IETF Logo Mail Archive

Re: [homenet] [Int-area] Evaluate impact of MAC address randomization to IP applications

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 23 September 2020 01:18 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E97C3A09DF; Tue, 22 Sep 2020 18:18:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LcRSkm6M5kk1; Tue, 22 Sep 2020 18:18:01 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDF713A09D6; Tue, 22 Sep 2020 18:18:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 9D4A23899F; Tue, 22 Sep 2020 20:56:36 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id bPyHTUdXgyoD; Tue, 22 Sep 2020 20:56:31 -0400 (EDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:103c:9eff:fecb:2eac]) by tuna.sandelman.ca (Postfix) with ESMTP id 95FD93899E; Tue, 22 Sep 2020 20:56:31 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id EEFC24F5; Tue, 22 Sep 2020 21:17:53 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brian Dickson <brian.peter.dickson@gmail.com>, captive-portals@ietf.org, HOMENET <homenet@ietf.org>, Internet Area <int-area@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
In-Reply-To: <CAH1iCipaRD=DQe7G_+EuXg=svVu6hzCicyKgzYrQszW243FaPQ@mail.gmail.com>
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost> <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie> <09A7F884-F102-4081-BB1D-F7760B2DCE9B@gmail.com> <20953.1600817118@localhost> <CAH1iCipaRD=DQe7G_+EuXg=svVu6hzCicyKgzYrQszW243FaPQ@mail.gmail.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 22 Sep 2020 21:17:53 -0400
Message-ID: <13180.1600823873@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/iNZRlyoi3aopwcpkVTGnOjVmhMI>
Subject: Re: [homenet] [Int-area] Evaluate impact of MAC address randomization to IP applications
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 01:18:04 -0000

Brian Dickson <brian.peter.dickson@gmail.com> wrote:
    >> I don't get the NAPT issue though.
    >> The NAPT issues are because DHCP gave the device a different IP(v4), right?
    >> If you solve persistent DHCP, then you solve those, don't you?
    >>

    > I think there are some environments where that isn't technically accurate,
    > or might not be 100% accurate.
    > E.g. The difference between DHCP6 and that other wacky thing that is doing
    > random self-assigned IPv6 addresses.

Sure.  If there is a port mapping (or PCP created incoming ACL for IPv6),
which is bound to a particular IPv6 (however assigned), and that the IPv6
changes, then the mapping will break right?
This is independant of MAC address randomization right?
If we changed the MAC address, and then kept the IP address involved, then ND
would fix things up, and things would continue just fine.

    > (E.g. maintaining the IP address when the MAC changes, defeats at least one
    > possible purpose of changing the MAC.)

I strongly disagree here.
We use privacy IPv6 addresses in order to keep legitimate distant end points
(and their associated snoops) from tracking one for place to place.

We use different MAC addresses for different networks to keep from being
tracked by a federation of local snoops from place to place.

We change our MAC address at the same network to hide our time of use and
presence from local snoops.  But, also to deal with malicious attackers who
put up a common ESSID ("Starbucks").   We can, and do encrypt our IPv6
address on those networks.  But, we can't encrypt our MAC address, because as
you say, it used for media access control.

    > I sense a potential rat-hole, but also the possibility of finding common
    > ground to fix a bunch of things that are problematic to some degree or
    > another.

I hope so too.

    > I'm hopeful that something like 802.1x can be made use of effectively, but
    > again a lot depends on the use cases and will likely require pretty deep
    > dives on each of the relevant technologies and implementations.

    > IMNSHO, MACs should be relegated to the role reflected in their name: Media
    > Access Control, basically a disambiguator, not an identity.

    > Maybe MACs should be used the way the initial values selected by the two
    > parties doing DH key exchange are used, just as a stepping stone in
    > establishing a cryptographically-strong "thing" that only they know.
    > I.e. use the initial MAC (regardless of what it is) as an initial layer-2
    > communications things, during the set-up of {whatever the BOF/WG output
    > is}, after which the MAC gets changed to {something else}.

An interesting idea.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email