Mac OS X 10.7.x Network Configuration: OIT Notes and Caveats

This document contains OIT notes and caveats about Mac OS X 10.7.x Network Configuration. This document covers version 10.7 (that is, 10.7.0).

• Network startup happens when the Mac boots, and uses whatever location was selected at the time the Mac last shutdown. Mac OS X does not provide a way for you to change the selected location until after startup is complete and you have logged in (regardless of whether you log in manually or automatically).

  As a result, if you have moved your Mac to a different connection since last shutting down or logging out, the location in effect at network startup time may not be appropriate. Although you can select a more appropriate location once the Mac has finished starting and you are logged in, having the wrong location selected at network startup time can be inconvenient:

  • It may cause startup delays, if the Mac must attempt to bring up a network port that is disconnected, look for a DHCP or BootP server that will not be found, or look for a wireless network that is not available in your current physical location.

  • Other network-based software that starts at boot time may not function without a working network connection. Some of this software may "heal" when you change the location to an appropriate one. If you find that some of the network-based software on your Mac does not "heal" in this way, you can work around the problem by rebooting your Mac after selecting an appropriate location.

• We have been unable to find detailed and accurate Apple documentation describing how the Mac behaves when multiple physical network ports are active in a single network location.

  The brief information Apple provides indicates that the Mac tries the network ports in the order they appear in the network location's list of network ports. This information appears to be incomplete at best; it instead appears instead that the OS will make simultaneous use of the enabled ports, at least for some kinds of ports. The effect of the ordering is unclear.

  For Macs with multiple physical network ports (which is typical), we generally recommend that you avoid possible unexpected behaviors by designating inactive all but one of the network ports in each location. Define a different network location for each physical network port you typically use.

• When you have the Network pane of Systems Preferences open, operating various controls in that pane (e.g. buttons, pop-up menus, etc) will sometimes cause the selected location to suddenly change. The settings you made prior to the sudden location change may or not be preserved.

  We have confirmed this problem through version 10.7.

• If the Mac has more than one network port (e.g. Ethernet and Wireless) designated Active and simultaneously attached to two networks, and these networks are different IP subnets, some traffic sent by the Mac will be discarded by the campus network.

  Mac OS X's IP implementation uses the "Weak End System Model" with respect to transmitting. The Mac transmits some data via one network port, but marks the data as coming from the IP address of the other network port. OIT's IP routers perform "IP ingress spoof filtering" to discard packets containing IP sources inappropriate for the network on which they were received, as such traffic can represent a security problem.

  This is not a bug in Mac OS X's IP implementation; the "Weak End System Model" is allowed by IP specifications. Neither is there anything wrong with the IP ingress spoof filtering performed on OIT's IP routers. However, when used in combination, they result in packet loss. IP ingress spoof filtering is an important measure to combat certain kinds of network-based attacks; it will not be disabled.

  One fix would be for Mac OS X to adopt the "Strong End System Model" with respect to transmitting. This ensures that data transmitted by the Mac from each network port is marked with the IP address of that network port, not the Mac's other network port. Such an approach is especially appropriate for multihomed hosts. However, we are not aware of any plans to enhance Mac OS X to do this.

  This issue is not unique to Mac OS X; most current operating systems employ the Weak End System Model, as their IP implementations were written before IP ingress spoof filtering was a common practice. The issue is highlighted by Mac OS X because by default, it tries to make all ports active, and modern Macs often have both an Ethernet and a Wireless port.

  To work around the problem, we recommend you not allow the Mac to find itself in a situation where more than one network port is designated Active and simultaneously attached to a live network. You can do so by following OIT's instructions for creating multiple locations, designated all but one network port as Inactive in each location. (I.e. do not rely on the Automatic location shipped with Mac OS X if the Mac has multiple network ports.)

• If the Mac has more than one network port (e.g. Ethernet and Wireless) designated Active and simultaneously attached to the same IP network (i.e. subnet), the Mac's operating system may may operate in a way that's not acceptable on the campus network.

  This is a variation of the issue described above (the "Weak End System Model" with respect to transmitting), but is a larger problem when both interfaces are attached to the same IP subnet. Like most operating systems, Mac OS X may not operate well when it has multiple interfaces attached to the same IP subnet simultaneously. Most operating systems are not designed to handle this configuration.

  You will not encounter this situation if your Mac has just an Ethernet and a Wireless interface, and the Wireless interface is configured to use only OIT Wireless Service, as OIT Wireless Service provides a connection to an IP subnet that is not available via any other mechanism (there are no customer Ethernet ports attached to the same subnet as OIT Wireless Service). But you will encounter this situation if you configure your Wireless interface to use other (private) Wireless Access Points, and any of them are configured to operate as a bridge and are attached to the same IP network that your Mac's Ethernet interface is currently wired to.

  To work around the problem, you must not allow the Mac to find itself in this situation. You can do so by following OIT's instructions for creating multiple locations, designating all but one network port as Inactive in each location. (I.e. do not rely on the Automatic location shipped with Mac OS X if the Mac has multiple network ports.)

• The Mac OS X 10.7.x firewall feature has an optional setting called "Stealth Mode". (This is enabled or disabled at System Preferences -> Security -> Firewall -> Advanced -> Stealth Mode.) By default, the "Stealth Mode" feature is disabled. Enabling "Stealth Mode" causes the Mac to stop responding to ICMP requests. This means, for example, that the Mac will no longer respond to PING requests.

  You should leave the firewall's "Stealth Mode" feature disabled.

  If your Mac were to not respond to PING requests, it would sometimes be harder to perform some troubleshooting when your Mac experiences a network problem.

  Additionally if your device ever uses a dynamically-assigned IP address (for example, an OIT Mobile IP Address) that is not assigned for its use at the time, and your Mac were not responding to PING requests, it would increase the likelihook that the IP address your Mac is "stealing" will be assigned (by OIT DHCP Service) to another device at the same time, resulting an a number of problems.

  For these reasons, you should leave the firewall's "Stealth Mode" feature disabled.

• If you create multiple network locations, some of the configuration settings for Wi-Fi (wireless) interfaces in each location are not stored separately. The Wi-Fi interface configurations for different locations share some of their configuration settings.

  This affects settings that appear on a Wi-Fi interface's basic configuration display, and also settings under the Wi-Fi tab in the Advanced configuration display.

  Although the user interface for the Wi-Fi interface in each the Network pane (in System Preferences) implies that the settings are specific to each Wi-Fi interface in each network location, the Mac often does not behave that way.

  For example, if you change the selected wireless network name in one location, alter the list of preferred wireless network names, or show/hide the Wi-Fi status in the menu bar, these changes will often affect the Wi-Fi interface in other locations as well.

  This prevents you from reliably configuring separate locations to explicitly connect to different wireless networks. For example, if you want to create one location that will connect (only) to OIT Wireless Service (for use on campus), another location that will connect (only) to a private wireless network (e.g. when visiting a residence off-campus), and another location to connect to (only) a commercial wireless network in a cafe, you may be unable to do so. Any changes made to one location may appear in the other locations as well.

  If you use multiple locations with different wireless networks, and rely upon these settings to ensure you only connect to specific wireless networks in specific locations, this represents a security problem, because it may allow your Mac to connect to a wireless network you didn't intend to connect to in a particular location.

  We have confirmed this problem is present in version 10.7.

• Apple's VPN client is a Microsoft-compatible Point to Point Tunneling Protocol (PPTP) implementation. Anyone who relies on a Microsoft-compatible PPTP-based VPN (i.e. essentially all PPTP implementation today) should be aware that there are some security concerns with the use of Microsoft PPTP.

• The PPTP VPN client does not provide a way to tune certain parameters associated with the VPN connection. Some of these parameters a security-conscious customer might have wished to have the ability to tune:
  • The client will attempt to authenticate using the MS-CHAPv1 or MS-CHAPv2 protocol, as selected by the VPN server. If unable to authentiate using one of those protocols, the client will disconnect. (Its willingness to use the MS-CHAPv1 protocol is a security vulnerability. Apple has not yet documented a way to reconfigure it so it will refuse to fall back to MS-CHAPv1.)

  • The client attempts to use the MPPC compression protocol. If unable to negotiate MPPC, it is willing to connect without compression.

  • While the VPN connection is active, the Mac has an additional default IP route, via the VPN server. However, the Mac still has an interface route to each locally-attached network. (I.e. the IP subnet to which each interface is currently attached.)

    The Mac will still use those interface routes in preference to the default route that points to the VPN server.

    As a result, traffic between the Mac and other devices on the same IP subnet as any of its interfaces will not use the VPN connection, but instead will continue to travel directly between the Mac and the other devices.

• Within a single network location, a single VPN (PPTP) network port can effectively support only one VPN service configuration.

  (It can effectively be used with more than account name/password combination, when all the other VPN settings for the VPN service configuration remain the same. As long as you don't save a password as part of the configuration, you will be prompted for the account name and password each time you connect to a VPN server.)

  Although the basic configuration pane for a VPN (PPTP) network port has an Add Configuration... command (in the Configuration pop-up menu) to allow you to define multiple configurations, all these configurations share a single set of advanced configuration settings. It is unlikely that a single group of advanced settings would be appropriate for different VPN services.

  To be able to have truly independant settings for each VPN service within a single network location, do not use the Add Configuration... command. Instead, for each VPN service, create a separate VPN (PPTP) network port in the location. The settings for separate VPN (PPTP) network ports in a single location are independent. You may select which VPN (PPTP) network port to use from the VPN Of course, a different approach is to use separate locations to store the settings for different VPN services.

  We have confirmed this problem in version 10.7.

• The Internet Sharing feature (a combined NAT, DHCP server, and Wireless Access Point) is inappropriate for use on any Macintosh attached to the campus wired or wireless network. Each version we have examined has one or more bugs that cause it to interfere or degrade campus network service.

  By default, this feature is turned off. If your Mac is attached to the campus network, do not turn on this feature.

  For more details, see Do Not Use Mac OS X's Internet Sharing Feature on the Campus Network.