Residence Hall and Dedicated Remote Access
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to residence hall and dedicated remote access network connections.
This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
This guideline applies to all students residing in residence halls.
Domain Names: All registered machines in any residence hall on the campus network will be in the domain ".res.cmu.edu". All registered machines using a dedicated remote access service will be in the domain ".rem.cmu.edu" (note that Computer Science DSL machines will be registered as ".rem.cs.cmu.edu"). In some cases, systems may be configured with registered names in multiple domains. If you want to have multiple domains for your system, the following must be considered:
Any domain which implies commercial use, regardless of the system's actual content or use, is explicitly banned regardless of where the registry is being served. This currently includes any systems registered in .COM or .NET domains, but is not limited to these domains. With the imminent creation of new domain hierarchies and changing use of current hierarchies, interpretation of which domain names imply commercial use is left to the discretion of Computing Services.
Systems violating domain name guidelines will be immediately disconnected from the campus network for a period of not less than one semester.
Routers: No routers are permitted to be attached to any portion of the campus network. Any devices which provide routing service for IP, IPX, or AppleTalk traffic will be immediately disconnected from the campus network for a period of not less than the duration of the current academic year. Windows XP has a configuration option under the Wireless Connection Properties, in the Advanced tab, labeled "Internet Connection Sharing". This is a form of routing and is explicitly banned. Users who cause problems due to this configuration will face disciplinary action in addition to the loss of network connectivity for the system listed above.
Ethernet hubs, which attach multiple devices to a single network outlet, are not routers and may be attached to the campus network. It is important that all machines connected to a hub be registered with Data Communications.
Most operating systems do not provide routing functionality and are perfectly safe to attach to our network in any configuration. Most UNIX operating systems have the capability to provide routing functionality; for these operating systems, you should ensure that routing is not configured. Some operating systems (NetWare) and devices (terminal servers, commercial routers, etc.) act as routers by definition and are not permitted to be attached to the campus network unless explicit permission is obtained in advance from Data Communications (email@example.com).
Some software, such as MARS, which provides NetWare services via UNIX machines, also emulates routers or provides router-like functionality. As such, these applications are not permitted to be run on Residence Hall or Dedicated Remote Access systems.
Routers are generally used to connect multiple network segments together and should not be necessary for individual users on our campus. If misconfigured, routers can cause severe problems for all users on a network segment. Even if properly configured, routers can cause significant difficulties with the maintenance and support of network segments maintained by Computing Services. For these reasons, systems connected to the campus network in the residence halls are not permitted to act as routers.
Systems on the campus network are not permitted to be configured as DHCP servers. DHCP allows systems to obtain the correct IP address during the boot process. User-owned DHCP servers may override the distribution of IP addresses by the official DHCP servers, causing the client system to obtain an incorrect address, denying it access to the network. Any system found to be running a DHCP server will be immediately removed from the network.
Restricted Operating Systems: There are some operating systems which are known to cause problems in Carnegie Mellon's network environment. These operating systems are banned from being used in residence halls or via dedicated remote access services. At this time, the only operating systems explicitly banned are NT Server and Netware. If other operating systems become restricted, an announcement will be made on official.computing-news.
For those who want to run Linux systems, but who do not have appropriate system administration experience, Computing Services suggests that you consider running "Andrew Linux". Andrew Linux is a port of the UNIX-based Andrew environment to RedHat Linux. As such, system administration problems are reduced and a rich suite of applications and services become available with no installation requirements on the part of the user. For more information on Andrew Linux, please contact the Computing Services Help Center at 268-HELP or send mail to firstname.lastname@example.org.
Network Traffic: Network traffic should be considered private. Because of this, any "packet sniffing", or other deliberate attempts to read network information which is not intended for your use, will be grounds for loss of network privileges for a period of not less than one full semester. In some cases, the loss of privileges may be permanent. Note that it is permissible to run a packet sniffer explicitly configured in non-promiscuous mode (you may sniff packets going to or from your machine). This allows users to explore aspects of networking while protecting the privacy of others.
Residence hall and dedicated remote access service connections to the campus network, and to the Internet, are provided to allow students, staff and faculty to fully participate in the educational and research missions of Carnegie Mellon University. In general, we encourage individuals to provide useful, interesting and inventive content to the Internet community, so long as it remains feasible for us to do so.
It may not remain feasible to provide unlimited connectivity for systems which are not strictly serving the University's missions. Because of this possibility, we reserve the right to request that users reduce the amount of traffic being caused by their service, or where necessary, to remove such systems or services from the campus network. In all but extreme cases, we will contact the owner of the system before removing it from the network.
Misconfigured Services: There may be times when a machine is unintentionally misconfigured and subsequently causes a problem on the campus network. In such cases, in order to preserve the best service possible for the majority of the users, the machine will be disconnected from the campus network immediately. The owner of the system in such cases will be notified via electronic mail and via telephone that the machine has been disconnected.
Windows systems have an option in the Network Connection dialog allowing one to select a pair of connections (wireless and wired, wireless and dialup, for example) to "Bridge Connections". This configuration is known to cause problems and should be disabled unless you are absolutely sure that you know what you are doing.
The machine will only be allowed back onto the network after the owner notifies Data Communications or the person who sent the electronic mail, that they have reconfigured the machine, resolving the problem.
Accounts: Some operating systems, specifically UNIX operating systems, allow the system administrator to create accounts for other users. While this is not discouraged for machines connected to the campus network, there are some things that should be considered.
All users must be accurately identifiable. The user name field for any given account should contain the user's real name. There is no valid reason to allow a user to have a fictitious name assigned to their account.
Off-campus users, those with no affiliation to Carnegie Mellon University, are not explicitly prohibited from having accounts on machines connected to the campus network, but the following items should be considered by the owner of the machine:
All users of any system connected to the campus network are bound by the Computing Code of Ethics as outlined in the Student Handbook. Failure to adhere to this Code will result in either the loss of the account or the loss of campus network privileges for the system. In all cases, the owner of the system involved may be held fully responsible for such violations if Computing Services is not convinced that the situation is being addressed in a professional, timely and appropriate manner.
Users who are not affiliated with Carnegie Mellon should be flagged as such. This could be done by an entry in the user's plan file or by putting an additional string, "(Non-CMU)" for example, into the user name field for the account.
It should also be noted that university resources, such as the campus network, are provided for university purposes. Allowing unaffiliated users to have an account on residence hall or dedicated remote access systems could be considered as a violation of this policy.
As a system administrator you may be held fully responsible for the conduct of your users. If the users in question are violating computing policies or causing other problems, the system administrator will be expected to take appropriate action to resolve the problem. If Computing Services determines that the problem has not been resolved, the system used will be disconnected from the campus network for a period of not less than one full semester. In some cases, loss of network privileges could be permanent.
Security: Users are responsible for the security and integrity of their systems. In cases where a computer is "hacked into", it is recommended that the system be either shut down or be removed from the campus network as soon as possible in order to localize any potential damage and to stop the attack from spreading. In such cases, if the system administrator cannot be contacted in a reasonable time, Computing Services reserves the right to disable the network connection. Once the system administrator is made aware of the situation and agrees to take reasonable steps to ensure that the machine is not compromised, network privileges may be restored.
In cases where, despite the efforts of the system administrator, the machine continues to pose a security concern, we reserve the right to require that the user switch to a single user OS before allowing the system back onto the campus network.
In cases where a user's machine(s) habitually causes problems, by action, as a "target" of incoming attacks, or because of a lack of responsible behavior on the owner's part, Computing Services may initiate action to permanently ban the user from having machines on the campus network.
Commercial Use: Under no circumstances will any individual be permitted to use their network connection or computing privileges for commercial purposes. Any commercial use of our facilities is explicitly prohibited by the University and is grounds for removal of campus network privileges.
Any machine which provides services for a commercial operation (e.g. a web site selling commercial products), provides services of a commercial nature (e.g. provides web services for a fee), or has a domain name with a commercial designation (currently .COM or .NET) is explicitly prohibited from the campus network*.
*This section reinforces the guidelines on DOMAIN NAMES above.
Anonymous Mailers: All electronic communications at Carnegie Mellon must accurately identify the sender. Anonymous mail forwarders are explicitly prohibited by the Code of Ethics in the Student Handbook. Running an anonymous mail forwarding service is grounds for removal of campus network privileges for a period of not less than one full semester.
Intentional Abuse: Systems found to be intentionally running programs which disrupt network activity or attack specific machines on the network will be subject to immediate removal. In some cases, disciplinary action may be taken against the owner of the system and the user(s) involved in generating the problem activity.
Network Maintenance: Computing Services will periodically conduct scans of various areas of the network (subnets) in order to help maintain a reasonable network environment for the majority of our users. Results of such scanning may help Computing Services to discover misconfigured systems, and may in some cases cause us to discover activity which violates laws, university policies, or Computing Services guidelines. In such cases, action appropriate to the "problem" will be taken.
Common Problems: Computing Services has noted a few "recurring themes" in the computer resource abuse area. Some of these will be discussed here, mainly to make you aware that some activities which you might not consider to be "bad", can get you into trouble.
File Sharing: It is a common misconception that anything that is downloaded from the Internet or that is copied from a CD is legal to share with others. Many files (movies, music, software programs, etc.) available on the Internet are provided in violation of U.S. and International copyright laws. The distribution of copyright protected files without the permission of the copyright holder is illegal.
Users should note that if they want to set up a mechanism so that they can access their own files (not distribute them), care should be taken to use a password which restricts access. In the case of MP3 "shared folders" or web sites, the password "mp3" is NOT considered to be an attempt to secure the site, but rather will be interpreted as an implicit invitation to distribute materials from the site. If the files available in such a site are not protected by copyright law, then there is no problem. Any discovery of copyright protected materials in such a site will be considered to be a violation of the Carnegie Mellon University Computing Policy and of these guidelines. See our page outlining how we process DMCA notices for more information.
Denial of Service Attacks: Denial of service attacks are covered under the Computing Code of Ethics as follows: "No one should deliberately attempt to degrade or disrupt system performance or to interfere with the work of others."
Any attempt to disrupt service or performance on systems on or off campus can result in the loss of network privileges and disciplinary action. The following items are all examples of denial of service attacks, but are not completely inclusive:
- Mail bombing (sending thousands of mail messages to a group or individual)
- Ping flooding (launching continuous ping requests at a specific machine)
- "Smurf attacks"
- "SYN flooding"
Advertising: The internet has been inundated with various "make money fast" schemes, and other marketing ploys, as thoroughly as it has been with legitimate businesses. You should keep in mind that despite the fact that you may own your computer, it is using CMU's network, and has a CMU domain name. You are not permitted to run or advertise a business from a CMU-based system without explicit permission from an appropriate authority (see the Computing Code of Ethics). The following items violate the intent of the policy on commercial use:
- Advertising "banners" on web pages served from hosts in the CMU.EDU domain.
- Advertising any commercial enterprise (business) from web pages, plan files, etc. on hosts in the CMU.EDU domain.
- Advertising any "make money fast" schemes, or "make money for browsing the web" services on hosts in the CMU.EDU domain.
By making you aware of some of the activities that frequently cause problems for users on the campus network, we hope that you will be able to avoid situations which could jeopardize your network access.
User Responsibilities and Procedures
As with any computing or communications resources at Carnegie Mellon University, users must keep in mind the fact that they are bound by the Carnegie Mellon Computing Policy.
Under no circumstances may machines be configured with IP addresses that have not been assigned by Computing Services Data Communications department. By using an unregistered IP address or an IP address assigned to another, you may deprive other users of network service and/or make it considerably more difficult to diagnose network problems on the campus network.
Dynamically assigned IP addresses are considered to be "registered" for the period of the dynamic lease to a given machine.
Using a different ethernet hardware address than the one you have registered with Data Communications will also result in the machine being removed from the network. Users purchasing new ethernet cards, or who otherwise need to change their hardware address must inform Data Communications in order to ensure that user information is kept accurate and up-to-date.
Using an IP address that has not been assigned to you or using an ethernet hardware address that is different from the one registered with Data Communications is grounds for losing your campus network privileges for a period of not less than one full semester.
Users must review and abide by each guideline outlined above.
Last Updated: October 19, 2005
Established: July 25, 2003