IETF Logo Mail Archive

Re: [Captive-portals] [EXTERNAL] Re: [homenet] [Int-area] Evaluate impact of MAC address randomization to IP applications

Martin Thomson <mt@lowentropy.net> Wed, 23 September 2020 00:52 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DAB13A0913; Tue, 22 Sep 2020 17:52:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=HJl0Q7Av; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=bxs3LrDg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NvbpUYOck28g; Tue, 22 Sep 2020 17:52:40 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E44A3A090E; Tue, 22 Sep 2020 17:52:40 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id 70D745C0190; Tue, 22 Sep 2020 20:52:39 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute2.internal (MEProxy); Tue, 22 Sep 2020 20:52:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=ZPRJh 6L2BjM+/iHFbUWGPiJIAJzq2tqDI3L7Y8SLpJM=; b=HJl0Q7AvbfyxOO7Dq8w61 86tr9yIhekG+A7YyvUGvfN0hmwNzhsvQs9sHwpkAsLogA0po+3VZrrEvay+ZZXkH 8BHPCZ56RH5ZaJLXXyze2EScZyg830/dSifzaarKSrpcvyquI9WCFihvsjJ6FDOi zSJLkHjeSXBDj4+zGPYltAfom1wZDxlzd5/PUZ4KdhPvX+XbybG/2SyMf8Q3YB/8 TjY8XJB3RHX0tPUFXHFfqgPLHUCSmNVP2mw22E14gtKP8IV9jYJVQLRy1T5cvooD hEfVsUaGceWyygyNN0GTlR8lRbp/f874sVtKIOhqBiUAgBYuaWTXZh8ookCmsEIL g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=ZPRJh6L2BjM+/iHFbUWGPiJIAJzq2tqDI3L7Y8SLp JM=; b=bxs3LrDgsWeMw/HwsQEYgZp05saQnHB8Qcjbhgkuu3uhCL727oPIb2L4+ 2vtz6XYTPwTP/MSQQGpCzwxH7j4TPszCzaB4TQdSE4KJf2BJmxbztSOF4Y7a9ceF zOgk02p6AwT9b8w6h04gcJsYzF+3MTqXzToyAEkj1BrJVag9DYy3uYAUz3ble84Y k946xDMs6fZTId4jTz74omp2MIBJRcC+e1sNcIjZSxqN515qEBTKGBHcfR8UM+C/ gC7xWCibnhfAMKwXa7AgwadnTbSPqI7OpqHo7zl7ND0LNetJZLSRlGLLiZj1f97Z Fy/K1Bc8zGCaaz0FrKBmflOawKg1g==
X-ME-Sender: <xms:V5xqXy7pwyQe7vjqSNtPm8n_yu4eUVXLff38ErQ0xGLRJ2PMuAlMrg> <xme:V5xqX764R83Pcwk5jYs71IDYArIFumaMblMf5-83Ms2jyCX7w-Rz6Bj9pDFBEWx9G aA_R5WI9tVt883ie1c>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudehgdeflecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepgfevvdejtdefkeefkeejudekgfethffgtddugedufeekgeevudet udevvdevuedunecuffhomhgrihhnpehurhhluggvfhgvnhhsvgdrtghomhdpihgvthhfrd horhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep mhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:V5xqXxe1DOIAJzM2BdXYfZntz0jrOtdif2erotkXbZq6ATC3HZLp8A> <xmx:V5xqX_IwM9IWVyg0HsA_PU9JZNR3Ke-4NwCjtbO0cTuxFu6IiFxFRA> <xmx:V5xqX2IHIbVx6qCkqXJ9Z7KM0CNV9o2z305TulHdh403P9-A6SFRxQ> <xmx:V5xqX4ioUGAMWIrI23kZ2NkfvbQjLDnaQbK3sVc8efYYQLF427f26w>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 017762006A; Tue, 22 Sep 2020 20:52:39 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-355-g3ece53b-fm-20200922.004-g3ece53b9
Mime-Version: 1.0
Message-Id: <29901277-6da1-46fc-b244-ca289005841d@www.fastmail.com>
In-Reply-To: <0A436777-D9CE-4A4C-BE45-C8C2CAB9FBF6@comcast.com>
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost> <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie> <D81695FF-973F-472D-BC0A-9B0F57278B21@comcast.com> <ca575a6b-987e-d998-2713-91e45190f5ea@cs.tcd.ie> <0A436777-D9CE-4A4C-BE45-C8C2CAB9FBF6@comcast.com>
Date: Wed, 23 Sep 2020 10:52:20 +1000
From: Martin Thomson <mt@lowentropy.net>
To: "Lee, Yiu" <Yiu_Lee@comcast.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, "homenet@ietf.org" <homenet@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/xKMbLI9C3MAKAJFZVGouJbH-uas>
Subject: Re: [Captive-portals] [EXTERNAL] Re: [homenet] [Int-area] Evaluate impact of MAC address randomization to IP applications
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 00:52:43 -0000

There's an additional consideration that might be worth pulling out here.  And it's not an impact on network operations, it's a potential for applications that interact with these network services to undo the work of lower parts of their stack.

For instance, if your device connects to the same network and the same captive portal it might open a web browser to connect to that portal.  If the web browser presents the cookies it received from the portal last time they talked, it undoes the work of the OS.

Now, some implementations use these nasty browser-like things with aggressive sandboxing that don't save cookies.  That comes with other costs, but it addresses the problem up until the point that the network connection is restored and then who knows what happens once the pseudo-browser is no longer involved.

Maybe that is out of scope for your draft, but it shouldn't be out of scope for a group that attempts to look more closely at providing advice for dealing with these features.

(Does this thread really need to be cross-posted so widely?  Can we decide on a single venue?)

On Wed, Sep 23, 2020, at 07:24, Lee, Yiu wrote:
> Noted and clear. Will keep this in mind in the next update.
> 
> Thanks,
> Yiu
> 
> On 9/22/20, 5:18 PM, "Stephen Farrell" <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
>     Hiya,
> 
>     On 22/09/2020 22:08, Lee, Yiu wrote:
>     > Hi Stephen,
>     >
>     > Thanks for the notes. Actually, we believe that there are good
>     > privacy reasons to randomize mac-address. This BoF isn't trying to
>     > "fix" randomized mac-address. On the contrary, we want the community
>     > to embrace it. In order to ease the anxiety for transitioning, we
>     > want to document what may break and propose best practice to
>     > transition to dynamic mac-address.
> 
>     Sure, I get that. However, we've seen a number of these
>     efforts start thusly but end up being perceived to be
>     partly trying to unwind the privacy benefits, so I think
>     a good way to avoid that mis-perception is to also present
>     the reasons for (in this case, MAC address randomisation)
>     as fully as the description of the challenges caused.
> 
>     Cheers,
>     S.
> 
> 
>     >
>     > Thanks, Yiu
>     >
>     >
>     > On 9/22/20, 4:51 PM, "Int-area on behalf of Stephen Farrell"
>     > <int-area-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie>
>     > wrote:
>     >
>     >
>     > That agenda and draft seem to make the seemingly common enough
>     > mistake of only focusing on what a new privacy or security 
> mechanism
>     > breaks and glossing over the good reasons why people introduce 
> these
>     > mechanisms. I hope the BoF proponents fix that because otherwise 
> they
>     > may end up giving the impression that they would prefer to not see
>     > the privacy benefits (which I'd guess is not their goal at all). 
> One
>     > reason those good reasons need to be included is that they 
> constrain
>     > the kinds of additions that might make sense to better handle the 
> new
>     > mechanism.
>     >
>     > We've seen a number of these kinds of reactions and I figure it'd
>     > really be better if the reaction were not to appear purely
>     > reactionary;-)
>     >
>     > If that were fixed, then there may be a better discussion of 
> what, if
>     > any, additional things need doing. If that is not fixed, I'd not 
> be
>     > surprised if the putative BoF were to devolve into a "it's bad" 
> vs.
>     > "no, it's good" bun fight that won't really take us further.
>     >
>     > Cheers, S.
>     >
>     > On 22/09/2020 21:40, Michael Richardson wrote:
>     >>
>     >> Damn. Spelt captive-portal without the s again.  Reposting, sorry
>     >> for duplicates. I hate when WG names and list names do not match,
>     >> and that we can't have aliases. And I think that reply-to gets
>     >> filtered.
>     >>
>     >> Archived-At:
>     >> 
> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/int-area/14Skgm84GslPZ9UcGoWY3uzmK6I__;!!CQl3mcHX2A!Q0pEjWrLTcmcryUR2EMbSc6uWBNU-xJadaznxWvwmDk2-ARoR0DYYq_eprXSEjo$
>     >> > To: int-area@ietf.org, captive-portal@ietf.org, 
> homenet@ietf.org
>     >> From: Michael Richardson <mcr+ietf@sandelman.ca> Date: Tue, 22 
> Sep
>     >> 2020 16:34:33 -0400
>     >>
>     >> This thread was started today on the INTAREA WG ML.
>     >>
>     >> While I don't object to a BOF, I don't know where it goes. What I
>     >> see is that much of this problem needs to be resolved through
>     >> increased use of 802.1X: making WPA-Enterprise easier to use and
>     >> setup, this changing core identity from MAC Address to IDevID.
>     >>
>     >> My understanding is that Apple intends to randomize MAC every 12
>     >> hours, even on the same "LAN" (ESSID), and that they will just
>     >> repeat the WPA authentication afterwards to get back on the
>     >> network.   If the per-device unique policy (including CAPPORT
>     >> authorization) can be tied to the device better, than the MAC
>     >> address based "physical" exception can be updated.
>     >>
>     >> But, WPA-PSK doesn't work, because it does not, in general,
>     >> distinguish between different devices.
>     >>
>     >> It can be made to work if every device is given a unique PSK, and
>     >> there are some successful experiments doing exactly that.  Mostly
>     >> it just works, but the challenge is communicating the unique PSK
>     >> through an unreliable human. BRSKI can certainly do this, and it
>     >> can leverage that unencrypted ESSID present at most hospitality
>     >> locations to get onto the encrypted WPA-Enterprise.  Or 
> BRSKI-TEEP,
>     >> or some other BRSKI-EAP method.  The unencrypted SSID is not 
> going
>     >> away at those locations.
>     >>
>     >> Thus QR-code based methods are best, yet those do not work for 
> many
>     >> IoT devices.   EMU's EAP-NOOB can help in certain cases, but we, 
> as
>     >> a community need be clear on what direction we want to go.  One
>     >> answer is that IoT devices have little reason to randomize their
>     >> MAC if they are not generally ported.
>     >>
>     >>
>     >> On 2020-09-22 3:49 p.m., Lee, Yiu wrote:
>     >>> Hi team,
>     >>>
>     >>> We proposed a BoF. The agenda is in
>     >>> 
> https://urldefense.com/v3/__https://github.com/jlivingood/IETF109BoF/blob/master/109-Agenda.md__;!!CQl3mcHX2A!Q0pEjWrLTcmcryUR2EMbSc6uWBNU-xJadaznxWvwmDk2-ARoR0DYYq_e7alyc8U$
>     >>> and the proposal is in
>     >>> 
> https://urldefense.com/v3/__https://github.com/jlivingood/IETF109BoF/blob/master/BoF-Proposal-20200918.md__;!!CQl3mcHX2A!Q0pEjWrLTcmcryUR2EMbSc6uWBNU-xJadaznxWvwmDk2-ARoR0DYYq_eNfKGqkE$
>     >>> . You can also find the draft here
>     >>> 
> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-lee-randomized-macaddr-ps-01__;!!CQl3mcHX2A!Q0pEjWrLTcmcryUR2EMbSc6uWBNU-xJadaznxWvwmDk2-ARoR0DYYq_erhCF3-A$
>     >>> .
>     >>>
>     >>> At this stage, we are looking for inputs for more use cases and
>     >>> interests of working together in this domain. Please post your
>     >>> comments in the mailing list.
>     >>>
>     >>> Thanks
>     >>>
>     >>
>     >>
>     >> -- Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT
>     >> consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
>     >>
>     >>
>     >> _______________________________________________ homenet mailing
>     >> list homenet@ietf.org
>     >> 
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/homenet__;!!CQl3mcHX2A!Q0pEjWrLTcmcryUR2EMbSc6uWBNU-xJadaznxWvwmDk2-ARoR0DYYq_epVo5mQQ$
>     >
>     >>
>     >
>     >
>     > _______________________________________________ homenet mailing 
> list
>     > homenet@ietf.org 
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/homenet__;!!CQl3mcHX2A!QmyqyKwbOOxTGfm0x58b5xfYvrm-ivhzQUDCjlF7XvYCa411l20nyTY4Gc-Mvoc$
>     >
> 
> _______________________________________________
> Captive-portals mailing list
> Captive-portals@ietf.org
> https://www.ietf.org/mailman/listinfo/captive-portals
>

v2.23.0 | Report a Bug | By Email