Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Oleg Pekar <> Mon, 28 June 2021 15:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C77933A0D1F for <>; Mon, 28 Jun 2021 08:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EPrp-R6eVSzq for <>; Mon, 28 Jun 2021 08:18:56 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 385773A0D1E for <>; Mon, 28 Jun 2021 08:18:56 -0700 (PDT)
Received: by with SMTP id k11so22675664ioa.5 for <>; Mon, 28 Jun 2021 08:18:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q23tG3ogEND9888qfU7iTYAf/phVMclXg7KI3kdsuyQ=; b=CvvBH+Tsjek3/8LG++7oWiWK7Nf+r1qenn0tKkGSHfOPfJq2JuFi+WM2su0pWf36eS vH2vQwdDcabTUR3xLUJL5J0za860/2SIv5eER3AyWoOhzdE6sJ8scWZr9WhVUAanUw/Y FygC6m9ahlgYaoTdFyVGLswBzYAehyO/vjRe1KqT26Q5G8RH/Qw8yq1ZVs/HXZagNUpB uNJacnNqCSPMJrMeGfexRgnXG1Ubj5oHPlM0vNc20pj1fbAITWiqwMf1fbWddu9hqQUc U2s9XZzZ6xBCN/4ZCHQwBCvXxpFDKhhvjdBvAs7rOHS3FTwdgWB5CS5afFWwNA0HjlWw VPdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q23tG3ogEND9888qfU7iTYAf/phVMclXg7KI3kdsuyQ=; b=mYZU7aKB67/neMxauMhVHspVjrylvurc2c0LBjepI6PRsjMSs1KYtOXzYPbpbtbtfx a5Z1GcBQ5KREJQo2Jmpr2X66QAqp4Uh7sr8NYRCFRzh9zKoYaEjndU/uOEtN/npK42V7 4+sJ6it2wdjwuGDVblH9isXACEPQDnPQp1/ZgCrbPu9z17YxqVjieF6/XCMIVzOOXn3w meRj92sKh/hGq/XjqXmLDoQVhvlz7sJRWlEwhENYXP7aYgMVYJtqlrCMwxYeYrcwVZ2A Q5hcL6zxZtReCwLl8oZSh72jlJHD0as1gWq/h9HA3hOIMvEPEYxGHPQtIet5j/mjBeOf 0uEw==
X-Gm-Message-State: AOAM533j/l1PLqBt0EpfC/4/0gR9Yb37XoD6wdIh5XbwtgB+GTpWyNtC 060IE3M/bxkxw3E9uDEzJYsUAg3EzdkMzJl/DESdl0qe
X-Google-Smtp-Source: ABdhPJyqyJUxDBsiwHgSLMLywFgVo/5WGuvwR8kwEOjJCqlD6x9Bs4JseKM1AvY/kdpSJIlNVT+7/c0SnCSC6vnATZk=
X-Received: by 2002:a6b:7905:: with SMTP id i5mr9273220iop.175.1624893534682; Mon, 28 Jun 2021 08:18:54 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Oleg Pekar <>
Date: Mon, 28 Jun 2021 18:18:43 +0300
Message-ID: <>
To: Alan DeKok <>
Cc: EMU WG <>
Content-Type: multipart/alternative; boundary="000000000000eec3c505c5d5019e"
Archived-At: <>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Jun 2021 15:19:01 -0000

Alan, agree on the MAC randomization problem. Is there any existing
standard or proposal for the network deployments where the Network Access
Control server needs to track the device with randomized MAC moving between
intranet SSIDs?

About usage of physical MAC address - maybe some client systems will not
have access to the physical MAC rather than just to a randomized MAC.


On Mon, Jun 28, 2021 at 4:21 PM Alan DeKok <>

>   One thing missing in the current document is how to address the modern
> issue of MAC address randomization.
>   i.e. admins would like to ensure that only certain devices access the
> network.  But with MAC address randomization, it's difficult to have a
> static device identifier.  Even client certificates can be installed on
> multiple machines, if they're just sent to the user.
>   Would it be worth adding a note that systems SHOULD implement RFC 6677
> channel bindings to address this issue?  And that the Calling-Station-Id
> inside of the channel bindings MUST be the actual physical MAC, and not the
> public / randomized MAC?
>   I've seen this problem more and more in customer deployments.  It's
> becoming a serious security issue.
>   Alan DeKok.
> _______________________________________________
> Emu mailing list