IETF Logo Mail Archive

Re: [perpass] Fwd: New Version Notification for draft-barnes-pervasive-problem-00.txt

Stefan Winter <stefan.winter@restena.lu> Wed, 08 January 2014 06:52 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: perpass@ietfa.amsl.com
Delivered-To: perpass@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C0961AE2F8 for <perpass@ietfa.amsl.com>; Tue, 7 Jan 2014 22:52:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.437
X-Spam-Level:
X-Spam-Status: No, score=-2.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, WEIRD_PORT=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBURGHZK3dL6 for <perpass@ietfa.amsl.com>; Tue, 7 Jan 2014 22:52:25 -0800 (PST)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 2174E1AE2F5 for <perpass@ietf.org>; Tue, 7 Jan 2014 22:52:25 -0800 (PST)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id 42B3510583 for <perpass@ietf.org>; Wed, 8 Jan 2014 07:52:15 +0100 (CET)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id 318EE10580 for <perpass@ietf.org>; Wed, 8 Jan 2014 07:52:15 +0100 (CET)
Message-ID: <52CCF598.3000605@restena.lu>
Date: Wed, 08 Jan 2014 07:52:08 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: perpass@ietf.org
References: <20140107021702.7140.81609.idtracker@ietfa.amsl.com> <CAL02cgRsBQNYd2n05548ZbK-ciPkSNJ=U2V0iv+080p9-1gQbA@mail.gmail.com> <7BAC95F5A7E67643AAFB2C31BEE662D018B7D6E1E4@SC-VEXCH2.marvell.com> <CAL02cgT5u1w-MJfxWHZOdiDQRU_Ov_wGYf7=0O-BH_td-Nis8Q@mail.gmail.com> <CEF1B205.2BC2A%paul@marvell.com>
In-Reply-To: <CEF1B205.2BC2A%paul@marvell.com>
X-Enigmail-Version: 1.6
OpenPGP: id=8A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="rrG2DHdMLNfFradH5jBwvJUuhSgE7kNJc"
X-Virus-Scanned: ClamAV
Subject: Re: [perpass] Fwd: New Version Notification for draft-barnes-pervasive-problem-00.txt
X-BeenThere: perpass@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <perpass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perpass>, <mailto:perpass-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/perpass/>
List-Post: <mailto:perpass@ietf.org>
List-Help: <mailto:perpass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perpass>, <mailto:perpass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 06:52:28 -0000

Hi,

>     I also wonder to what degree this is a "pervasive attack" issue.  If
>     the attack involves being physically close to the victim, it's hard
>     to see how the attacker would achieve a pervasive scale.
> 
> MAC address are readily picked up by any hotspot, mobile device, or by
> special monitoring devices.  Commercial systems already exist to
> aggregate, track and identify people based on unique identifiers in our
> radio transmissions.  

Another attack vector is the routing of RADIUS authentication requests
for enterprise WiFi. The client device's MAC address is transported in
the clear inside the RADIUS attribute Calling-Station-Id; so if your
RADIUS server is "somewhere on the internet" (e.g. if you are part of a
roaming consortium and send your authentication traffic via a off-site
clearing house) then anybody who happens to listen on the wire learns
about those MAC addresses and the associated user identity (or at least
the realm he comes from, if the end user was mindful enough to configure
identity privacy on his device).

Partial mitigations for that are possible; RADIUS/TLS for example makes
the clear-text transmission on IP level go away; but the fact that the
clearinghouse gets to see all traffic does not go away with that.

You should read
https://tools.ietf.org/html/draft-wierenga-ietf-eduroam-01 section 3.5 -
this issue is discussed in some detail there.

A partial solution that may make some clearing houses go away is direct
dynamic discovery of RADIUS servers as per
https://datatracker.ietf.org/doc/draft-ietf-radext-dynamic-discovery/
which can (but does not necessarily always) bypass central clearing houses.

In short: MAC addresses are NOT necessarily local to the LAN; if they
leak beyond, privacy is at risk. The LAN may be IEEE's domain; protocols
that transport information about MAC addresses on the layers above are
most certainly IETF work.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

v2.30.2 | Report a Bug | By Email | System Status