IETF Logo Mail Archive

Re: [Int-area] [homenet] Evaluate impact of MAC address randomization to IP applications

Bob Hinden <bob.hinden@gmail.com> Tue, 22 September 2020 23:15 UTC

Return-Path: <bob.hinden@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D483A0406; Tue, 22 Sep 2020 16:15:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBn7mHzNJNuh; Tue, 22 Sep 2020 16:15:06 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04DED3A0407; Tue, 22 Sep 2020 16:15:06 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id g4so18867557wrs.5; Tue, 22 Sep 2020 16:15:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=m84BOahoC+V798yVeHQrV5C8E7b145+pFc4c8WAstvw=; b=imtnPM8kxHB3NIp58UGlibd/vnLFO5H8YagWhIlLDkEQur1inDYtv1FP3+OtEOgXn9 vzRsACae1n7OBL/xmghJkHR/Y8CQHXADSb0CdRw/Z5a2jdJ5SZQRkxSzmbqaUk9r9J1X WlLLWKWGyiCUmr/XwO7XJWsXNWC/0938PHvP7X6ZXtYkqBseDmJULngqg5WqMvr4GC+y Yi16WEU3Ixl1rtImwvaIRGdeE1zzYpT3hkPDTCblcUC4A94QqehB1/f6gz3Tt0BqONYD vWuxSPL3g9zsXMrvk/gnQVDb+QB6p/cOtM8ZX1/XtYYGCfBU0cpNyKkREXL9hOQK72mr BaUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=m84BOahoC+V798yVeHQrV5C8E7b145+pFc4c8WAstvw=; b=C9LnDJX7PB7pce0VTU7agXfbF69AAcPUgjcVcOsQX9er1cIr0YpEqR8qahs/Z37o8j SOcdZRJ3WJZryCz3/5VeUhy5b6g0E44p0H+9H6Exd2vpB4g6sSkdIZPBX3I+XgTTrPxx MfXMKpheX4PvOwr8WGJk1AK+4F91mczLg5VeryDov7Z/tQCMCyWkt0K6qmUpfLcuR/9j a8dGJACs3xbqKOsFxXOIgaqirchXKllJvGUiceM2baa82m1d9dlugoTJZQAN6ftzCQbq 8ClhI4Pnk+LEzOk3K6Gr7UmJVSXJOOdHRW05POnvZmuX6Gw9KHGE8tu8Qc5AHtXGpLpn gVoQ==
X-Gm-Message-State: AOAM530zgCnGRVdeUz05smncf4oEz5spB9fI6HQHy4N+NzM6FatYFMJx R0laMpeBuD8EgSS/5VqfiUlWek+hkAt/7A==
X-Google-Smtp-Source: ABdhPJxi8pyx0mr+OW5A+jacx7+yKGEiNhwM2y1PxAJ2/dwt6tSZn6r342IFWU99MNO+NdcAUZTjOQ==
X-Received: by 2002:a5d:4088:: with SMTP id o8mr7752261wrp.112.1600816503846; Tue, 22 Sep 2020 16:15:03 -0700 (PDT)
Received: from ?IPv6:2601:647:5a00:ef0b:9c8:b694:bc3e:659c? ([2601:647:5a00:ef0b:9c8:b694:bc3e:659c]) by smtp.gmail.com with ESMTPSA id f14sm6577546wme.22.2020.09.22.16.15.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 22 Sep 2020 16:15:03 -0700 (PDT)
From: Bob Hinden <bob.hinden@gmail.com>
Message-Id: <09A7F884-F102-4081-BB1D-F7760B2DCE9B@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_C52525DE-422E-4B47-8B8E-FB268F286B40"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.15\))
Date: Tue, 22 Sep 2020 16:14:57 -0700
In-Reply-To: <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie>
To: captive-portals@ietf.org, homenet@ietf.org, Internet Area <int-area@ietf.org>
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost> <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie>
X-Mailer: Apple Mail (2.3445.104.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/BvGvezqq_CFRsfNnthiPXSR6n44>
Subject: Re: [Int-area] [homenet] Evaluate impact of MAC address randomization to IP applications
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 23:15:08 -0000

I have read the emails and the draft <draft-lee-randomized-macaddr-ps-01>.   I am not clear what the goal of the BOF is.

Could the proponents state it clearly?

From the agenda, Use Cases:

	• LAN gateway NAPT forwarding - (PRESENTER TBD)
	• Static NAPT policies - (PRESENTER TBD)
	• Persistent DHCP IP address assignments - (PRESENTER TBD)
	• Device-to-user or group association for malware protection - (PRESENTER TBD)
	• Device-to-user or group association for parental controls - (PRESENTER TBD)
	• Device-to-user or group association to restrict or authorize unwanted or unverified device connections to the LAN - (PRESENTER TBD)

It seems like this is a list of topics where randomized MAC addresses might break things, so I wonder what the intent is here.   No mention of the privacy benefits, or what the tradeoff are.

I note that while MAC addresses are commonly used for things like this, it’s never been very secure as it is easy on most devices to change the MAC address.   Like when some cable modems locked on to a specific MAC address, and the way to get around this was to change to a different MAC address in the device.

I also wonder how much of this is an IETF issue, vs. IEEE.

Bob




> On Sep 22, 2020, at 1:51 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> That agenda and draft seem to make the seemingly common
> enough mistake of only focusing on what a new privacy or
> security mechanism breaks and glossing over the good
> reasons why people introduce these mechanisms. I hope the
> BoF proponents fix that because otherwise they may end up
> giving the impression that they would prefer to not see
> the privacy benefits (which I'd guess is not their goal
> at all). One reason those good reasons need to be included
> is that they constrain the kinds of additions that might
> make sense to better handle the new mechanism.
> 
> We've seen a number of these kinds of reactions and I
> figure it'd really be better if the reaction were not to
> appear purely reactionary;-)
> 
> If that were fixed, then there may be a better discussion
> of what, if any, additional things need doing. If that is
> not fixed, I'd not be surprised if the putative BoF were
> to devolve into a "it's bad" vs. "no, it's good" bun fight
> that won't really take us further.
> 
> Cheers,
> S.
> 
> On 22/09/2020 21:40, Michael Richardson wrote:
>> 
>> Damn. Spelt captive-portal without the s again.  Reposting, sorry for duplicates.
>> I hate when WG names and list names do not match, and that we can't have aliases.
>> And I think that reply-to gets filtered.
>> 
>> Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/14Skgm84GslPZ9UcGoWY3uzmK6I>
>> To: int-area@ietf.org, captive-portal@ietf.org, homenet@ietf.org
>> From: Michael Richardson <mcr+ietf@sandelman.ca>
>> Date: Tue, 22 Sep 2020 16:34:33 -0400
>> 
>> This thread was started today on the INTAREA WG ML.
>> 
>> While I don't object to a BOF, I don't know where it goes.
>> What I see is that much of this problem needs to be resolved through
>> increased use of 802.1X: making WPA-Enterprise easier to use and setup, this
>> changing core identity from MAC Address to IDevID.
>> 
>> My understanding is that Apple intends to randomize MAC every 12 hours, even
>> on the same "LAN" (ESSID), and that they will just repeat the WPA
>> authentication afterwards to get back on the network.   If the per-device
>> unique policy (including CAPPORT authorization) can be tied to the device
>> better, than the MAC address based "physical" exception can be updated.
>> 
>> But, WPA-PSK doesn't work, because it does not, in general, distinguish
>> between different devices.
>> 
>> It can be made to work if every device is given a unique PSK, and there are
>> some successful experiments doing exactly that.  Mostly it just works, but
>> the challenge is communicating the unique PSK through an unreliable human.
>> BRSKI can certainly do this, and it can leverage that unencrypted ESSID
>> present at most hospitality locations to get onto the encrypted
>> WPA-Enterprise.  Or BRSKI-TEEP, or some other BRSKI-EAP method.  The
>> unencrypted SSID is not going away at those locations.
>> 
>> Thus QR-code based methods are best, yet those do not work for many IoT
>> devices.   EMU's EAP-NOOB can help in certain cases, but we, as a community
>> need be clear on what direction we want to go.  One answer is that IoT
>> devices have little reason to randomize their MAC if they are not generally
>> ported.
>> 
>> 
>> On 2020-09-22 3:49 p.m., Lee, Yiu wrote:
>>> Hi team,
>>> 
>>> We proposed a BoF. The agenda is in
>>> https://github.com/jlivingood/IETF109BoF/blob/master/109-Agenda.md and the
>>> proposal is in
>>> https://github.com/jlivingood/IETF109BoF/blob/master/BoF-Proposal-20200918.md. You
>>> can also find the draft here
>>> https://tools.ietf.org/html/draft-lee-randomized-macaddr-ps-01.
>>> 
>>> At this stage, we are looking for inputs for more use cases and interests
>>> of working together in this domain. Please post your comments in the
>>> mailing list.
>>> 
>>> Thanks
>>> 
>> 
>> 
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>           Sandelman Software Works Inc, Ottawa and Worldwide
>> 
>> 
>> _______________________________________________
>> homenet mailing list
>> homenet@ietf.org
>> https://www.ietf.org/mailman/listinfo/homenet
>> 
> <0x5AB2FAF17B172BEA.asc>_______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email