OIT filters most IPv4 broadcast and multicast traffic on the wireless networks operated by OIT. We do so because such traffic contributes to degraded wireless network service, while being unnecessary for the wireless network functionality OIT supports.
The filters described were installed during March 2012 - July 2012, replacing a number of more-specific filters previously installed.
As the number of devices on the wireless networks has grown, the volume of broadcast and multicast traffic from those devices has grown. Such traffic has grown also as applications and operating systems make increasing use of broadcast and multicast to announce services they wish to offer to the "local" network, and to try to discover such services offered by other devices on the "local" network.
Broadcast and multicast traffic are vital parts of the network; their existence is not inherently bad. However, as the volume of broadcast and multicast traffic grows, network service can degrade. Wireless networks are especially sensitive to the effect of broadcast and multicast traffic. Experience has taught us that if we do not block most broadcast or multicast traffic on our wireless networks, these large networks degrade, sometimes to the point where they become unusable.
Our wireless networks are intended for use only by clients, not servers. These networks are not suitable places to attach devices acting as servers. Given that, there should be no need for applications and operating systems to discover other devices on the local network acting as servers, or to advertise that they are acting as servers.
Prior to March 2012, OIT filtered selected IPv4 broadcast and multicast traffic on the wireless networks. We focused on those protocols which were not needed to provide the services we support on our wireless networks, yet were responsible for most of the broadcast and multicast traffic. Each time we discovered another protocol which met these criteria, we implemented a new filter for that protocol. As applications and operating systems continued to expand their use of such protocols, it was necessary for us to grow these filters repeatedly. During March 2012 - July 2012, we changed our approach to instead filter all IPv4 broadcast and multicast traffic by default on our wireless networks, only permitting those few protocols which are necessary for the supported operation of our wireless networks.
IPv4 datagrams are filtered if they are destined to any of the following IPv4 addresses:
- 224.0.0.0/4
  - This is the multicast network range.
- 255.255.255.255
  - This is the limited broadcast address.
- 10.8.0.0
  - This is the 0's style subnet-directed broadcast address for vapornet100.
- 10.8.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for vapornet100 that some clients may erroneously use.
- 10.9.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for vapornet100 that some clients may erroneously use.
- 10.9.255.255
  - This is the 1's style subnet-directed broadcast address for vapornet100.
- 10.16.0.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifirestricted01.
- 10.16.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for ip4-wifirestricted01 that some clients may erroneously use.
- 10.17.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for ip4-wifirestricted01 that some clients may erroneously use.
- 10.17.255.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifirestricted01.
- 10.24.0.0
  - This is the 0's style subnet-directed broadcast address for visitornet101.
- 10.24.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for visitornet101 that some clients may erroneously use.
- 10.25.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for visitornet101 that some clients may erroneously use.
- 10.25.255.255
  - This is the 1's style subnet-directed broadcast address for visitornet101.
- 10.28.0.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifirestricted02.
- 10.28.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for ip4-wifirestricted02 that some clients may erroneously use.
- 10.29.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for ip4-wifirestricted02 that some clients may erroneously use.
- 10.29.255.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifirestricted02.
- 10.48.0.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifirestricted03.
- 10.48.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for ip4-wifirestricted03 that some clients may erroneously use.
- 10.49.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for ip4-wifirestricted03 that some clients may erroneously use.
- 10.49.255.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifirestricted03.
- 10.50.0.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifirestricted04.
- 10.50.255.255
  - This is an incorrect 1's style subnet-directed broadcast address for ip4-wifirestricted04 that some clients may erroneously use.
- 10.51.0.0
  - This is an incorrect 0's style subnet-directed broadcast address for ip4-wifirestricted04 that some clients may erroneously use.
- 10.51.255.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifirestricted04.
- 169.254.0.0
  - This is the 0's style subnet-directed broadcast address for the link-local network.
- 169.254.255.255
  - This is the 1's style subnet-directed broadcast address for the link-local network.
- 140.180.232.0
  - This is the 0's style subnet-directed broadcast address for ip4-wirelessgaming2.
- 140.180.239.255
  - This is the 1's style subnet-directed broadcast address for ip4-wirelessgaming2.
- 172.25.40.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifiuhs01.
- 172.25.43.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifiuhs01.
- 172.25.64.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifitstat.
- 172.25.95.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifitstat.
- 10.253.0.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifiundergrad.
- 10.253.127.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifiundergrad.
- 10.253.128.0
  - This is the 0's style subnet-directed broadcast address for ip4-wifigrad.
- 10.253.255.255
  - This is the 1's style subnet-directed broadcast address for ip4-wifigrad.
Several exceptions to these filters are enumerated below.
The traffic is also filtered at the campus legacy network's core Ethernet switches. All buildings (or groups of buildings) and wireless controllers carrying these VLANs are attached to these legacy core switches. These filters are installed in such a way as to apply only to those networks supporting wireless services provided by OIT. This causes the filters to apply to traffic (for our wireless networks) as that traffic passes through the campus legacy core on its way from one leg of the network to another, from one wireless controller to another, and between a wireless controller and a leg of the network. (In some cases, multiple buildings or multiple data center host aggregation switches share a single connection to a campus core switch.)
The wireless controllers carrying those VLANs are attached to these NGN data center switches.
It is unclear at this time whether similar filtering will be practical at those NGN data center switches.
Several kinds of IPv4 broadcast and multicast traffic are excepted from these filters:
In the filters at the wireless access points, we permit DHCP and BootP requests broadcast by clients. These are IPv4 datagrams where the destination address is 255.255.255.255, the UDP source port is 68, and the UDP destination port is 67. We also permit DHCP and BootP responses broadcast by legitimate servers.
We do so to allow clients to use DHCP.
We did so to aid in detection of improperly bridged networks.
We permit these packets within the network core to allow the network's Ethernet switches to hear an IGMP Querier.
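The following is an added example, not OIT's filter configuration, that models the destination-address list and the client DHCP/BootP exception above so an operator can check which datagrams the policy drops. The network prefix lengths are inferred from each network's 0's-style and 1's-style address pair and are an assumption; the server-response and IGMP-query exceptions are not modelled because the page does not specify them fully.

```python
import ipaddress

# Constructed from the page's 0's-style / 1's-style address pairs: each
# network is the range between them. Prefix lengths are inferred, not stated.
WIRELESS_NETWORKS = {
    "vapornet100": ipaddress.ip_network("10.8.0.0/15"),
    "ip4-wifirestricted01": ipaddress.ip_network("10.16.0.0/15"),
    "visitornet101": ipaddress.ip_network("10.24.0.0/15"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "ip4-wirelessgaming2": ipaddress.ip_network("140.180.232.0/21"),
    "ip4-wifiuhs01": ipaddress.ip_network("172.25.40.0/22"),
    "ip4-wifiundergrad": ipaddress.ip_network("10.253.0.0/17"),
}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def broadcast_addresses(net: ipaddress.IPv4Network) -> set[str]:
    """0's-style and 1's-style directed broadcast addresses of net, plus the
    incorrect ones a client emits when it treats a network wider than /16 as
    separate classful /16s (e.g. 10.8.255.255 and 10.9.0.0 for 10.8.0.0/15)."""
    addrs = {net.network_address, net.broadcast_address}
    if net.prefixlen < 16:
        for sub in net.subnets(new_prefix=16):
            addrs.update({sub.network_address, sub.broadcast_address})
    return {str(a) for a in addrs}


def filtered_destinations() -> list[str]:
    """Every fixed unicast-looking destination the default filter drops."""
    dests = {str(LIMITED_BROADCAST)}
    for net in WIRELESS_NETWORKS.values():
        dests |= broadcast_addresses(net)
    return sorted(dests, key=lambda a: int(ipaddress.ip_address(a)))


def is_filtered(dst: str, proto: str = "udp", sport: int = 0, dport: int = 0) -> bool:
    """True if a datagram to dst (with these UDP ports) would be dropped.
    Only the client DHCP/BootP request exception is modelled."""
    dst_ip = ipaddress.ip_address(dst)
    # Exception: client DHCP/BootP request to 255.255.255.255, UDP 68 -> 67.
    if dst_ip == LIMITED_BROADCAST and proto == "udp" and sport == 68 and dport == 67:
        return False
    if dst_ip in MULTICAST or dst_ip == LIMITED_BROADCAST:
        return True
    return str(dst_ip) in filtered_destinations()
```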