Re: How to activate MAC address randomization?

From: Chris Laprise <tasket openmailbox org>
To: Dan Williams <dcbw redhat com>, poma <pomidorabelisima gmail com>, networkmanager-list gnome org
Subject: Re: How to activate MAC address randomization?
Date: Wed, 18 May 2016 21:10:49 -0400



On 05/18/2016 02:25 PM, Dan Williams wrote:


Randomization happens in the supplicant, and the supplicant also
controls scanning.  If randomization is enabled, the supplicant will
change the MAC address before it scans, so this should not be a
problem.

Of course, if you run 'iw dev wlan0 scan' manually, that does not go
through the supplicant, and you will leak your MAC.

If you use NM's MAC cloning functionality, then yes, that might leak
your MAC because that only clones the MAC address for the duration of
the connection to a specific access point.  It's not randomization,
it's the same as ethernet MAC cloning.

It does seem like a primary use case for randomization would be randomaddresses during scans only, and transition to chosen non-originaladdresses for connections (per-AP). The users and admins aren't going tothink to themselves: "We're going to assign different addresses to theseconnections, so we're OK with the hardware address coming through." Notif they're using pre-connection randomization (which should beconsidered the operational norm by now).

And its not that connection randomization isn't important, too. I justthink that pre-connection randomization would work very well towardsprivacy if the 'randomization' were on a per-AP basis and not aper-session basis (the latter being less compatible with someinstitutional security schemes). Per-AP is more realistic and far morelikely to be used.

So I would like to know if NM can coordinate with supplicant well enoughto transition the NIC between randomized pre-connection scanning andstatically-spoofed connections without allowing the original address tobe broadcast.

If you're looking for a more generic MAC randomization feature that
also works for ethernet, then yes that would be NM's responsibility.
  Internally NM would handle ethernet MAC randomization itself, but
delegate to the supplicant for WiFi.  Since the supplicant handles
scanning, it must also handle WiFi MAC randomization to ensure
synchronization of the changes.

Dan

Ethernet is probably not as pressing a concern because of the physicallink aspect, but thanks for the insight.


Chris

Follow-Ups:
- Re: How to activate MAC address randomization?
  - From: Dan Williams

References:
- Re: How to activate MAC address randomization?
  - From: Dan Williams
- Re: How to activate MAC address randomization?
  - From: poma
- Re: How to activate MAC address randomization?
  - From: Chris Laprise
- Re: How to activate MAC address randomization?
  - From: poma
- Re: How to activate MAC address randomization?
  - From: Chris Laprise
- Re: How to activate MAC address randomization?
  - From: poma
- Re: How to activate MAC address randomization?
  - From: Chris Laprise
- Re: How to activate MAC address randomization?
  - From: Dan Williams

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]