Re: [Int-area] [Captive-portals] [homenet] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 29 September 2020 18:41 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Brian Dickson <brian.peter.dickson@gmail.com>
cc: "int-area@ietf.org" <int-area@ietf.org>, "captive-portals@ietf.org" <captive-portals@ietf.org>, "homenet@ietf.org" <homenet@ietf.org>
In-Reply-To: <CAH1iCip7UBe+FR-Cz+sP6SdS11NUQC9gV_s=99yO0tjcvCcX6A@mail.gmail.com>
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost> <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie> <D81695FF-973F-472D-BC0A-9B0F57278B21@comcast.com> <ca575a6b-987e-d998-2713-91e45190f5ea@cs.tcd.ie> <0A436777-D9CE-4A4C-BE45-C8C2CAB9FBF6@comcast.com> <29901277-6da1-46fc-b244-ca289005841d@www.fastmail.com> <af0451b1-8eae-4714-849f-d6e384dda075@huitema.net> <19117.1601400596@localhost> <CAH1iCip7UBe+FR-Cz+sP6SdS11NUQC9gV_s=99yO0tjcvCcX6A@mail.gmail.com>
Date: Tue, 29 Sep 2020 14:41:24 -0400
Message-ID: <4215.1601404884@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/h0j56j6ZkWFDGltWRI-UzM5Mcqs>

Brian Dickson <brian.peter.dickson@gmail.com> wrote:
    > Any host/interface that uses ARP (not sure whether any flavor of WiFi
    > does, or if so which flavors), exposes the L3/L2 mapping.

Yes, WIFI does use ARP. On all flavours.

Encrypted WIFI, which is mostly the default now, encrypts everything above
the L2, so the L3 part of the mapping is not seen by passive EM observers.

ARP broadcasts as you mention, so other stations on the network could see the
mapping, and the AP by default helpfully re-encrypts broadcasts to every
station.  But, that's not a passive observer: the observer is on the network.
Many APs filter ARP broadcasts as being useless chatter.

    > So, wired
    > IPv4 for certain (except in very locked-down enterprise settings with
    > static MAC addresses, perhaps) leaks this information to every host on
    > the same broadcast domain (same subnet and possibly additional subnets
    > on the same LAN/VLAN).

Yes, but that's not wifi.  Phones do not have wired connections.

    > ARP L2 broadcasts solicit information about IP addresses, and at a
    > minimum each such query exposes its own MAC and IP address. Responses
    > may be unicast or broadcast, not sure which.  An active compromised
    > host can easily solicit that information by iterating over all the IP
    > addresses on the subnet and performing an ARP for each one.

It will be good if we can get a document from the MAC randomization
proponents (if there is such a group), to explain the threat profile.
I don't think it includes active compromised hosts.

Such hosts can also ARP/ND spoof, and can even do that for the router (".1"),
capturing all the traffic on the network.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
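As an added illustration of the points argued in this thread (not code from the post or from either participant): the script below builds raw ARP frames, parses them the way any station on the same broadcast domain could, accumulates the IP-to-MAC table that results, and flags a second MAC claiming the gateway address, which is the ".1" spoof mentioned at the end of the message. It also generates the request sweep an active host would send to enumerate a subnet. All MAC addresses, IP addresses and the gateway value are constructed for the example; the randomized phone MAC is given a locally-administered first octet, as randomized addresses are.

```python
"""Added example, not part of the mailing-list post.

What an on-network station learns from ARP, and a minimal check for a
second MAC claiming the gateway IP.  All frames, MACs and IPs below are
constructed for illustration.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def is_locally_administered(mac):
    """Randomized MACs set the locally-administered bit (0x02) in the first octet."""
    return (int(mac.split(":")[0], 16) & 0x02) != 0


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; sha/tha are 6-byte MACs, spa/tpa dotted IPs.
    Requests go to the broadcast MAC, replies are unicast to the requester."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(dst, sha, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, ip_bytes(spa), tha, ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def observe(frames, gateway_ip):
    """Accumulate the IP->MAC table a passive on-network station learns from
    ARP traffic.  Every request and reply exposes its sender's own pair.
    Returns (table, alerts); an alert is raised when a later frame claims
    gateway_ip with a MAC different from the one first seen for it."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa, _tha, _tpa = parsed
        if spa not in table:
            table[spa] = sha
        elif table[spa] != sha and spa == gateway_ip:
            alerts.append((spa, table[spa], sha))   # (ip, first MAC, conflicting MAC)
    return table, alerts


def sweep_requests(my_mac, my_ip, prefix):
    """The active-host enumeration: one ARP request per host in a /24 (constructed prefix)."""
    return [build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, f"{prefix}.{h}") for h in range(1, 255)]


# Constructed sample traffic: phone with a randomized MAC asks for the gateway,
# gateway answers, a laptop asks for the phone, then a rogue station claims ".1".
PHONE = bytes.fromhex("021122334455")      # locally-administered (randomized) MAC
GATEWAY = bytes.fromhex("00aabbccdd01")
LAPTOP = bytes.fromhex("00aabbccdd42")
ROGUE = bytes.fromhex("02deadbeef00")
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PHONE, "192.168.1.23", ZERO_MAC, "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY, "192.168.1.1", PHONE, "192.168.1.23"),
    build_arp(ARP_REQUEST, LAPTOP, "192.168.1.77", ZERO_MAC, "192.168.1.23"),
    build_arp(ARP_REPLY, ROGUE, "192.168.1.1", PHONE, "192.168.1.23"),
]


def demo():
    return observe(SAMPLE_FRAMES, "192.168.1.1")


if __name__ == "__main__":
    table, alerts = demo()
    for ip, mac in table.items():
        print(f"{ip:15} {mac}  randomized={is_locally_administered(mac)}")
    for ip, first, second in alerts:
        print(f"ALERT: {ip} first seen at {first}, now claimed by {second}")
```

The table shows the thread's central point: a randomized MAC is still bound to an IP address for anyone on the LAN once the station ARPs, and the alert shows the gateway-spoof case, which this check catches only if the legitimate binding was observed first.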