Archive for the ‘Network’ Category

Apple built-in VPN will stop working at ETH

Monday, October 30th, 2023

Central IT services (Informatikdienste) will gradually disable the older IPsec protocol for the ETH VPN:

  • 16th Nov 2023 for students (@student-net.ethz.ch realm)
  • 13th Dec 2023 for employees (@staff-net.ethz.ch realm)

Those of you who already use the Cisco Secure Client for your VPN connections will not be affected by this change. The Linux openconnect client will also continue to work.

However, any client that relies on the IPsec protocol will stop working. In particular, the built-in VPN client of Apple operating systems (macOS, iOS, iPadOS) will no longer connect. All affected users must migrate to the Cisco Secure Client in the upcoming weeks to avoid any disruption of the VPN service.

For the actual installation, please refer to the VPN documentation of Informatikdienste, or our own readme for macOS.

Also note that, in the upcoming months, ETH will enable multi-factor authentication (MFA) for the VPN service, so all users will have to enter a one-time password (OTP) when connecting to the VPN. This is similar to the other services, mainly the cloud services of Microsoft, Adobe and Zoom, where MFA is already enforced for ETH accounts. Further details regarding the VPN MFA migration will be announced as soon as the precise dates have been fixed.

Partial Network Downtime on Mon 6th Dec after 19h00

Monday, November 29th, 2021

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPK, HEZ, HPM, HPL and HPW on Monday 6th Dec 2021 in the evening between 19h00 and 23h00.

This is the second of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don’t need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 3rd Dec 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

Partial Network Downtime on Mon 8th Nov after 19h00

Monday, November 1st, 2021

The central Informatikdienste will have a scheduled downtime of all networking (cable and wireless) in the buildings HPH, HPP, HPR, HPS, HPV and HPZ on Monday 8th Nov 2021 in the evening between 19h00 and 23h00.

This is the first of three downtimes for the ongoing project to split the current networks into smaller chunks. This major undertaking will also induce a short downtime for some computers in the dynamic DHCP pool in other buildings (as some of our IP ranges are being moved to the listed buildings).

Users don't need to do anything and their computers should come back online automatically. Otherwise try to reboot or get in touch with us.

In order to prepare for the migration, Informatikdienste will forbid all changes to their DHCP servers between Friday 5th Nov 13:00 and Tuesday morning. As a consequence we will not be able to register new devices or hostnames during this period.

D-PHYS network migrations

Wednesday, July 7th, 2021

Several network migrations will take place over the next months that will have an impact on the design and inner workings of the Ethernet network at D-PHYS. Even though all hosts will be affected at a technical level, we believe that most changes will not require any involvement from your side. By the end of the year this should further increase the fault-tolerance of the cabled network infrastructure and enhance the security of the bulk of the computers at D-PHYS.

Network segmentation

The central Informatikdienste are splitting several networks into smaller chunks to increase the overall stability and fault-tolerance. Unfortunately the details are flagged as confidential, prohibiting us from exposing the precise structure of this segmentation. The main repercussion is that our D-PHYS networks will no longer be able to span across all current buildings at once. So depending on the building, we will have to introduce new subnets and assign new IP addresses to the computers inside.

NAT network

Motivated by the above-mentioned segmentation as well as security considerations, we are planning to migrate a large number of hosts to a NAT network. This means that the computer will only get an ETH-internal IP address and will no longer be directly reachable from outside of ETH. From inside ETH or via VPN, all communication with that computer remains unaffected. While the host can still reach all of the internet, it will no longer be exposed to direct attacks from the outside. We believe that this is a very sensible default for most computers and laptops. Of course it will still be possible to assign a public IP to selected hosts in order to provide a specific service to the outside. The new NAT network also provides DynDNS hostnames of the form <sent hostname>.dhcp-int.phys.ethz.ch (where the sent hostname is the one your DHCP client sends in its request) and full IPv6 connectivity. So if you rely on DNS entries for dynamic IP addresses, make sure to use the domain dhcp.phys.ethz.ch for public subnets and dhcp-int.phys.ethz.ch for internal subnets.

DHCP migration

Right now, some of our networks are serviced by our own D-PHYS DHCP servers, while others use the DHCP servers of central IT services. We are now consolidating all networks and migrating the remaining ones step-by-step to the DHCP servers of Informatikdienste. This change is mostly technical and should remain unnoticed by most users.

For further details and up-to-date information please refer to our readme page.

Migration of Dynamic DNS

Tuesday, January 21st, 2020

Some of you make use of our DynDNS infrastructure that automatically assigns hostnames to computers with a dynamic IP address. This feature enables you to connect to your computer using the hostname it sends to the DHCP server, followed by the dhcp.phys.ethz.ch domain (e.g. example.dhcp.phys.ethz.ch), instead of the ever-changing dynamic IP address.

On Thursday morning, Jan 30 2020, between 9:00 and 11:00, we will be migrating our DynDNS service to the servers of central Informatikdienste. As a consequence the resolution of example.dhcp.phys.ethz.ch to its dynamic IP address may not always work during that time. The global phys.ethz.ch and ethz.ch domains are not affected. Therefore the bulk of our users will not even notice the migration.

Update: Informatikdienste have postponed the migration from 23rd to 30th January.

Advance information: network migration

Thursday, July 12th, 2018

After a long (11 years) phase of stability in the D-PHYS network, we are preparing a pretty extensive network reorganization for 2018. This is mainly driven by ever-increasing information security requirements mandated by ETH. The D-PHYS network has traditionally been very open and we will try to keep it that way, but we need to implement some modifications. The basic premise is to partition our current /21 network (2048 IP addresses) into smaller groups that better represent the types of machines in those networks. This will then allow us to tailor each group's firewall rules to the services needed by those machines. The roadmap looks like this:

  • Rearrange hosts in current /21 net to align with future VLAN boundaries
  • Partition the /21 net into smaller VLANs
  • Migrate individual subnets from our DHCP server to that of ID (Informatikdienste). This will also allow us to assign IPv6 addresses
  • Migrate the subnets into different virtual private zones (VPZ)
  • Assign and fine tune firewall settings on the different VPZ

As usual, we'll try to implement these steps as smoothly as possible. However, a migration on this scale will not go entirely without issues. Step 1 will entail an IP address change for quite a number of hosts. We'll make sure that our dyndns host names (foobar.dhcp.phys.ethz.ch) will be in sync with the new addresses, but this only works for properly configured DHCP hosts. Here's how you can help: if you have any hosts in the 192.33.96.0/21 D-PHYS network that are statically configured (non-DHCP), please get in touch with us ASAP. The same is true if you're using hard-coded IP addresses from that range instead of host names. We'll need to deal with those hosts individually.
In the course of 2018 we'll keep you updated on project progress and announce specific dates when we implement changes.
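The request above (tell us about hosts in 192.33.96.0/21 that are statically configured or that have the range hard-coded) is something you can check on a host yourself before getting in touch. The script below is an added example, not ISG's tooling: it scans a handful of constructed sample config files (paths and contents are made up for the demonstration) for any IPv4 address or CIDR that lies inside or overlaps the /21, and separately flags Debian-style static interface stanzas. Version strings that merely look like addresses, and addresses outside the range, are ignored.

```python
"""Audit config files for hard-coded addresses in a subnet that is about to be renumbered."""
import ipaddress
import re
from typing import Dict, Iterator, List, NamedTuple

# The range named in the announcement; any other IPv4Network works the same way.
DPHYS_NET = ipaddress.ip_network("192.33.96.0/21")

# Dotted-quad IPv4 address, optionally followed by a /prefix length,
# not glued to further digits or dots (so "1.2.3.4.5" is not split into a match).
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\d.])")


class Hit(NamedTuple):
    path: str
    line_no: int
    address: str   # the literal as written in the file, e.g. "192.33.99.12/21"
    line: str


def find_hardcoded(path: str, text: str, net: ipaddress.IPv4Network = DPHYS_NET) -> Iterator[Hit]:
    """Yield one Hit per literal in `text` that is inside `net` or, for a CIDR, overlaps it."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _IPV4_RE.finditer(line):
            raw, prefix = match.group(1), match.group(2)
            try:
                if prefix is None:
                    inside = ipaddress.ip_address(raw) in net
                else:
                    # strict=False tolerates host bits being set, e.g. 192.33.99.12/21
                    inside = ipaddress.ip_network(f"{raw}/{prefix}", strict=False).overlaps(net)
            except ValueError:
                continue  # octet > 255, bad prefix, or a version string like 2.3.4.1 that is not an address
            if inside:
                yield Hit(path, line_no, match.group(0), line.strip())


def is_static_interface(interfaces_text: str) -> bool:
    """True if a Debian-style /etc/network/interfaces contains a statically configured IPv4 iface."""
    return re.search(r"^\s*iface\s+\S+\s+inet\s+static\b", interfaces_text, re.M) is not None


def audit(files: Dict[str, str], net: ipaddress.IPv4Network = DPHYS_NET) -> List[Hit]:
    """Run find_hardcoded over a {path: contents} mapping and collect the hits in file order."""
    return [hit for path, text in files.items() for hit in find_hardcoded(path, text, net)]


# Constructed sample inputs standing in for real files on a host (not taken from any ETH system).
SAMPLE_FILES = {
    "/etc/hosts": "127.0.0.1 localhost\n192.33.97.42 nfs-server\n",
    "/etc/fstab": "192.33.100.7:/export/home /home nfs defaults 0 0\n",
    "/etc/network/interfaces": "iface eth0 inet static\n    address 192.33.99.12/21\n    gateway 192.33.96.1\n",
    "/etc/ssh/sshd_config": "ListenAddress 0.0.0.0\nAllowUsers admin@10.0.0.0/8\n",
    "/opt/app/config.ini": "version = 2.3.4.1\ncollector = 198.51.100.7\n",
}

if __name__ == "__main__":
    for hit in audit(SAMPLE_FILES):
        print(f"{hit.path}:{hit.line_no}: {hit.address}  ({hit.line})")
    if is_static_interface(SAMPLE_FILES["/etc/network/interfaces"]):
        print("/etc/network/interfaces: static IPv4 configuration, will not follow a DHCP renumbering")
```

On a real machine, feed it the actual files, e.g. `audit({p: open(p).read() for p in paths})` over /etc/hosts, /etc/fstab, network and service configs. Hits in NFS mounts, interface definitions and hosts entries are exactly the literals that should become a hostname (ideally a DynDNS or registered name) or a DHCP lease before the renumbering.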

Update: since Informatikdienste are currently drafting an even more comprehensive Hönggerberg network reorganization that will deeply impact our plans as well, this project is currently on hold until we know more. Stay tuned.

Access to Windows Remote Desktop blocked from outside ETH

Tuesday, January 3rd, 2017

In the last few weeks we discovered some attempted attacks on the Windows Remote Desktop feature from sources outside of ETH.

In order to protect both your machines and our network, we decided to block RDP access from ETH-external networks. If you still need access from outside the ETH network (e.g. from home) you have to first open a VPN connection to ETH and then start the Remote Desktop client.

More information about installing the VPN client is available here.

Network upgrade at D-PHYS

Friday, September 23rd, 2016

In collaboration with our colleagues in Informatikdienste we will use the upcoming months to upgrade the D-PHYS network in order to make it ready for the future. In particular, we will enable the IEEE 802.1X protocol in our network, which will allow us to virtually patch any VLAN to each individual client. This will also pave the way for the upcoming VoIP telephony deployment in D-PHYS. The migration will be a step-by-step process and we will visit each building and floor individually to address potential questions during the migration. The typical desktop or laptop computer will not notice the change except for a short interruption of < 1 min. Certain macOS clients will need a bit of persuasion, however; the required steps are described here.
Things will look a bit different for new clients that connect to the D-PHYS network for the first time only after the migration: they will not display the well-known ISG D-PHYS landing page, but an OS popup or a generic ETH page. This works the same way as the ETH wifi. You either supply your n.ethz credentials in the popup or you log in via the landing page. Your machine will then be patched into the ETH docking network. If you have a specific reason to have your machine in the D-PHYS network (HPx::745 for the technically inclined), please let us know and we will register your MAC address in our database - just like you did in the past. All existing machines at D-PHYS have been preregistered for HPx::745 in order to avoid any confusion.
So please be ready when Alex shows up in your group and announces the migration date.

Scheduled Maintenance Downtime Starting on Thursday, 14th of April, 5pm

Thursday, April 7th, 2016

Due to required changes to our network infrastructure and some hardware maintenance, we're scheduling a maintenance downtime for most D-PHYS servers starting on Thursday, 14th of April 2016, at 5pm. The downtime will last several hours and single services may be down for longer than others or will be down multiple times in a row.

We'll update this posting as soon as things are back to normal.

Most D-PHYS services will be affected by that downtime, especially file servers and e-mail services, but also some virtual machines and most websites hosted by ISG D-PHYS are affected. (http://www.phys.ethz.ch/ and other AEM-hosted websites are not affected.)

E-mails coming in during the downtime will be held on the sender's side and will arrive at D-PHYS with a delay. Sending e-mails won't be possible during the downtime either.

After the migration we will benefit from a faster and more reliable network connection to our servers.

Update at 19:30: Most services are back to normal. Expect further downtimes for home directories and mail later this evening.

Update at 23:00: All services are available again.

Update Fri 09:00: After Thursday's network migration a defective patch cable caused network problems on Friday morning.

Windows Server 2003 reaches its End-of-Life in July 2015

Thursday, June 25th, 2015

Microsoft will provide a final batch of patches for Windows Server 2003 on July 14th, 2015. After that, no more security and stability fixes will be released. This means that machines still running Windows Server 2003 conflict with the ETH BOT (Benutzungsordnung für Telematik, the acceptable use policy for telematics), which requires that every computer connected to the ETH network must be fully updated and secured.

The central IT security group of ETH continuously inspects the network streams for signatures of Windows XP and Windows Server 2003 computers. If you have a Windows Server 2003 machine connected to the public network, please migrate the operating system to a newer version, e.g. Windows Server 2012.
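The post does not say which signatures the central security group matches on. As an added example, not ETH's detection logic, the script below uses one widely known passive signal, the `Windows NT x.y` token that Internet Explorer and other browsers put into the HTTP User-Agent header (NT 5.0 is Windows 2000, 5.1 is Windows XP, 5.2 is Windows XP x64 or Windows Server 2003), and runs it over a few constructed access-log lines in combined log format. The source addresses, timestamps and requests are made up.

```python
"""Passively flag legacy Windows hosts from the User-Agent field of HTTP access logs."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, NamedTuple, Optional, Set

# NT kernel version tokens and the end-of-life client OS families they identify.
# NT 5.2 is inherently ambiguous: Windows XP x64 and Windows Server 2003 share it.
LEGACY_NT = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
}
_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Combined log format: client, ident, user, [time], "request", status, size, "referer", "user-agent".
_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


class Finding(NamedTuple):
    src: str
    os_family: str
    user_agent: str


def classify_user_agent(ua: str) -> Optional[str]:
    """Return the legacy OS family named by a User-Agent, or None for anything else."""
    m = _NT_RE.search(ua)
    return LEGACY_NT.get(m.group(1)) if m else None


def scan_log(lines: Iterable[str]) -> Iterator[Finding]:
    """Yield one Finding per parseable log line whose User-Agent names a legacy NT version."""
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than guess
        family = classify_user_agent(m.group("ua"))
        if family:
            yield Finding(m.group("src"), family, m.group("ua"))


def hosts_by_family(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Aggregate distinct source addresses per legacy OS family, ready for a ticket or report."""
    out = defaultdict(set)
    for f in scan_log(lines):
        out[f.os_family].add(f.src)
    return dict(out)


# Constructed sample log lines (addresses, times and requests are invented for the demo).
SAMPLE_LOG = [
    '192.33.97.10 - - [25/Jun/2015:10:01:02 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/38.0"',
    '192.33.97.11 - - [25/Jun/2015:10:01:05 +0200] "GET /update HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64)"',
    '192.33.97.12 - - [25/Jun/2015:10:02:00 +0200] "GET /a HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.33.97.11 - - [25/Jun/2015:10:03:00 +0200] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64)"',
    '192.33.97.13 - - [25/Jun/2015:10:04:00 +0200] "GET /c HTTP/1.1" 200 9 "-" "curl/7.38.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for family, hosts in sorted(hosts_by_family(SAMPLE_LOG).items()):
        print(f"{family}: {', '.join(sorted(hosts))}")
```

A User-Agent is trivially spoofed and only exists in HTTP traffic, so a hit is a lead to verify on the host, not proof; conversely a Windows Server 2003 box that only serves and never browses produces no such line at all, which is why a central team would combine this with other signals (SMB dialects, TLS fingerprints, patch inventories) rather than rely on it alone.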

If you have any questions or need help, please do not hesitate to contact the ISG D-PHYS Helpdesk.