IRIS Network Policy
The following policy governs network connected devices in the UC Berkeley Electrical Engineering and Computer Science (EECS) department and the Center for Information Technology Research in the Interest of Society (CITRIS) on networks maintained by Instructional and Research Information Systems (IRIS).
Vision: The IRIS network is a robust, state-of-the-art communication environment supporting UC Berkeley's goal of excellence in education and research. It is flexible and easy to use for a large variety of devices and supports production services reliably and securely.
This document uses prescriptive keywords such as “MUST,” “MAY,” and “SHOULD” as defined in IETF RFC 2119.
Core Network Policy
In addition to this specific policy, use of the IRIS network must comply with all existing laws (federal and state) and University regulations and policies including the UC Berkeley Campus Computer Use Policy and the Minimum Security Standards for Networked Devices.
Registered System Administrator (Core 1,2)
- Each device MUST have a registered system administrator who is responsible for ensuring the device complies with all policy requirements.
- System administrators MUST have active IRIS accounts.
Device Naming (Core 2)
- The name configured on a device MUST match the registered name.
Device Addressing (Core 2,3)
- Routable IP addresses used by a network device MUST be assigned to that device by IRIS hostmaster.
- Network devices MAY be assigned static IP addresses or static DNS names at the system administrator's request and upon IRIS approval.
- Network devices SHOULD be configured as DHCP clients.
Wired Network (Core 3)
- To support multiple physical devices on a single network port simultaneously, an unmanaged network switch MAY be used.
Prohibited Devices and Services (Core 3)
- Any device or network service listed in Prohibited Devices and Services in Appendix A MUST NOT be operated on IRIS production networks without explicit permission from IRIS.
Security Incidents and Policy Violations (Core 3)
- IRIS MUST notify the appropriate system administrator or account holder via email regarding security compromises or policy violations.
- If a response is not received within 4 business hours or before the day's close of business, IRIS MAY disable the device's network connection or deactivate the account.
- For serious security threats, problems, or policy violations, IRIS MAY disable network connections or deactivate accounts sooner.
- In the event of a root compromise, a device MUST be reinstalled in accordance with the OS Reinstallation Procedure.
- If computing needs prevent full compliance with this policy, IRIS MAY set up a Private Network upon request from the system administrator.
- IRIS also offers the Restricted Network, a controlled, firewalled environment for hosting critical services.
- This policy does not apply to the AirBears wireless network.
Unused Names, Addresses, and Network Ports
- IRIS network staff MAY deactivate any network port that has not been used for 3 months, after notifying the system administrators of devices registered on the port.
- If a device has been unconnected for 3 months, IRIS hostmaster MAY retire its static DNS names and IP addresses, after notifying the system administrator.
- If a device has been unconnected for 6 months, IRIS hostmaster MAY terminate network access for the device, after notifying the system administrator.
- This policy will be reviewed annually by IRIS.
- Comments regarding this policy may always be directed to
- Appendix A: Definitions
- Appendix B: Technical Limitations
- IRIS Network Best Practices and Explanations
- UC Berkeley Campuswide IT Policy and Privacy
- UC Berkeley Campus Computer Use Policy
- UC Berkeley Campuswide IT Security
- UC Berkeley Minimum Security Standards for Networked Devices
- Reinstalling Your Compromised Computer
IRIS Network Policy version 1.1, approved by CNIL 2009/09/09
Last updated: 2012/08/10 18:36:47