IETF Logo Mail Archive

Re: [Int-area] [Captive-portals] Evaluate impact of MAC address randomization to IP applications

Peter Yee <peter@akayla.com> Tue, 22 September 2020 21:09 UTC

Return-Path: <peter@akayla.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB2A3A19BD for <int-area@ietfa.amsl.com>; Tue, 22 Sep 2020 14:09:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o2f9gqyIYc0E for <int-area@ietfa.amsl.com>; Tue, 22 Sep 2020 14:09:00 -0700 (PDT)
Received: from p3plsmtpa07-05.prod.phx3.secureserver.net (p3plsmtpa07-05.prod.phx3.secureserver.net [173.201.192.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42A683A19BC for <int-area@ietf.org>; Tue, 22 Sep 2020 14:09:00 -0700 (PDT)
Received: from spectre ([173.8.184.78]) by :SMTPAUTH: with ESMTPSA id KpUqkH97lls90KpUrkCdfV; Tue, 22 Sep 2020 14:06:45 -0700
X-CMAE-Analysis: v=2.3 cv=QfEYQfTv c=1 sm=1 tr=0 a=PF7/PIuz6ZQ4FM3W1XNKAQ==:117 a=PF7/PIuz6ZQ4FM3W1XNKAQ==:17 a=IkcTkHD0fZMA:10 a=c9njP7fIAAAA:8 a=48vgC7mUAAAA:8 a=l70xHGcnAAAA:8 a=kDCMlKhJAAAA:20 a=RZQR-LyKMerh6KzPIDkA:9 a=jrJglDZWlyc3YXEN:21 a=QCgIVi4ARomWgeNi:21 a=QEXdDO2ut3YA:10 a=MCshM1S1O2piC4VqdL4N:22 a=w1C3t2QeGrPiZgrLijVG:22 a=JtN_ecm89k2WOvw5-HMO:22
X-SECURESERVER-ACCT: peter@akayla.com
From: Peter Yee <peter@akayla.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, captive-portals@ietf.org, homenet@ietf.org, int-area@ietf.org
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost>
In-Reply-To: <15660.1600807202@localhost>
Date: Tue, 22 Sep 2020 14:06:48 -0700
Message-ID: <08df01d69124$49ab1f90$dd015eb0$@akayla.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMHIWUk3ciIMSy+Ss7YNBHgXXt5/gGSEnqMpwdyCSA=
Content-Language: en-us
X-CMAE-Envelope: MS4wfHb+TU7z2cKf/TeiCy5KPjF0xwr7sZnQl4uvWampuaF7PXSo03wYrrJst8o8THhsdHUh2mVnYEbponx+fB+/W9By3PapCifU2IkFMq9xj3WXTCnwk2Pv HY9kQySMtqKerqx2+L/FezCUFnAsA+PaJCgNT3rkwXPLGcjA79u70jCFMAZx3twenZrNG64Fit55XXWLENRFWfeth+5ZzQJKs71HrRyLyL5VjN46fafusfS+ 06SHNT3CJifswvecvZS5hA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/DobW7cQjkQJ1K51Bc3XLTIN5XjQ>
Subject: Re: [Int-area] [Captive-portals] Evaluate impact of MAC address randomization to IP applications
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Sep 2020 21:09:02 -0000

Michael,

	I believe that the address randomization (Private Address) can be turned off in iOS 14, but it seems to be a manual operation per ESSID only.

	That said, IEEE 802.11 has a Random and Changing MAC Addresses Study Group that has just requested the creation of two new projects under IEEE 802.11 (subject to the usual approval by the management layers above it). One will deal with operational issues that arise from random addresses and how they can be alleviated, if possible. The other will look more closely at privacy in IEEE 802.11, since MAC address randomization was a first stab at privacy, but it leaves many other privacy-defeating vectors unaddressed.

	The Wi-Fi Alliance has the Device Provisioning Protocol (Wi-Fi Certified Easy Connect (https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect)), which may be of use in environments where traditional on-boarding methods are not available, such as for headless or IoT devices.

		-Peter

-----Original Message-----
From: Captive-portals [mailto:captive-portals-bounces@ietf.org] On Behalf Of Michael Richardson
Sent: Tuesday, September 22, 2020 1:40 PM
To: captive-portals@ietf.org; homenet@ietf.org; int-area@ietf.org
Subject: Re: [Captive-portals] [Int-area] Evaluate impact of MAC address randomization to IP applications


Damn. Spelt captive-portal without the s again.  Reposting, sorry for duplicates.
I hate when WG names and list names do not match, and that we can't have aliases.
And I think that reply-to gets filtered.

Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/14Skgm84GslPZ9UcGoWY3uzmK6I>
To: int-area@ietf.org, captive-portal@ietf.org, homenet@ietf.org
From: Michael Richardson <mcr+ietf@sandelman.ca>
Date: Tue, 22 Sep 2020 16:34:33 -0400

This thread was started today on the INTAREA WG ML.

While I don't object to a BOF, I don't know where it goes.
What I see is that much of this problem needs to be resolved through increased use of 802.1X: making WPA-Enterprise easier to use and setup, this changing core identity from MAC Address to IDevID.

My understanding is that Apple intends to randomize MAC every 12 hours, even on the same "LAN" (ESSID), and that they will just repeat the WPA
authentication afterwards to get back on the network.   If the per-device
unique policy (including CAPPORT authorization) can be tied to the device better, than the MAC address based "physical" exception can be updated.

But, WPA-PSK doesn't work, because it does not, in general, distinguish between different devices.

It can be made to work if every device is given a unique PSK, and there are some successful experiments doing exactly that.  Mostly it just works, but the challenge is communicating the unique PSK through an unreliable human.
BRSKI can certainly do this, and it can leverage that unencrypted ESSID present at most hospitality locations to get onto the encrypted WPA-Enterprise.  Or BRSKI-TEEP, or some other BRSKI-EAP method.  The unencrypted SSID is not going away at those locations.

Thus QR-code based methods are best, yet those do not work for many IoT
devices.   EMU's EAP-NOOB can help in certain cases, but we, as a community
need be clear on what direction we want to go.  One answer is that IoT devices have little reason to randomize their MAC if they are not generally ported.


On 2020-09-22 3:49 p.m., Lee, Yiu wrote:
> Hi team,
>
> We proposed a BoF. The agenda is in
> https://github.com/jlivingood/IETF109BoF/blob/master/109-Agenda.md and 
> the proposal is in 
> https://github.com/jlivingood/IETF109BoF/blob/master/BoF-Proposal-2020
> 0918.md. You can also find the draft here 
> https://tools.ietf.org/html/draft-lee-randomized-macaddr-ps-01.
>
> At this stage, we are looking for inputs for more use cases and 
> interests of working together in this domain. Please post your 
> comments in the mailing list.
>
> Thanks
>


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email