DHCP Registration Requirements

One-sentence advice: "Start up a web browser and open a webpage."

Beginning in early December, phasing in first in CD then D0 offline, registration of network devices will be required before any network addresses are issued. The most visible impact of this will be on those using the DHCP (Dynamic Host Configuration Protocol) service to get temporary addresses assigned. Since a large number of users of this service are visitors, you may be asked for advice even if you are not using it yourself. The key to helping is to follow the one-sentence advice above.

For those interested in details, here's the rest of the story.

This summer's "exercise" of tracking down machines reinforced the importance of having a contact person for all systems on the lab network for quick response in computer security emergencies. Assignment of network addresses has become so automated, particularly with the advent of Dynamic Host Configuration Protocol (DHCP) services, that many people don't realize they need to register network devices at Fermilab.

Visitors and unregistered machines

When an unregistered machine tries to obtain a DHCP lease, it will get a short-lived, restricted network connection. Trying to access any web page or telnet session will bring up the registration page. The registration page asks for some basic contact information (name, email, institution, etc.) and should take only about a minute to fill out. While the user is filling out the information, a basic vulnerability scan will be performed, looking for current urgent problems. If the information is provided and the system passes the scan, a DHCP lease good for the rest of that day will be provided. If there are problems, the user will be directed to appropriate help.

If the machine will be at FNAL for longer than a few days, the machine must also be registered in the permanent database, as temporary registration will only be allowed for a limited period. Permanent registration is accomplished as described below, and should become effective within one or two working days.

Permanent Registration

The primary interface for node registration is the Data Communications web page at
https://fncdug1.fnal.gov/misnet/cgi/nwsvc.pl
Completion of this form will enter the system into the lab's database within 24 hours. Crucial information is system name, IP address (for static IP systems), MAC address (all MAC addresses must be registered for machines with multiple network interfaces), system location, and the name, email and phone number of the individual responsible for this machine.

To see if your system is already registered, onsite users can test the machine running their browser by clicking on
http://miscomp.fnal.gov:7777/pls/miscomp/registered.html
Others will have to go to:
https://fncdug1.fnal.gov/misnet/systemName.html
where you can look for systems by node name, hardware address, or other keys.

To change information on a machine already registered, go to:
https://fncdug1.fnal.gov/misnet/cgi/nwsvc.pl

When this new registration service starts, machines with unregistered MAC addresses will be treated as transient systems and required to register each day. In the longer term, machines with static IP addresses may also lose their network access if their registration is missing, incomplete or incorrect.

If you need further help determining whether the machines you use are registered or how to prepare your guests for visits, contact your General Computer Security Coordinator.

List of GCSCs:

BD:    Tim Zingelman, Brian Drendel, deputy
BSS:   Joe Klemencic, Scott Nolan, deputy
CD:    Matt Crawford, Randy Reitz, deputy
CDF:   To be appointed by spokespersons
D0:    Mike Diesburg, Greg Cisko, deputy
DIR:   Jud Parker
ESH:   Matt Arena
FESS:  Ken Fidler
LSS:   Kevin Williams
PPD:   Allen Forni, Karen Carew, deputy
TD:    John Konc, Ping Wang, deputy

Dane Skow
Last modified: Tue Nov 25 15:24:37 CST 2003