August 24 at 8 a.m. we will change the network to strict enforcement of local address rules. Til now, we have been running loose rules by providing a proxy ARP service to help misconfigured computers find campus network services. We are making this change to assure that the network is not short circuiting one of the new enhancements in Windows XP SP 2. Proxy ARP is a service originally intended for operating systems that do not factor subnet information when deciding which packets should be sent to a router. It has the side effect of helping systems that could make this decision but for lack of proper information about the net mask. One of the new XP firewall rules will block work group file sharing beyond the local subnet. Hence it is important for the PC to accurately distinguish between local and distant addresses. The proxy arp service blurs that distinction and would put misconfigured computers at additional risk by exposing them to unexpected connections. Properly configured computers will have the correct value for the subnet mask. On Windows XP/2000 this can be viewed in a command window with the ipconfig command. You'll get a display that looks like: Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : ucsc.edu IP Address. . . . . . . . . . . . : 128.114.2.192 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 128.114.2.252 If your computer's subnet mask is correct, the change will not affect you. While proxy ARP interfers with SP 2 security, this change does not require users to install SP 2. After we make this change, computers with the wrong value will not be able to connect to some computers off their local subnet. There is not a single right value for the netmask that covers the entire campus. Hence our recommendation: let DHCP take care of the details of setting network parameters. To do a manual check of the netmask, you can verify the correct value for this important parameter in the tables at: http://toolbox.ucsc.edu/cgi-bin/dhcpstat/dhcpstatus_front_nolink.cgi While the driver for this change is SP 2, computers of all flavors will be affected. If they have been hand-configured with the wrong mask value, they will have net problems starting on the 24th. Sun and SGI workstations historically have had more wrong mask problems than Windows and Macs.