Re: [Int-area] [Captive-portals] [EXTERNAL] Re: [homenet] Evaluate impact of MAC address randomization to IP applications
Christian Huitema <huitema@huitema.net> Tue, 29 September 2020 16:23 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA5E13A0F25 for <int-area@ietfa.amsl.com>; Tue, 29 Sep 2020 09:23:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.112
X-Spam-Level:
X-Spam-Status: No, score=-2.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.213, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3-Yvm2HgYGn for <int-area@ietfa.amsl.com>; Tue, 29 Sep 2020 09:23:09 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20CA93A0F3D for <int-area@ietf.org>; Tue, 29 Sep 2020 09:22:44 -0700 (PDT)
Received: from xse475.mail2web.com ([66.113.197.221] helo=xse.mail2web.com) by mx165.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kNIOo-0013Wb-IV for int-area@ietf.org; Tue, 29 Sep 2020 18:22:43 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4C14Rj4WvZzC12 for <int-area@ietf.org>; Tue, 29 Sep 2020 09:22:41 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kNIOn-0008OU-GN for int-area@ietf.org; Tue, 29 Sep 2020 09:22:41 -0700
Received: (qmail 16658 invoked from network); 29 Sep 2020 16:22:41 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.238]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <int-area@ietf.org>; 29 Sep 2020 16:22:41 -0000
To: Martin Thomson <mt@lowentropy.net>, "Lee, Yiu" <Yiu_Lee@comcast.com>, "captive-portals@ietf.org" <captive-portals@ietf.org>, "homenet@ietf.org" <homenet@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>
References: <20200922201317.097C3389D4@tuna.sandelman.ca> <15660.1600807202@localhost> <902400f2-9172-9581-25ab-59ad08e67bee@cs.tcd.ie> <D81695FF-973F-472D-BC0A-9B0F57278B21@comcast.com> <ca575a6b-987e-d998-2713-91e45190f5ea@cs.tcd.ie> <0A436777-D9CE-4A4C-BE45-C8C2CAB9FBF6@comcast.com> <29901277-6da1-46fc-b244-ca289005841d@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <af0451b1-8eae-4714-849f-d6e384dda075@huitema.net>
Date: Tue, 29 Sep 2020 09:22:41 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <29901277-6da1-46fc-b244-ca289005841d@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.221
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0Z1apovzGPsYhEeBL1aoZmqpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDCbg6kmU9XzFYGliRsoWVo7hh 7ygbFjwra07pb0zfwJx6guQtU10Lyvrd60qd/7rkZfHZrMQ8Ke0Z8pjKFUegibQrHWZPpqYwb4n/ 5SxQwXAlwKhAEGVwhQsL2SvUkQCl9WdrrXNi8GYvGfEEu4zUocxKTagmQ3xMyVZ07UERWzx6BTXs FxcSzhpFHKuVDd8Suy8lNDS0QWWkADhl7glCR9PbrhSmW22tW1yBxgRT8bmxZJSIFVPkVVALPRKr lHlM3kWCH4Q79vaQ+COHDJAgLHQOD0r6/AaHZiEtdTMtMlgTBUa5LSawQcdT80HH17nNg8oiq9mz mwrbQbTulSg7juWBOXp8nHKe0R+FkIqN7hkFZqA6TBkpoO/ktnXt0JlLIRFsicyJMEhQFtD8PLoi nuxTyssp4L0plUGigax8zy4LpVxP5YFZg5fgueXLf6LKHDJ71JSXKkUqfqsTqwEEUOidX4Ts4xdG +C13IyWeZaIZ2583rDs3wC6DKHDf5Moa4nuZrRf7bMi0WRR6pZ+nWdGmZmQ8hLUiFhXsciu7O5FX 0SU68ek9wyYNR7nSKrZbQsAM8hGlAkv+YXlQiOyIRazNjLvclnGzlTC8ZgkR3laIWqvAxiBHuIuS y5fCAlEkBo/likyqVosKXMUfkYjGH1ACVO3tx78u0bG7If2TCVQ/D8QJTdBcu3QLQMzkLo6q7tWy gKdE9sL0Fbumvqvg2znzSXChKWk/itcbicJsIPcB1qmkSiRx3XSJpI0MeX7Qfqb5R4VemuUI6bcE ARsm0De6PaZO6/JToEyx4tmc5OljkPSpPXAVjl2oMr8a1xm0wfXUFMjTH2DyD8i5kO5bZlYFvf25 LVONYbYifH5OzZCwIgD/xDehea09OpnwSuobZrrGExMR7eTbBjMGDKI3ijhhJn7Muv/NHXl0o++8 3wM=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/pRh9HgFWFEJqyAnL_ELEJDEnc5g>
Subject: Re: [Int-area] [Captive-portals] [EXTERNAL] Re: [homenet] Evaluate impact of MAC address randomization to IP applications
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 16:23:15 -0000
On 9/22/2020 5:52 PM, Martin Thomson wrote: > There's an additional consideration that might be worth pulling out here. And it's not an impact on network operations, it's a potential for applications that interact with these network services to undo the work of lower parts of their stack. > > For instance, if your device connects to the same network and the same captive portal it might open a web browser to connect to that portal. If the web browser presents the cookies it received from the portal last time they talked, it undoes the work of the OS. > > Now, some implementations use these nasty browser-like things with aggressive sandboxing that don't save cookies. That comes with other costs, but it addresses the problem up until the point that the network connection is restored and then who knows what happens once the pseudo-browser is no longer involved. > > Maybe that is out of scope for your draft, but it shouldn't be out of scope for a group that attempts to look more closely at providing advice for dealing with these features. > > (Does this thread really need to be cross-posted so widely? Can we decide on a single venue?) Martin is making an important point here. There are a number of privacy enhancing technologies deployed at different layers: MAC address randomization at L2, Privacy addresses at L3, various forms of encryption and compartments at L4 and above. Each of these technologies is useful by itself, but they can easily be defeated by deployment mistakes. For example: 1) Using the same IP address with different MAC addresses negates a lot of the benefits of randomized MAC addresses, 2) Using a private IP address provides some privacy to client connections. However, if the same address is also used for a publicly accessible server, a lot of the privacy benefits disappear. 3) Using a private IP address without also using a randomized MAC address is not going to provide privacy against local observers. 4) Web cookies and other forms of web tracking are widely used to enable surveillance. Randomizing the MAC address and the IP address without also doing something about web tracking is not going to provide much gains. Defining that "something about web tracking" is challenging, given requirements for users to identify themselves to social media sites and other services. My personal choice would be some form of compartments, each with their own IP address and MAC address, but opinions will probably vary. That would be a great topic for a BOF. -- Christian Huitema
- [Int-area] Evaluate impact of MAC address randomi… Lee, Yiu
- Re: [Int-area] Evaluate impact of MAC address ran… Andy Smith
- Re: [Int-area] Evaluate impact of MAC address ran… Michael Richardson
- Re: [Int-area] Evaluate impact of MAC address ran… Michael Richardson
- Re: [Int-area] Evaluate impact of MAC address ran… Michael Richardson
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Stephen Farrell
- Re: [Int-area] [EXTERNAL] Re: Evaluate impact of … Lee, Yiu
- Re: [Int-area] [Captive-portals] Evaluate impact … Peter Yee
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Stephen Farrell
- Re: [Int-area] Evaluate impact of MAC address ran… Lee, Yiu
- Re: [Int-area] [homenet] Evaluate impact of MAC a… David R. Oran
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Lee, Yiu
- Re: [Int-area] [EXTERNAL] Re: [homenet] Evaluate … Lee, Yiu
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Bob Hinden
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Michael Richardson
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Brian Dickson
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Stephen Farrell
- Re: [Int-area] [Captive-portals] [EXTERNAL] Re: [… Martin Thomson
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Michael Richardson
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Michael Richardson
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Ralf Weber
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Pascal Thubert (pthubert)
- Re: [Int-area] Evaluate impact of MAC address ran… Stewart Bryant
- Re: [Int-area] [homenet] Evaluate impact of MAC a… Michael Richardson
- Re: [Int-area] [Captive-portals] [homenet] Evalua… Michael Richardson
- Re: [Int-area] Evaluate impact of MAC address ran… Eric Vyncke (evyncke)
- Re: [Int-area] Evaluate impact of MAC address ran… Joseph Touch
- Re: [Int-area] Evaluate impact of MAC address ran… Stewart Bryant
- Re: [Int-area] Evaluate impact of MAC address ran… Alan DeKok
- Re: [Int-area] Evaluate impact of MAC address ran… tom petch
- Re: [Int-area] [Captive-portals] Evaluate impact … Derek Fawcus
- Re: [Int-area] [Captive-portals] [homenet] Evalua… Malay Vadher
- Re: [Int-area] [Captive-portals] [EXTERNAL] Re: [… Christian Huitema
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Michael Richardson
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Brian Dickson
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Michael Richardson
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Stephen Farrell
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Christian Huitema
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Peter Yee
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Michael Richardson
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Juan Carlos Zuniga
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Stephen Farrell
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Weil, Jason
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Rolf Winter
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Michael Richardson
- Re: [Int-area] [homenet] [Captive-portals] [EXTER… Stephen Farrell
- Re: [Int-area] [Captive-portals] [homenet] [EXTER… Carsten Bormann
- Re: [Int-area] Evaluate impact of MAC address ran… Andrew G. Malis
- Re: [Int-area] [EXTERNAL] Re: Evaluate impact of … Lee, Yiu
- Re: [Int-area] [Captive-portals] [homenet] Re: Ev… Livingood, Jason