Re: [sacm] ECP question

Jessica Fitzgerald-McKay <> Fri, 26 April 2019 12:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F2FC1120045; Fri, 26 Apr 2019 05:52:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id y4VfBH7Iyysa; Fri, 26 Apr 2019 05:52:40 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CC6FC120183; Fri, 26 Apr 2019 05:52:40 -0700 (PDT)
Received: by with SMTP id y10so5599991itc.1; Fri, 26 Apr 2019 05:52:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nmUPE0TG85bi4JYlzQdNs8jdQPLAfQ9IMNHZspRuMg0=; b=NSftfKcvAGbL26+Xt4dLro3fSfXgeNJyNAGS8Mi0GTgB3vWoJfLi5dGP6HW8Jjtibq oql5WrSZDYAW2uRXrzPDmWQ2rNQE4gSAdYIiwMiXhcSgm7Lpcr58nGiRwVOInpSP8vCp 7dG7LuhlR8yAWB/JeQM3iwadIkF8yEH+qN7tnjGDPUpgxJMnskHUPGCauFQaYXMaqkmF xT3SG9eV3eCZOykaCfQS1hNOzP3iNfRui0TVrbAWUBHf0fXnTawYSV5Ey2SbSJvz2GF+ G+v7084E45I3T5PFD897j/Rf17Wa8SieHxHRmFBR5lPKtti9Lww+eAbeavVbqT8rM3qw QqYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nmUPE0TG85bi4JYlzQdNs8jdQPLAfQ9IMNHZspRuMg0=; b=jK4dYjWof552jZzs5sszhGy562zTe3C5FlyEsJ4LNWL+9PpG3O8eDUACldGD33fJ+Y NtBPOHZ7g5QjCFdwJ0FBjm0uWWnTks9tfGi8caLz0KeTVupaPMRnYTwvD8QOolHlDAXm EUU4dG6+R4+5gkGYTXvuskPHlkzwXKCyDyjc49v/OmPuIs5tzXWZ+JbEbARZwdCh9rV1 LD1+a9h7sJxRyGT4v8Zy5PyCTaScU4VoC0KRCRpPwItaOSSYMfuh+XvqhAcoBPkr++RQ eF4I8UpYYsazeeWO6Oh/rrcrU0wkufx3WEjEJQmX6ZIsf8nl7c5rh5p7AaxnuLM1JY6o Lu0A==
X-Gm-Message-State: APjAAAVDXWCEoN8H40Ty/Z9NwfNc99Eh1tywryRxsEslFe3MkMKe9aaH 8ytlD80/97vz6L7rogqyMgs9eWMucWzVVgqlXuNUJyVu
X-Google-Smtp-Source: APXvYqwEgeTCLT+z0Qy/w4judafO3pblxdOaUDPEpPZYk19RMp0Q2HBeBMNOJhCDidxuce2Tg4R2Ygu9sG4wyQc9DxE=
X-Received: by 2002:a24:22ca:: with SMTP id o193mr7981217ito.131.1556283159925; Fri, 26 Apr 2019 05:52:39 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Jessica Fitzgerald-McKay <>
Date: Fri, 26 Apr 2019 08:52:27 -0400
Message-ID: <>
To: Dan Ehrlich <>
Cc: "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000eada0c05876e686a"
Archived-At: <>
Subject: Re: [sacm] ECP question
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SACM WG mail list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Apr 2019 12:52:43 -0000


Thank you for the review! Your understanding of MAC addresses mirrors mine:
they are not trustworthy as a sole device identifier. I think that, despite
that, they are still worth collection, for two reasons:

1) For device identity correlation-- For some network analytics, the MAC
address is what they can see. These analytics should have the capability to
correlate the behavior they see from an endpoint with a particular MAC
address to a better device identifier. One way to do that is to provide all
the identifiers an endpoint has (IP address, MAC address, device
certificate, etc.) to the CMDB. For traditional endpoints, the ECP requires
IF- IMC and (on the server side) IF-IMV. These interfaces allow endpoints
to share multiple forms of identity to the server, and then stored in the
CMDB for this sort of use case.

2) For attack identification-- ECP enables event-driven collection of
endpoint data. That is, if something changes on the endpoint, ECP enables
that change to be immediately (or, close to immediately) sent to the
server, and then to the CMDB. An endpoint could share any changes to its
MAC address as a part of that event-driven collection, which would help
network tools notice a malicious change in near-real-time.

Given these reasons, I would like to keep MAC addresses as a type of device
identity in the ECP.

I wonder if we could resolve your comments by including a note in the
security considerations about the trust limitations of MAC addresses. We
can say that they really should not be used as a sole device identifier,
and, if other identities can be reported, they really ought to be collected
at the same time as a MAC address. What do you think?

Thanks again for taking the time to share your thoughts!


On Fri, Apr 12, 2019 at 8:45 PM Dan Ehrlich <dan=>; wrote:

> Link I mentioned:
> <>
> Section 3.2.1
> On Fri, Apr 12, 2019 at 5:42 PM Dan Ehrlich <>; wrote:
>> In the RFC for ECP, there is a section that mentions the potential use of
>> MAC addresses for identifying endpoints.
>> My understanding is that there are many things wrong with MAC addresses
>> today, such as that they can now be changed randomly by software, can't
>> really be verified, can be spoofed easily, etc.
>> I cannot find the link I was using from yesterday, but can the MAC
>> address mention be removed from ECP?
>> Apologies if I viewed an old draft or if this was previously discussed,
>> Dan Ehrlich
>> Austin, Texas
>> <>
> _______________________________________________
> sacm mailing list