IETF Logo Mail Archive

Re: [perpass] Fwd: New Version Notification for draft-barnes-pervasive-problem-00.txt

Stefan Winter <stefan.winter@restena.lu> Thu, 09 January 2014 06:53 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119F61AC862 for <perpass@ietfa.amsl.com>; Wed, 8 Jan 2014 22:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.837
X-Spam-Level:
X-Spam-Status: No, score=-1.837 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_12=0.6, RP_MATCHES_RCVD=-0.538, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k7vyFlWp4a6h for <perpass@ietfa.amsl.com>; Wed, 8 Jan 2014 22:53:44 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 456061A1F61 for <perpass@ietf.org>; Wed, 8 Jan 2014 22:53:44 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 7112210583; Thu, 9 Jan 2014 07:53:34 +0100 (CET)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 5EF131057E; Thu, 9 Jan 2014 07:53:34 +0100 (CET)
Message-ID: <52CE4767.6000303@restena.lu>
Date: Thu, 09 Jan 2014 07:53:27 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Paul Lambert <paul@marvell.com>, Eliot Lear <lear@cisco.com>, "perpass@ietf.org" <perpass@ietf.org>
References: <20140107021702.7140.81609.idtracker@ietfa.amsl.com> <CAL02cgRsBQNYd2n05548ZbK-ciPkSNJ=U2V0iv+080p9-1gQbA@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B7D6E1E4@SC-VEXCH2.marvell.com> <CAL02cgT5u1w-MJfxWHZOdiDQRU_Ov_wGYf7=0O-BH_td-Nis8Q@mail.gmail.com> <CEF1B205.2BC2A%paul@marvell.com> <52CCF598.3000605@restena.lu> <52CCF769.9080303@cisco.com> <CEF2D09C.2BD88%paul@marvell.com>
In-Reply-To: <CEF2D09C.2BD88%paul@marvell.com>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="MO0J9b9o5HwcMux45jhnk4IElW6trwlvK"
X-Virus-Scanned: ClamAV
Subject: Re: [perpass] Fwd: New Version Notification for draft-barnes-pervasive-problem-00.txt
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 06:53:47 -0000

Hi,

> So Š this year as we introduce Œephemeral MAC addresses¹ into 802.11.
> The IETF should be prepared to fix upper layers as they break :-)
> 
> The simplest change is for hourly or daily changes of a link local MAC
> address.

What a wonderful idea. IEEE 802.1X authenticates sessions by MAC
address. If you change it while you are in an authenticated session,
you'll be kicked off the net instantly.

> This breaks the long term tracking and any usage of MAC address for
> authentication.
> 
> Longer term, the ephemeral address could be bound to an authentication
> process.

That is what IEEE 802.1X does today. It binds the current session,
identified by MAC address, to a user identity, identified by an EAP
credential.
Its only requirement is that the MAC address remains unchanged during
the session. However ephemeral the MAC address may be, it should survive
a session, independent of the session duration.

> My favored key centric approach would be
> 
> mac_address = h(pk, nonce)[:6] | 0x800000000000 # upper 6 octets with
> bitwise to set link local

In eduroam, we do see people changing their MAC address *between*
sessions, and that's know to work. I don't know or care about their
algorithms. Their motivation is to get around "fair use" capping which
some hotspots may have in place. Change MAC, change outer EAP identity,
and you'll appear as a "brand new" user. That is one of the reasons why
we introduced the use of Chargeable-User-Identity (CUI, RFC4372) for our
authentications. CUI can be implemented in a way which prevents tracking
(by hashing the CUI including the Operator-Name attribute, so that
different hotspots get different CUIs for the same user).

I think I can say with some confidence that RADIUS and EAP won't "break"
if MAC addresses change. The change should happen in a sane moment
though to avoid session disruption.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

v2.30.2 | Report a Bug | By Email | System Status