One MAC per port is very low yield, won’t do anything to stop even a mildly sophisticated attacker, and often just makes life more difficult than it needs to be. Especially for a college network where any notion that the general network is “secure” is a complete joke.
It's not meant to be a comprehensive security plan, but rather a very easy thing to have configured on each port, to stop people from plugging $20 8 port dumb switches into managed infrastructure.
If you use a cheap router instead of a switch, the far end will only see one MAC address, which is the one of the router. Doing NAT then is as easy as it could be. You could literally use just about any router out of the box without even configuring anything. You can also add an ethernet switch behind this device easily. Only limiting a port to a single MAC is therefore somewhat pointless. You would prohibit valid use cases (adding a switch) without hindering any nefarious user (guy with a cheap router). Also, NAT for MAC addresses is a thing, although not necessarily the most useful approach in this case...
Wait till he finds out that people frequently use multiple VMs with their own MAC addresses on a given physical box. Especially in the kind of lab where people are working on security projects.
Edit: or that security includes availability in addition to confidentiality and integrity
Eh, at work I either have to assign them pre-approved MAC addresses or get approval for VM MACs, or just pretend my PC is a router and all VMs get a 100.*.*.* IP (10.*.*.* is used for the network already).
Why rfc6598 space instead of one of the other 1918 ranges? I would expect pretending to be a cgn on an internal network to blow up in spectacular fashion.
I think he means doing NAT on his PC itself (such as is the default network configuration on virtualbox), where it doesn't ordinarily matter what private IP range the VMs are located in. VMs get DHCP leases and a default gateway from the host. The host presents only one IP address and MAC to what it's physically plugged into.
I know what NAT is, and even if I didn't it was obvious from the post; my question was about the range chosen for the clients. Given that the RFC covering 100.64.*.*/10 is specifically for carrier-grade NAT (that's what cgn in my post refers to), I was surprised at the choice to use it instead of one of the other private IP ranges specified in rfc1918, such as 192.168.*.*/16.
One place where cgn addressing can trip people up is with DNS; lots of DNS servers (especially the flimsy ones used in lab-in-a-box setups) end up filtering host records for those ranges which can screw up SSH by making the reverse lookup fail, for instance.
Edit: from the text of the RFC -
"""Because CGN service requires non-overlapping address space on each
side of the home NAT and CGN, entities using Shared Address Space for
purposes other than for CGN service, as described in this document,
are likely to experience problems implementing or connecting to CGN
service at such time as they exhaust their supply of public IPv4
addresses."""
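The address-range discussion in this thread (the choice of RFC 6598 space for VMs behind a host NAT, the upstream already using 10.*.*.*, and the RFC text on non-overlapping address space), as an added example that is not part of any commenter's post: a small Python script using only the standard library's `ipaddress` module. It classifies addresses as RFC 1918, RFC 6598 or neither, checks a VM-side NAT subnet for overlap with the upstream, and goes slightly beyond the thread by showing how the standard library itself reports 100.64.0.0/10 (neither private nor global), which is the kind of detail that trips up filters written as "anything not private is public". The sample addresses and subnets are constructed for the example.

```python
"""Added example (not from any poster in the thread): classify IPv4 addresses
as RFC 1918 private, RFC 6598 shared (CGN) space, or neither, and check that a
host-side NAT subnet for VMs does not overlap the upstream network."""
from ipaddress import IPv4Address, ip_address, ip_network

# RFC 1918 private ranges and the RFC 6598 shared address space.
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
RFC6598 = ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'rfc6598' or 'other' for an IPv4 address string."""
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        raise ValueError(f"IPv4 only: {addr}")
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in RFC6598:
        return "rfc6598"
    return "other"


def stdlib_view(addr: str) -> tuple[bool, bool]:
    """(is_private, is_global) as reported by the standard library.

    For 100.64.0.0/10 both flags are False: the range is neither private nor
    globally reachable. A filter that treats every non-private address as
    public will therefore misclassify CGN-addressed lab hosts."""
    ip = ip_address(addr)
    return (ip.is_private, ip.is_global)


def nat_subnet_conflicts(vm_subnet: str, upstream_subnets: list[str]) -> list[str]:
    """Return the upstream subnets that overlap the VM-side NAT subnet.

    Overlap is what the quoted RFC text warns about: a NAT needs
    non-overlapping space on each side, so a VM subnet carved out of a range
    the upstream already uses is the thing to avoid."""
    inner = ip_network(vm_subnet)
    return [u for u in upstream_subnets if inner.overlaps(ip_network(u))]


if __name__ == "__main__":
    for a in ("10.1.2.3", "192.168.56.10", "100.64.0.1", "8.8.8.8"):
        print(a, classify(a), stdlib_view(a))
    # Constructed scenario matching the thread: the upstream uses 10.*.*.*, so a
    # VM subnet inside 10/8 collides while 192.168.56.0/24 does not.
    print(nat_subnet_conflicts("10.10.0.0/24", ["10.0.0.0/8"]))
    print(nat_subnet_conflicts("192.168.56.0/24", ["10.0.0.0/8"]))
```

The overlap check is the practical takeaway: when picking a VM-side range for a host NAT, run it against every prefix the upstream network hands out (not just the one your own port sits in), and prefer an RFC 1918 block that comes back clean over the shared address space.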