Re: [Iotops] [Madinas] advice on IoT MAC address randomization (or not)

Juan Carlos Zuniga <juancarlos.zuniga@sigfox.com> Thu, 15 July 2021 17:19 UTC

From: Juan Carlos Zuniga <juancarlos.zuniga@sigfox.com>
To: Tim Cappalli <Tim.Cappalli=40microsoft.com@dmarc.ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "aland@deployingradius.com" <aland@deployingradius.com>
CC: "madinas@ietf.org" <madinas@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Thread-Topic: [Madinas] advice on IoT MAC address randomization (or not)
Thread-Index: AQHXeOYUoVYm936dgEykub/CVF3q7KtC+BaAgAElRoCAAClogIAAAjmQ
Date: Thu, 15 Jul 2021 17:19:45 +0000
Message-ID: <DB7PR08MB3179CED888FAF954914267FD89129@DB7PR08MB3179.eurprd08.prod.outlook.com>
References: <2660.1626290680@localhost> <04DE814C-BB42-4039-9172-826EBE5AE473@deployingradius.com>, <16696.1626360125@localhost> <PH0PR00MB102997FB0CA238A23D222BC495129@PH0PR00MB1029.namprd00.prod.outlook.com>
In-Reply-To: <PH0PR00MB102997FB0CA238A23D222BC495129@PH0PR00MB1029.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/cqsLPvXbkd9A3ZYQUjR3f29LJAM>

We have added some information about OS current practices in the latest version of:

https://datatracker.ietf.org/doc/html/draft-zuniga-mac-address-randomization-01

Juan Carlos

From: Madinas <madinas-bounces@ietf.org> On Behalf Of Tim Cappalli
Sent: July 15, 2021 1:10 PM
To: mcr+ietf@sandelman.ca; aland@deployingradius.com
Cc: madinas@ietf.org; iotops@ietf.org
Subject: Re: [Madinas] advice on IoT MAC address randomization (or not)

Just a clarification: Apple does not rotate MAC addresses every 24 hours (as of iOS 14 and macOS 12). They assign a MAC address on initial connection to an ESSID, the same as Google implemented in Android 10.

Windows has the option for daily rotation, but it is an opt in feature.

________________________________
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: 2021-07-15 10:42
To: Alan DeKok <aland@deployingradius.com>
Cc: madinas@ietf.org; iotops@ietf.org
Subject: Re: [Madinas] advice on IoT MAC address randomization (or not)


Alan DeKok <aland@deployingradius.com> wrote:
    > On Jul 14, 2021, at 3:24 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    >> I think that a BCP document on IoT devices, including routers,
    >> switches and other infrastructure would be good.

    > I agree.

    >> The short of it, for me, is that
    >> a) wired interfaces for non-movable things (home gateways, fridges,
    >> furnaces) should not change their MAC address.  (Whether they use
    >> OUI derived addresses is a second question)
    >>
    >> b) Until WPA-Enterprise aka EAP-TLS,.. is ubiquitous among wifi IoT
    >> devices, that they should always use the same MAC address for the
    >> same ESSID.

    > It's probably fine to change it periodically.  Right now, IIRC it's 24
    > hours for most vendors.

No, just Apple rotates on 24hr basis at this point.  Others could start.
The reason they do this has to do with the visibility of the MAC address,
even when encrypted (see below).

Others have said that they support the same MAC on the same ESSID.
See the madinas slides from the BOF.

    >> Combining (a) and (b), I'm fine if wired devices that do 802.1x want to do
    >> RCM.  That would apply to many security paranoid enterprise
    >> desktops/laptops.  But, I don't think that the IDS systems will be ready for
    >> a long time, as they mostly haven't caught up to IPv6 Temporary addresses yet.

    > If devices do 802.1X, then the authenticator can already identify the
    > device.  The question then is which part of the network should be seen
    > as untrusted?

If they are doing 802.1X, then the authenticator, when it authenticates the
device, already knows how to tell the network about the policy for the MAC
address (whether permanent or du jour).
That's the point we need to get to for all devices that wish to do RCM.
Networks that aren't using 802.1X do not necessarily have that mechanism.
This means 95% of home networks.

    > If the device is roaming, then it makes sense to hide its identity
    > from the visited network.  It's also useful to hide the device identity
    > on public WiFi frames.  But once 802.1X is done, the link to the AP is
    > secure.  And the device usually might as well use its own, physical
    > MAC address.

No, that's not true.

The MAC address part of the frame is not encrypted by wifi, only the payload.
In many encryption modes, the MAC address is used as part of the input to the
CTR, Nonce or IV (depending upon mode), such that two devices with the same
(WEP) key don't produce packets that are identical when encrypted.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
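Two points from the thread, worked as an added example that is not code from the thread or from any vendor's implementation: a per-ESSID stable, locally administered MAC (the "same MAC for the same ESSID" policy), and the CCMP nonce, which shows why the transmitter address has to travel in the clear even on an encrypted link. The HMAC-SHA256 derivation is an assumption chosen for illustration, not how any OS actually derives its addresses.

```python
import hmac
import hashlib


def derive_per_essid_mac(device_secret: bytes, essid: str) -> str:
    """Derive a stable, locally administered unicast MAC for one ESSID.

    Same secret + same ESSID gives the same address every time, so the
    device is stable on one network but unlinkable across networks.
    Assumption: HMAC-SHA256 truncated to 48 bits; vendors may differ.
    """
    digest = hmac.new(device_secret, essid.encode("utf-8"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])
    # Set the U/L bit (locally administered) and clear the I/G bit (unicast).
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def _first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. not an OUI-derived burned-in address."""
    return bool(_first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit is set; a station address must never be multicast."""
    return bool(_first_octet(mac) & 0x01)


def ccmp_nonce(priority: int, transmitter_mac: str, packet_number: int) -> bytes:
    """Build the 13-byte CCMP nonce: flags(priority) || A2 || PN (big-endian).

    A2 is the transmitter address from the unencrypted 802.11 header, so the
    receiver can only reconstruct the nonce if that address is visible.
    """
    a2 = bytes(int(x, 16) for x in transmitter_mac.split(":"))
    return bytes([priority & 0x0F]) + a2 + packet_number.to_bytes(6, "big")


if __name__ == "__main__":
    # Constructed sample values, not real device data.
    secret = b"per-device-secret-constructed-for-demo"
    mac_home = derive_per_essid_mac(secret, "HomeNet")
    mac_cafe = derive_per_essid_mac(secret, "CafeWiFi")
    print(mac_home, mac_cafe, is_locally_administered(mac_home))
    print(ccmp_nonce(0, mac_home, 1).hex())
```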