IETF Logo Mail Archive

Re: [radext] New Version Notification for draft-henry-radext-stable-mac-identifier-00.txt

Alan DeKok <aland@deployingradius.com> Mon, 08 November 2021 15:35 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E483A101C for <radext@ietfa.amsl.com>; Mon, 8 Nov 2021 07:35:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFtvIVhlsB_0 for <radext@ietfa.amsl.com>; Mon, 8 Nov 2021 07:35:45 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 508BE3A101A for <radext@ietf.org>; Mon, 8 Nov 2021 07:35:45 -0800 (PST)
Received: from [192.168.46.129] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 30FDE1DB; Mon, 8 Nov 2021 15:35:41 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <7E1500CE-0320-4DB4-9615-604D4EC5E39E@gmail.com>
Date: Mon, 08 Nov 2021 10:35:38 -0500
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, radext@ietf.org, "Jerome Henry (jerhenry)" <jerhenry@cisco.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A131BFA-597D-4DB9-8D92-F808B04FD205@deployingradius.com>
References: <800563F0-0675-4B19-8286-E03589F2B64D@deployingradius.com> <7E1500CE-0320-4DB4-9615-604D4EC5E39E@gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/MiOcycvWtbYvIk8venaqTANPxDk>
Subject: Re: [radext] New Version Notification for draft-henry-radext-stable-mac-identifier-00.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 15:35:49 -0000

On Nov 8, 2021, at 10:25 AM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> The problem is not clearly stated.

  Agreed.

> There are issues created by changing MAC addresses that could affect the user experience. The document mentions mapping of the MAC address to assigned IP addresses.

  " Continuity might include for example obtaining the same IP address from the DHCP server"

  If the same IP is assigned based on SMI and not RMC MAC, then that sort of negates the reason to use random MAC addresses.  You can tell it's the "same" machine, because it has the same IP address.

> I would note that the point of randomized MAC addresses is to reduce the ability to track users and devices. EAP supports both machine and user authentication and lately there have been efforts to protect those identifiers from exposure in clear text so as to limit tracking. Presumably similar concerns would exist about any machine identifier.  

  I see it as useful to have a unique device identifier, which is visible only to the device and to the RADIUS server.  Ideally, this identifier shouldn't be visible to anyone else in the network. 

 The document implies that changes will need to be made to the Ethernet / radio layer:

  "Additionally, once a protected link has been established between the client and the AP/WLC, as in 2.1, the client requests from the NAS a stable identifier or provides to the NAS a stable identifier."

  This process requires involvement from the IEEE, in addition to the IETF.  I'm not sure why using a stable identifier requires changes to the lower-layer protocols.

  TBH, the identifier could just be put it in a TLS extension.   Require TLS 1.3 for security, and that's it.  Have the device generate a random 128-bit identifier.  No negotiation is necessary.

  A similar method is already being proposed in https://datatracker.ietf.org/doc/html/draft-friel-tls-eap-dpp-01

  Alan DeKok.

v2.23.0 | Report a Bug | By Email