- IP Addresses
- Administrate IP Addresses Online (Network Administrator)
- Computer Names
- Network Administrators
- Firewall / Packet Filter
- Abuse Handling
Every computer within a network needs a unique IP address. TCP/IP has established itself as the protocol of the worldwide internet, so the so-called IP address has to be unique worldwide. This applies to every computer: it has to be reachable via ping (at least within the TU network, see Class-B Networks of TU).
There are two IP (Internet Protocol) types: IP Version 4 and IP Version 6.
IP (Version 4)
IP Version 4 (often abbreviated IPv4 or IP4 or just IP) is the established protocol that has been in use for decades. An IP address (more precisely: an IPv4 address) consists of 4 numbers separated by 3 dots. Example: 22.214.171.124
The 4 numbers of IP addresses must be between 0 and 255. Thus the lowest IP address is 0.0.0.0 and the highest 255.255.255.255.
For special purposes there are also private IPv4 addresses which are not world-wide unique. They are formed from a certain part of the IPv4 address area:
- 10.0.0.0 to 10.255.255.255 (10.0.0.0/8 - a Class-A-Network)
- 172.16.0.0 to 172.31.255.255 (172.16.0.0/12 - 16 Class-B networks)
- 192.168.0.0 to 192.168.255.255 (192.168.0.0/16 - 256 Class-C networks)
In addition there are further IP address areas with special features (e.g. 169.254.0.0/16).
Due to the immense success of IPv4 there is a shortage of addresses, and they will not be sufficient in the long term.
IP Version 6
In order to compensate for the shortage of addresses and to improve some details, IP Version 6 (abbreviated IPv6) has been specified.
An IPv6 address is a hexadecimal character string separated by 7 colons. A method of abbreviation allows the omission of colons in some cases. Example: 2001:0638:0809:0000:0000:0000:0000:AC7F resp.
The 8 hex numbers of the IPv6 address must be between 0000 and FFFF. (A single hex number can be formed by the numbers 0-9 and the letters A-F).
IP Addresses of TUB (IPv4)
The TUB has got two Class-B networks for IPv4 with the public addresses:
- 126.96.36.199 to 188.8.131.52 (184.108.40.206/16, 65000 IPs)
- 220.127.116.11 to 18.104.22.168 (22.214.171.124/16, 65000 IPs)
Thus the first numbers of public IP addresses always start with 130.149 or 141.23.
Firewall rules covering the TU network always have to apply to both
A firewall ruleset "exclude all IP addresses but TU addresses" would look like this:
IP Addresses of TUB (IPv6)
The TUB has got these public addresses:
- 2001:0638:0809:0000:0000:0000:0000:0000 to
(2001:0638:0809::/48, more than 1 septillion IPv6 addresses)
Thus a TUB IPv6 address always begins with 2001:0638:0809.
Please note that ICMPv6 must not be prohibited in any firewall.
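The requirements above (cover both IPv4 networks, cover the IPv6 prefix, never block ICMPv6) can be checked mechanically. The following is an added example, not TUB's ruleset and not part of the original page: the `(action, protocol, source prefix)` rule format, the first-match evaluation and both sample rulesets are assumptions constructed for illustration, and the prefixes are the ones stated on this page.

```python
import ipaddress

# Prefixes stated on this page: two IPv4 Class-B networks and the IPv6 /48.
TUB_NETS = [ipaddress.ip_network(n) for n in
            ("130.149.0.0/16", "141.23.0.0/16", "2001:638:809::/48")]

def decide(rules, proto, src):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src)
    for action, rule_proto, prefix in rules:
        net = ipaddress.ip_network(prefix)
        if (rule_proto in ("any", proto)
                and addr.version == net.version and addr in net):
            return action
    return "deny"

def audit(rules):
    """Check a 'TU addresses only' ruleset against the page's requirements."""
    findings = []
    allowed = [ipaddress.ip_network(p) for action, proto, p in rules
               if action == "allow" and proto == "any"]
    for net in TUB_NETS:
        # subnet_of() only compares networks of the same IP version.
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append(f"{net} is not covered by an allow rule")
    # ICMPv6 carries neighbour discovery, so probe it from a link-local source.
    if decide(rules, "icmpv6", "fe80::1") != "allow":
        findings.append("ICMPv6 is blocked")
    return findings

# Constructed rulesets in the hypothetical (action, protocol, prefix) format.
INCOMPLETE = [("allow", "any", "130.149.0.0/16"),
              ("deny", "any", "0.0.0.0/0"), ("deny", "any", "::/0")]
COMPLETE = [("allow", "icmpv6", "::/0"),
            ("allow", "any", "130.149.0.0/16"),
            ("allow", "any", "141.23.0.0/16"),
            ("allow", "any", "2001:638:809::/48"),
            ("deny", "any", "0.0.0.0/0"), ("deny", "any", "::/0")]

if __name__ == "__main__":
    for name, ruleset in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, audit(ruleset) or "ok")
```

The coverage check looks only at allow rules and does not model an earlier deny rule shadowing a later allow.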
IPv6 is currently not being employed at TUB.
The IPv6 team currently evaluates the technical and organisational aspects which are the basis for a later implementation of the protocol. In advance one can say:
- IPv6 offers advanced technologies which will facilitate working in some cases.
- TUB does not need IPv6 since there are enough IPv4 addresses.
- IPv6 is (despite the long history of 20 years) a new and rarely employed technology
- The traffic monitored by DE-CIX is 99.8% v4 and 0.2% v6 showing the current significance in Europe
- IPv6 offers new technological challenges which are not completely covered by manufacturers and us
- Possible issues: v6-ACLs completely hardware based? -> interaction: Sup, FWSM, OSPF, BGP, ASA; DAD attacks; FW rules for /64 networks; DNS entries for diced v6 addresses; different interfaces for local/global communication; static DHCPv6; ...
currently not supported technology we reserve the right to block IPv6
traffic (including tunnels).
If you need IPv6 for research or teaching please contact your network administrator. The administrator should inform us about the project and we will evaluate whether the project can be realised with our capacities.
Administration of IP Addresses/DNS
The registration, change or deletion of IP
addresses and DNS entries is conducted by the network administrator of
your department (->Why?). Since there is not an unlimited number of
IP addresses, applicants will only receive addresses according to
their needs. For house networks we will deregister IP addresses which
have been unused for more than a year without notification.
For adjusted subnetworks we will occasionally check whether the size of your subnetwork is appropriate.
Administrate IP Addresses Online (Network Administrator)
The menu "IT-Anträge/IP-Adresse" in TU Portal allows network administrators of a department to use the application "IP-Adresse". With this application you can administrate the IP addresses and subnetworks of your department online. This requires the role "dns-verwalter".
The main properties are:
- Administration of own computers in your subnetworks and subdomains
- All changes come into effect immediately
- IP address can be (but should not be) specified
The new web interface is not completely connected with the new DNS appliance; therefore there are some issues. An already registered IP address cannot be changed, only deleted (and registered again). It can take up to 30 minutes for a DHCP change to come into effect.
Further information about the application IP-Adresse
The Domain Name Service (DNS) translates IP addresses into names which are handy for humans and vice versa. For example www.heise.de becomes 126.96.36.199 and vice versa. DNS is structured as a hierarchy. The individual components are separated by dots.
Each organisation with its own addresses has one or more DNS servers.
DNS at TUB
The nameserver of TUB is:
The system corresponding to that IP is redundant. For an increased safeguarding against failure you can use the following name server in addition (not instead) which is outside of TUB:
Caution: The name servers used until 2010 (188.8.131.52 and
184.108.40.206) are shut off!
If you still use them (even as second or third server), please remove them immediately. The IPs will be used for other purposes soon and the DNS-requests may be regarded as attacks or malfunction.
To all operators of firewalls:
Please ensure that the IP 220.127.116.11 is cleared for DNS.
To all operators of DNS servers:
Please ensure that you have the DNS server 18.104.22.168 for all zones which are not covered by your DNS server. Do not expect that your name server is allowed to send requests to our server recursively.
A domain is text which describes an entry of the hierarchical DNS. Germany has the top-level domain DE and TU Berlin has the part TU-Berlin.DE, meaning it is a subdomain of DE if you choose DE as the starting point.
Subdomains at TUB
Every computer name at TUB ends with TU-Berlin.DE; therefore we call this our "main domain" and the subordinate hierarchical layer the "subdomain". This is necessary since there are more than 20000 TU computers which cannot all be labeled name.TU-Berlin.DE. Instead they receive a name like name.subdomain.TU-Berlin.DE. Every department with an organisational character can receive its own subdomain name. This name is connected with the OrgName and has the same name. These rules apply - not only for websites:
- 2 to 20 characters, no person names
- Characters: a-z, 0-9, hyphen, first character has to be a letter
- The person in charge of the cost centre resp. FIO
assures, that there are no 3rd party claims for the name. For a use in
a university context name and trademark rights are relevant (according
to Prof. Dr. Hoeren, Lehrstuhl Rechtsinformatik, Uni Münster,
DFN-Conference "Praktische Rechtsfragen" 14.02.2008).
You can research name rights with the following methods:
- Contract a lawyer
- Use a major search engine and examine the first 30 hits
In addition to that subdomain you can apply for more subdomains if necessary:
- Langname (long name; if the orgname is an abbreviation: extended form of the orgname, for example orgname info, Langname: informatik)
- Übersetzung (translation; only for departments with strong focus on international activities, for example orgname info, translated into computer-science)
- Internet/Project name (name for specific projects, they will be deleted 6 months after the project has been finished)
At the moment dozens of subdomains exist with names like:
- math.TU-Berlin.DE (Institut für Mathematik)
- siwawi.TU-Berlin.DE (Fachbereich Siedlungswasserwirtschaft)
- zuv.TU-Berlin.DE (zentrale Universitätsverwaltung)
Another hierarchical level (subsubdomains) is not available at the moment. Existing subsubdomains are exceptions.
Domains outside TU-Berlin.DE
External domains (which do not end with TU-Berlin.DE) are not administrated by NOC. Existent domains are exceptions.
You can get external domains from external providers and administrate them using the provider's tools, but please note:
- Such domains do not comply with the corporate design of TUB as enacted by the chancellor and all faculties. Therefore they are usually inadmissible.
Exceptions are for example cooperations with other universities or projects where TUB is not in charge (or just acts as a host). These websites must not carry the corporate design.
- You are responsible for keeping the entries up to date. NOC cannot help.
- The domain is registered for a natural person (not for an institute or similar). This person will receive a bill (which can be covered by TUB) and is the responsible party in case of a lawsuit.
- The natural person
ensures that the desired name is free of 3rd party rights. For a
use in a university context name and trademark rights are relevant
(according to Prof. Dr. Hoeren, Lehrstuhl Rechtsinformatik, Uni
Münster, DFN-Conference "Praktische Rechtsfragen"
You can research name rights with the following methods:
- Contract a lawyer
- Use a major search engine and examine the first 30 hits
Differing from the first paragraph NOC can conduct the registration of an external domain in special cases. In that case NOC chooses the provider and only takes care of the technical execution but will not provide a responsible person for the content and will not pay the charges (36 EUR/year + 36 EUR for setup).
Subdomains are the technical basis for OrgName, Internet and Project names. They can only be applied for by the corresponding role administrator.
Websites must comply with the Rules for the allocation of webdomains  (see current notice of the chancellor from 15.05.2007).
Note: This is not about Domain-Name-Service (DNS-Entries) for computers and not about Windows domains.
A complete name/IP address pair looks like this at TUB:
licman1.tubit.TU-Berlin.DE = 22.214.171.124
Are names necessary?
Depending on the task of a computer it is often not necessary to assign a name, but it facilitates administration and troubleshooting. Therefore every computer at TUB receives a name in a subdomain.
DNS Names using Windows (Windows Domains)
Windows employs its own name and domain concept which only partly complies with the actual DNS. For you this means, that you do not necessarily need to use the DNS name you chose in your IP application as your computer name for Windows. But you should do it anyway in order to avoid confusion and to facilitate troubleshooting.
Subdomains have nothing to do with subnetworks.
A network is a group of contiguous IP addresses. A subnetwork is a contiguous part of that group.
Subnetworks at TUB
The TUB has two Class-B networks which could potentially contain 2 times 65000 computers. For numerous reasons these 2 networks are divided up into subnetworks. (An assembly of the two networks to a 130.000 IP network is not possible - and does not
All TUB subnetworks of the first network have 130.149 as first and second number, two more numbers follow. Only in connection with the subnet mask (255.255.x.y) the size of the subnetwork is determined. Therefore please provide both. (We do not assume that you have a Class-C network. Therefore it is not sufficient to specify only the third number of your IP address.)
Example: If you have the IP address 126.96.36.199, it is not sufficient to say that you have the 107 subnetwork, since you only have a part of the 130.149.107 subnetwork, which is a part of the TUB network 130.149. You could only say: "I have one of the 107 subnetworks", but this specification is still incomplete. Instead please give us the IP (188.8.131.52) and subnet mask (255.255.255.192). This allows us to see that your subnetwork ranges from 184.108.40.206 to 220.127.116.11.
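Why the third number alone is ambiguous, and how IP plus subnet mask resolve it, can be shown with Python's standard `ipaddress` module. This is an added example, not part of the original page; the host address 130.149.107.70 is constructed, while the mask 255.255.255.192 and the two TUB networks are taken from the text.

```python
import ipaddress

# The two TUB IPv4 networks named on this page.
TUB_V4 = [ipaddress.ip_network(n) for n in ("130.149.0.0/16", "141.23.0.0/16")]

def describe_subnet(ip, mask):
    """Return (network, first address, last address, number of addresses)."""
    # strict=False accepts a host address and masks off the host bits;
    # a non-contiguous mask such as 255.255.0.255 raises ValueError.
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if not any(net.subnet_of(t) for t in TUB_V4):
        raise ValueError(f"{net} is not inside a TUB network")
    return net, net.network_address, net.broadcast_address, net.num_addresses

def candidates(third_number, mask):
    """Every subnetwork of this size that 'the <n> subnetwork' could mean."""
    block = ipaddress.ip_network(f"130.149.{third_number}.0/24")
    prefixlen = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    if prefixlen <= block.prefixlen:
        # Mask of 255.255.255.0 or shorter: one subnetwork spans the block.
        return [block.supernet(new_prefix=prefixlen)]
    return list(block.subnets(new_prefix=prefixlen))

if __name__ == "__main__":
    # Constructed host address; the mask is the one used in the text above.
    net, first, last, count = describe_subnet("130.149.107.70",
                                              "255.255.255.192")
    print(f"{net}: {first} to {last} ({count} addresses)")
    for c in candidates(107, "255.255.255.192"):
        print("possible '107 subnetwork':", c)
```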
We do not know how the IPv6 address space will be divided as soon
as IPv6 will be officially implemented.
Subnetworks have nothing to do with Subdomains.
Due to historical reasons, we have a register of responsible persons for every computer. For modern subnetworks (not house networks) we have replaced this by network administrators who are responsible for all computers of their cost centre and subnetwork. Requirements are:
- own subnetwork (no house network)
- provisioned account
- person officially appointed using TU Portal TUBIS
You can look up the network administrators of cost centres using the TU Portal application "Liste der Rollenverwalter und IT-Betreuer". The application does not give information about the corresponding subnetworks.
For house networks the following applies: the network administrator is not responsible for the entire network, but for those computers belonging to his/her organisational unit. He/she does not have any influence on other computers within the house network.
Entitled is only the person appointed by the person in charge of the cost centre, a provisioned employee of TUB.
The network administrator will be notified by NOC if any computers within his administration cause any problems (such as abuse) and is allowed to issue register/change applications. If the administrator does not apply himself, it has to be ensured that the administrator is notified. This can be done by sending an e-mail as applicant (not entitled) to email@example.com with CC (copy) to the corresponding (entitled) network administrator.
We use the address information saved in TUBIS for contacting the network administrator. If we do not have that information, we can not contact the network administrator. The operations necessary for maintenance and security will be conducted in any case.
Why can't everyone be administrator?
- Nobody wants 20000 administrators for 20000 computers. There would be a chaos of responsibilities, directives, unauthorised applications, vacations, representatives and so on.
- Most users do not want to (and should not) be confronted with administration details.
- Computers are not alone but form groups in subnetworks. If a network has to be renumbered every user has to be notified individually
- We can not and do not want to decide over contradicting interests within an organisational unit. We need one person who communicates with us and has dealt with all internal issues in advance.
Persons who hold the network administrator role (Netzbetreuer resp. dns_verwalter) are entitled by definition.
Firewall / Packet Filter
A firewall is a software
which can filter data in some cases more precisely than a packet
A packet filter is software which operates in the data path between sender and recipient of data packets, in particular
- on the sender's computer and/or
- on the router between sender network and recipient network and/or
- on the recipient's computer
and can permit or deny the transfer based on a ruleset.
tubIT offers a firewall for every subnetwork (which is not a house network) which is installed on our routers. By definition these firewalls can not influence the traffic within the same subnetwork.
If you need a certain service, please contact your network administrator who is entitled to apply for the firewall change at NOC.
The network infrastructure and computers of TUB serve research and teaching. If a computer shows abusive activities, it will be blocked and the device administrator (for house networks) respectively the network administrator (for department subnetworks) will be notified via e-mail.
The e-mail contains the reason for blocking and demands a statement.
The blocking serves as protection against dangers resp. the enforcement of the President's authority within the existing contracts and laws. There is no advance notification before the blocking. Possible reasons are:
- endangering computer behaviour caused by malware (viruses, trojans, spam bots etc)
- excessive "testing" of other computers (flood-ping, port-scans etc)
- felonies (child pornography, incitement etc)
- activities not covered by research and teaching (movie/mp3 sharing, TOR exit nodes, IP proxies etc)