As announced on April 19, 2017, MIT is upgrading its network to enable the use of the next generation of internet addressing, internet protocol version 6 (IPv6), and in the process is consolidating in-use internet protocol version 4 (IPv4) address space to facilitate the sale of excess IPv4 capacity.
Over the past several months, Information Systems and Technology (IS&T) worked with a variety of stakeholders and industry experts within MIT and beyond on a hybrid approach to a dual-stack IPv4/IPv6 architecture for the next generation of MITnet.
This page is intended to answer technical and procedural questions about the Next Generation MITnet architecture and the impact of these changes.
Why is IS&T making changes to MITnet?
We are preparing for the next generation of MITnet and IPv6. MIT has entered into an agreement to sell half of its IPv4 address space to Amazon. Proceeds from the sale will cover network upgrade costs and provide a source of endowed funding for the Institute to use in furthering its academic and research mission. See this letter to the MIT Community for more information on Next Generation MITnet. This agreement necessitates the consolidation and re-numbering of MIT’s existing IPv4 usage in order to free up addresses for transfer to Amazon by the end of June 2018.
What are the features of the Next Generation MITnet architecture?
The Next Generation network architecture will leverage a hybrid approach, providing faculty, staff and students engaged in MIT’s scholarly and research activities a network experience consistent with the experience they have today, using public IPv4 and IPv6 addresses. Members of the MIT community engaged in the administrative support and operation of the Institute will be provided network connectivity using private IPv4 addresses with network address translation (NAT) and public IPv6 addresses.
This hybrid approach includes the following key elements:
- Dynamic host configuration protocol (DHCP) will be used wherever possible to register devices for assignment of IPv4 and IPv6 addresses.
- Public IPv6 addresses will be assigned via DHCPv6 to all devices that request them.
- Members of the MIT community engaged in MIT’s scholarly and research activities will be provided a public IPv4 address by default, and will have the option to select a private IPv4 address with NAT as part of the device registration process.
- MITnet will use network address translation (NAT) for non-academic users, to mitigate the impact of any future changes to MIT’s IPv4 address landscape and to ensure the efficient use of MIT’s IPv4 address space.
- The overall network architecture and approach will be consistent across campus for IS&T-operated wired and wireless networks. The architecture for private networks operated by DLCs will not be impacted, but allocated IPv4 addresses that fall within the range being transferred to Amazon will need to be renumbered.
- Moira, IS&T’s infrastructure management system, will be enhanced to provide full support for IPv6 address management and real-time management of our DHCP, DNS and RADIUS authentication infrastructure.
- Next-generation firewalls will be used to provide both the firewall and network address translation functionality.
What work is currently underway?
To meet the June 2018 transfer obligation, IS&T is working with local IT support and occupants of buildings that are using IPv4 network ranges due for transfer, i.e., 18.128.x.x and above. Devices in these buildings are being renumbered to use addresses either in the public IPv4 range being retained by MIT (220.127.116.11/9), or in private address space, in accordance with the guidelines described above.
What buildings will be affected by the June 2018 address transfer? What buildings have already been reassigned to new addresses?
A list of all buildings affected by the current phase of address reassignment is available in this Knowledge Base article.
Will MIT still have public IPv4 addresses?
Yes. Faculty, students, and staff engaged in MIT’s scholarly and research activities will be assigned public IPv4 addresses by default. Those who are assigned public addresses, but wish to have a private address, can request reassignment by emailing firstname.lastname@example.org, or by using the self-service tool when it becomes available.
How can I get a public-facing IPv4 address?
Initially, your address type will be selected as part of the DHCP registration process. Those engaged in MIT’s scholarly activities will be given the choice of a public or private address. Those involved in the administrative support and operation of MIT will be assigned a private address. IS&T plans to provide students, faculty, and staff engaged in scholarly activities a self-service interface to update their type of address after registration. In the meantime, requests for a change of address type can be sent to email@example.com.
What will the public-facing MITnet address range be at the end of the consolidation?
As of June 26, 2018, MIT’s address range will be 18.104.22.168/9 (in CIDR notation), i.e. 22.214.171.124 through 126.96.36.199.
What changes can I expect after June 2018?
Consolidation of the remainder of in-use IPv4 addresses will occur after June 2018.
Why is MIT using private IPv4 addresses and Network Address Translation (NAT)?
Providing members of the MIT community engaged in the administrative support and operation of the Institute with network connectivity using private IPv4 addresses with Network Address Translation (NAT) will mitigate the impact of any future changes to MIT’s IPv4 address landscape, and ensure the efficient use of MIT’s IPv4 address space. Moving devices that do not need to be reachable from outside MITnet behind next-generation firewalls will improve our default security posture.
Will these changes adversely affect innovation on MITnet?
No. Members of the MIT community engaged in scholarly and research activities will be provided a public IPv4 address by default, consistent with their past network experience, with the option to select a private IPv4 address with Network Address Translation (NAT) if they so choose.
I believe a service I run has been or may be affected by this change. Who do I contact to fix it?
Contact the Service Desk at firstname.lastname@example.org or by calling 617-253-1101 with the IP address of the device(s), a description of what services are or may be affected, and the department and location. IS&T staff will do our best to prevent service disruption.
Can I choose when my migration will happen?
The migration schedule is being managed to ensure completion by June 2018, as required by the terms of the transaction, so specific migrations cannot be delayed in a way that compromises the overall schedule. However, IS&T plans to work closely with the community, and IS&T staff will reach out directly to people who are listed as contacts for devices registered as using static IP addresses within the affected ranges to ensure they do not experience unplanned disruption to connectivity. If you have concerns about a specific migration or scheduling constraints, or are interested in moving early, please contact the Service Desk at email@example.com or by calling 617-253-1101.
How can I prepare for this?
You can configure machines that you manage to use DHCP if they don’t already. If you need a machine to retain a permanent address, IS&T can assign you a permanent DHCP reservation. Request this by contacting the Service Desk at firstname.lastname@example.org.
For IT Providers: Gather as much information as you can about machines that have static IP addresses assigned and what they are used for, all of your network printers, and any externally delivered services that your devices provide, and we will assist you in planning your migration.
Are static IPs going away altogether? If not, what can they be used for?
DHCP will be used for all IP address assignments. Static IPs will be replaced with permanent DHCP reservations where needed, providing the same functionality while improving IS&T's ability to manage the network. If you believe your device requires a static IP, please contact the Service Desk at email@example.com.
Do I need to register my device for DHCP?
Yes, the machine will need to be registered to use the network. If you would like to receive a specific IP address when your machine uses the network in your building, please submit your request here or contact the Service Desk at firstname.lastname@example.org.
What if my device does not support DHCP?
Please contact the Service Desk at email@example.com or call 617-253-1101 to discuss further.
How do I get remote access into my on-campus machine once it is migrated to a private IPv4 address?
It will be possible to request a permanent, internal (10.x.x.x) IP address and hostname which will be assigned to a host via DHCP. Once that is in place the host can be remotely accessed through MIT’s VPN service. To request a permanent DHCP reservation, contact firstname.lastname@example.org.
I provide IT support for a department, lab, or center. Who should I contact to coordinate scheduling and change communications?
IS&T’s Distributed Support (DITR) team will be working with IT providers to coordinate all changes. If you already have a DITR service agreement, contact your point person. If you do not already receive support through DITR, contact email@example.com and a DITR representative will reach out to you.
If I maintain a firewall for servers, how and when can I find out necessary configuration changes as the campus IP space changes?
IS&T has published an updated list of MIT’s public IPv4 address ranges to the Knowledge Base. This list is current and will be updated again in June 2018, when the next transaction is complete. The ranges currently listed will remain owned by MIT through June 2018. During this time, some IP addresses in the listed ranges will be renumbered to become unused, but those freed-up addresses will remain owned by MIT until the June 2018 transaction. In June 2018, the range owned by MIT will be 188.8.131.52/9.
The DLC I support provides public-facing services from devices on our network. How can we continue to provide these services?
IS&T offers services to DLCs such as managed server hosting (via our hybrid cloud environment) as well as data center colocation, and recommends leveraging these services whenever possible for security and resilience. If these services do not fit your needs, then we can assign public IPv4/IPv6 addresses to your host(s) via permanent DHCP reservation.
If I use wireless, does this affect me?
Yes, the IPv4 addresses used by the MIT and MIT SECURE wireless networks are part of the address space that will be renumbered. All wireless hosts will continue to receive IPv4 addresses via DHCP. Consistent with the operation of the wired network, wireless users engaged in scholarly and research activities will be provided with an option to select a public or private address during registration. Those engaged in administrative support and operation of the Institute will be provided with a private address.
How is this going to affect all campus subnets? I'm concerned about dorms.
Residence halls are treated like other IS&T-managed networks. The hybrid architecture approach will be consistent across all networks operated by IS&T regardless of location.
How will printing be affected?
Centrally-managed printing such as Pharos and the MIT print servers will not be affected. If you use static IP addresses to connect your printers to the MIT network, they should be migrated to DHCP just like any other network device. If you connect to printers using their IP address, you will need to update your configuration to reestablish connections to those printers after they migrate.
Does MIT have IPv6?
The Next Generation MITnet effort is part of our preparation for IPv6. See this letter to the MIT Community for more information on Next Generation MITnet.
When will IPv6 be available?
IS&T has begun an initial pilot of IPv6 technology in selected locations. A broader campus rollout will take place in a later project phase.
Will IPv6 addresses be firewalled?
MIT plans to implement IPv6 both within and outside of the firewall. If your device is assigned a private IPv4 address, it is behind the firewall, and its IPv6 address will be behind the firewall as well. If your device is assigned a public IPv4 address, it is directly exposed to the Internet, and its IPv6 address will be, too.
Will port forwarding be allowed?
No. Port forwarding will not be supported.
How will use of peer-to-peer applications such as BitTorrent be affected?
Peer-to-peer applications such as BitTorrent are designed to work on private as well as public networks, and downloads should not be impacted by this change. Connections initiated from private addresses will be permitted outbound through the firewall. Connections initiated from outside of MITnet will only be able to connect to public addresses. For devices using private addresses, BitTorrent downloads will not be impacted, but sharing will only work from devices using public addresses.
Does MIT have Dynamic DNS?
MIT does not yet use Dynamic DNS, but plans to implement it in a future phase of this project.
Are there changes planned that affect the security of the network?
Network connectivity to devices using private IPv4 addresses will be provided through a firewall that will connect those devices to the broader MIT network and external Internet. There were efforts already underway to place building networks throughout the MIT campus behind a firewall. That work is now being combined into this overall Next Generation MITnet effort. Network access to public IPv4 addresses will not traverse any firewalls.
How does this affect systems with IPSec policies?
Machines using Windows Domain IPSec policies for access control will need to have their IPSec policies updated to reflect the new IPv4 addresses.
What if I am already using private IPv4 addresses for my device or application?
The MIT network will be using 10.0.0.0/8 for private addressing on the campus network. Both 172.16.0.0/12 and 192.168.0.0/16 will remain available for your use. If you are currently using 10.0.0.0/8 for your device or application, please be prepared to move to 172.16.0.0/12 or 192.168.0.0/16.
Will Zephyr, AFS and Athena services continue to work?
Yes, these services will continue to work as they do today. Their traffic will be routed directly across the campus network between the private IPv4 addresses and our data center facilities.
Will each building be limited to 256 public addresses? What if my location needs more than that?
IS&T will assign 256 public IPv4 addresses by default to each building, but we will add additional public IPv4 address capacity as needed to meet the demand for a particular building. No requests for a public IPv4 address will be turned away.
What do I do if I have a hardcoded reference to an IP address impacted by this change?
You will need to update your configuration or code to update the reference. If there are extraordinary circumstances preventing you from doing this, contact firstname.lastname@example.org.
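The following is an added example, not IS&T's code, covering the hardcoded-reference question above and the earlier question about existing 10.0.0.0/8 use: it scans configuration text for IPv4 literals that overlap the range due for transfer or the block reserved for campus private addressing. Reading "18.128.x.x and above" as 18.128.0.0/9 is an assumption, and the sample configuration is constructed.

```python
import ipaddress
import re

# Assumption: "18.128.x.x and above" is read as 18.128.0.0 through 18.255.255.255.
TRANSFER = ipaddress.ip_network("18.128.0.0/9")
# From the page: the campus network will use 10.0.0.0/8 for private addressing.
CAMPUS_PRIVATE = ipaddress.ip_network("10.0.0.0/8")

# Dotted quad with optional /prefix; the guards skip longer dotted strings
# such as version numbers (1.2.3.4.5).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?!\d|\.\d)")

def classify(addr, prefix=None):
    """Return the findings for one literal, or [] if unaffected or invalid."""
    try:
        net = ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
    except ValueError:  # e.g. 999.1.1.1 or a /40 prefix
        return []
    findings = []
    if net.overlaps(TRANSFER):
        findings.append("transfer-range")
    if net.overlaps(CAMPUS_PRIVATE):
        findings.append("campus-private-overlap")
    return findings

def audit(text):
    """Return (line_number, literal, findings) for every affected IPv4 literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IPV4.finditer(line):
            findings = classify(m.group(1), m.group(2))
            if findings:
                hits.append((lineno, m.group(0), findings))
    return hits

# Constructed sample input; none of these lines come from the page.
SAMPLE = """\
# host firewall and application settings
allow from 18.0.0.0/8 to any port 22
allow from 18.189.4.17 to any port 5432
db_host = 10.4.2.9
backup_host = 192.168.10.5
ntp = 18.9.1.1
version = 1.2.3.4.5
"""

if __name__ == "__main__":
    for lineno, literal, findings in audit(SAMPLE):
        print(f"line {lineno}: {literal} -> {', '.join(findings)}")
```

A rule written as a broad prefix is flagged when any part of it overlaps an affected range, so an allow rule for the whole former block shows up alongside single-host references.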
I currently have one or more hostname(s) assigned using static IP. Can I retain my hostname(s)?
What happens if the public address I’m NAT’ed through gets blacklisted (i.e. someone else’s machine is causing trouble and that affects my connection)?
As always, if your connectivity has been disrupted, contact the Service Desk at email@example.com or by calling 617-253-1101.
I have a question that is not answered here. Who do I contact?
If you have questions that are not answered here, or you have questions about any of the answers provided, please let us know by emailing firstname.lastname@example.org.
(Page updated 3/26/2018)