Online Anonymity

User Identification

Due to the way CNS operates, Virginia Tech has ways of identifying network users in almost all circumstances. CNS operates on a cost-recovery basis, so each physical portal is associated with a department paying a monthly fee; for this reason very few unused publicly accessible portals are available.

CNS logging is intended to support operation of the network and allow for identification of the source of potential problems, and is essentially in line with industry standards for corporate and educational networks. Many of the points below apply off campus as well.

DHCP

Users on public portals have the option of connecting via either DHCP or static addresses. To get a DHCP lease, a user must first register their MAC address with CNS. Static addresses do not carry this restriction, but static addresses are allocated by individual departments and are often unavailable to end users. In most cases, static addresses are only routable within a single building, so it’s not possible to retain an address while roaming. Choosing a random IPv4 address on a building’s subnet each time risks an address collision; if someone complains, CNS will often deactivate the port within a couple of days. Certain departments also run their own alerting software (such as Nagios) capable of detecting anomalies like this.

The DHCP servers operated by CNS log IP address assignments, MAC address, and hostname. In the case of Apple devices, the default hostname includes the owner’s real name, for example, Alicia Hokie’s MacBook Pro.
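An added example (not part of the original page) of what a hostname leaks through DHCP option 12, written from the auditor's side: it parses constructed ISC-dhcpd-style log lines and flags clients whose hostname appears to name the owner, using the Apple default "Owners-MacBook-Pro" shape as the heuristic. The log lines, names and MAC addresses are made up for this example, and the pattern is a heuristic, not a complete test.

```python
"""Flag DHCP log entries whose client hostname looks like it names the owner.

Added example, not from the original page. The log lines below are constructed
in the ISC dhcpd syslog style; the hostnames and MACs are made up.
"""
import re

# Constructed sample log: two Apple-default hostnames, one Windows default,
# one client that sent no hostname at all, and one generic name.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPREQUEST for 10.1.4.23 from 00:1b:63:84:45:e6 (Alicias-MacBook-Pro) via eth1
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.4.23 to 00:1b:63:84:45:e6 (Alicias-MacBook-Pro) via eth1
Mar  3 09:12:07 dhcp1 dhcpd: DHCPREQUEST for 10.1.4.24 from 5c:f9:38:aa:bb:cc (Bob-Hokies-iPhone) via eth1
Mar  3 09:12:09 dhcp1 dhcpd: DHCPREQUEST for 10.1.4.25 from 08:00:27:12:34:56 (DESKTOP-7G2KQ1) via eth1
Mar  3 09:12:11 dhcp1 dhcpd: DHCPREQUEST for 10.1.4.26 from 52:54:00:de:ad:01 via eth1
Mar  3 09:12:15 dhcp1 dhcpd: DHCPREQUEST for 10.1.4.27 from 3c:22:fb:01:02:03 (host) via eth1
"""

# One lease line: the client MAC, then an optional "(hostname)" taken from
# DHCP option 12. Clients that send no hostname have no parenthesised part.
LINE_RE = re.compile(
    r"DHCP(?:REQUEST|DISCOVER|ACK)\b.*?"
    r"(?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Heuristic only: the Apple default "<Owner>s-<Device>" shape, with or
# without a surname in front (e.g. "Alicias-MacBook-Pro", "Bob-Hokies-iPhone").
APPLE_DEFAULT_RE = re.compile(
    r"^(?:[A-Za-z]+-)*[A-Za-z]+s-"
    r"(?:MacBook(?:-Pro|-Air)?|iMac|Mac-mini|Mac-Studio|iPhone|iPad|Apple-Watch)$",
    re.IGNORECASE,
)


def hostname_looks_personal(hostname: str) -> bool:
    """True when the hostname appears to embed a person's name."""
    if not hostname:
        return False
    # An apostrophe (either style) almost always means "Someone's device".
    return bool(APPLE_DEFAULT_RE.match(hostname)) or "'" in hostname or "\u2019" in hostname


def parse_dhcp_log(text: str):
    """Yield (mac, hostname_or_None) for each lease request/ack line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("mac").lower(), m.group("host")


def audit_dhcp_log(text: str) -> dict:
    """Return {mac: hostname} for clients whose hostname looks personal."""
    flagged = {}
    for mac, host in parse_dhcp_log(text):
        if host is not None and hostname_looks_personal(host):
            flagged[mac] = host
    return flagged


if __name__ == "__main__":
    for mac, host in audit_dhcp_log(SAMPLE_DHCP_LOG).items():
        print(f"{mac}  hostname '{host}' appears to identify the owner")
```

Run against a real dhcpd log, the same function shows an administrator (or a user reviewing their own device) which clients are announcing a name. On the client side, the fixes the page recommends map to real settings: on macOS `scutil --set ComputerName`, `--set LocalHostName` and `--set HostName` rename the machine; on Linux with NetworkManager, `nmcli connection modify <connection> ipv4.dhcp-send-hostname no ipv6.dhcp-send-hostname no` stops option 12 being sent, and with plain dhclient removing the `send host-name` line from dhclient.conf does the same.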

Wireless

In the case of wifi access, a network password is required to authenticate. Ordinarily, this is linked to a PID, but departments have the ability to purchase VT-Wireless access for guests. The eduroam network also exists to provide free access to affiliates of other partner universities; in this case users must authenticate against their home RADIUS server.

For VT-Wireless users, and eduroam users from Virginia Tech, the identity of connecting users is logged on the RADIUS server.

For roaming eduroam users, only the anonymous (outer) identity can be logged by Virginia Tech; the actual identity is either logged by the user’s home institution or not at all. The anonymous identity only needs to end in the home institution’s domain; the username portion does not matter. For example, a UCSD affiliate could connect using an anonymous identity of anonymous@ucsd.edu, and Virginia Tech would have to request the actual identity of this user from UCSD.

NAT

On wireless, and on some wired networks, Network Address Translation (NAT) is used, which means the IP address assigned to your computer is translated to a different address before traffic leaves the network. These address pairings are logged.

IP Geolocation

For wired portals, CNS uses a subnetting scheme which allows wired addresses to be mapped to individual buildings. On wireless, NAT is used for IPv4, apparently with no building-to-address correlation. Wireless IPv6 addresses have several buildings on the same /64 subnets, although it is possible to distinguish between captive portal and encrypted SSIDs based on IPv6 address.

CNS and the IT Security Office have even more detailed logs useful for geolocating IP addresses. CNS logs device hardware (MAC) address and IP address associations on their routers by querying ARP (for IPv4) and neighbor table (for IPv6) information. For switches, MAC address and port mappings are stored, which can be mapped to each Ethernet portal, tying an IP address to a building and room number. For residence hall networks, this is done automatically when the daily upload cap is exceeded or if a DMCA complaint is received.

CNS also maintains a log of wireless access point associations. At least one faculty member has admitted to tracking students alleged to have cheated across campus using VT-Wireless logs.

IPv6 Privacy

By default, hosts use SLAAC for IPv6 addressing, with a link-local address that is a function of the device’s hardware (MAC) address. Unless privacy extensions are used, users can be uniquely identified as they travel between access points. Privacy extensions are enabled by default on many newer devices, but you should confirm this if you’re using Linux or an older device.
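An added example (not part of the original page) showing exactly what the paragraph above describes: with SLAAC and no privacy extensions, the low 64 bits of the address are a modified EUI-64 identifier built from the MAC, so the same identifier appears in every address the device configures, on every network. The code derives that identifier from a MAC, recovers the MAC from any address that carries it, and audits a list of addresses the way one might audit a neighbor-table dump. It goes slightly beyond the page by checking global addresses as well as link-local ones, since SLAAC builds both from the same identifier. The MAC and addresses are constructed; the `use_tempaddr` sysctl read at the end is the standard Linux knob for privacy extensions (0 off, 1 generated but not preferred, 2 generated and preferred).

```python
"""Audit IPv6 addresses for hardware-derived (modified EUI-64) interface identifiers.

Added example, not from the original page. The MAC 00:1b:63:84:45:e6 and the
addresses in SAMPLE_ADDRESSES are constructed for this example.
"""
import ipaddress
import re

# Constructed sample resembling a neighbor-table dump for one device.
SAMPLE_ADDRESSES = [
    "fe80::21b:63ff:fe84:45e6",           # link-local, EUI-64 from the MAC
    "2001:db8:1:10:21b:63ff:fe84:45e6",   # global, same identifier: trackable
    "2001:db8:1:10:4c3a:9f0e:2b71:d8a5",  # global, RFC 4941 temporary address
    "2001:db8:2:20:21b:63ff:fe84:45e6",   # another network, same device
]


def mac_to_modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC.

    RFC 4291 appendix A: split the 48-bit MAC in half, insert 0xfffe in the
    middle, and flip the universal/local bit (0x02 in the first octet).
    """
    octets = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address (the interface identifier)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64-derived address, or None.

    The tell-tale is 0xfffe in bytes 3-4 of the interface identifier; undoing
    the u/l bit flip recovers the MAC. A random temporary address will almost
    never carry this pattern, so None means "no hardware address exposed".
    """
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it leaks (None when nothing is leaked)."""
    return {a: embedded_mac(a) for a in addresses}


def use_tempaddr_enabled(sysctl_output: str) -> bool:
    """Interpret `sysctl net.ipv6.conf.all.use_tempaddr` output: only 2 means
    temporary addresses are both generated and preferred for new connections."""
    m = re.search(r"use_tempaddr\s*=\s*(\d)", sysctl_output)
    return bool(m) and m.group(1) == "2"


if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        status = f"leaks MAC {mac}" if mac else "no hardware address exposed"
        print(f"{addr:40} {status}")
    # On Linux, read the live setting from the standard sysctl location.
    try:
        with open("/proc/sys/net/ipv6/conf/all/use_tempaddr") as f:
            val = f.read().strip()
        if val == "2":
            print("use_tempaddr = 2: privacy extensions enabled and preferred")
        else:
            print(f"use_tempaddr = {val}: set net.ipv6.conf.all.use_tempaddr=2 "
                  "(and .default.use_tempaddr=2) via sysctl")
    except OSError:
        print("no /proc sysctl available on this platform")
```

The audit output makes the tracking problem concrete: three of the four sample addresses, on two different prefixes, resolve to the same MAC, while the temporary address resolves to nothing. On Linux the two sysctls named in the script are the persistent fix (put them in /etc/sysctl.d/); NetworkManager exposes the same thing per connection as `ipv6.ip6-privacy 2`.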

NetFlow Data

It’s known that CNS collects Cisco NetFlow data. It should be assumed that anything that crosses a VT router creates NetFlow data for both IPv4 and IPv6. NetFlow data is essentially the metadata of all communications seen by the NetFlow collector, including source and destination address, protocol, source and destination port, and routing information. We are not currently aware of how long this data is retained.

Best Practice Recommendations

  1. If anonymous access from a wired portal is desired, use an unused static IP on an open CNS port for a limited time period with a random MAC address.

  2. In general, it’s a good idea to use Tor to protect anonymity on the Internet.

  3. Use IPv6 privacy extensions when connecting to any network if your device has IPv6 enabled.

  4. Assume layer 4 metadata is retained indefinitely for all data leaving your subnet.

  5. When using campus networks, assume that everyone can identify your building and CNS/ITSO can identify your exact location.

  6. Do not use a hostname that can be directly tied to you; either change it to something generic, or configure your computer to not send a hostname when requesting an IP address with DHCP.
