Re: How to activate MAC address randomization?
- From: Dan Williams <dcbw redhat com>
- To: poma <pomidorabelisima gmail com>, Thomas Haller <thaller redhat com>, Chris Laprise <tasket openmailbox org>, networkmanager-list gnome org, Lubomir Rintel <lrintel redhat com>
- Subject: Re: How to activate MAC address randomization?
- Date: Fri, 20 May 2016 12:36:55 -0500
On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
On 19.05.2016 12:22, Thomas Haller wrote:
On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
On 18.05.2016 16:49, Thomas Haller wrote:
I actually have a question for you, and Lubo;
In the wpa_supplicant, Pre-association MAC randomization is disabled per default:
https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
PreassocMacAddr
Pre-association MAC address policy
https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n418
# MAC address policy for pre-association operations (scanning, ANQP)
# 0 = use permanent MAC address
# 1 = use random MAC address
# 2 = like 1, but maintain OUI (with local admin bit set)
#preassoc_mac_addr=0
and the same was said, toward NetworkManager, in:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#n8
* Added an option to enable use of random MAC addresses for Wi-Fi access
point scanning (defaults to disabled). Controlled with
'wifi.mac-address-randomization' property (MAC_ADDRESS_RANDOMIZATION key in
ifcfg files).
Yeah, this is wrong. I fixed it:
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e0e1c5916073deac49d27a9ee2343073f5fe552a
-but- you said in:
https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
<quote>
When NM detects support in wpa-supplicant, it always sets PreassocMacAddr
to 1. This setting is only relevant during scanning, and thus NM *always*
enables it.
</quote>
-and- as "published" by Lubo in:
https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
<quote>
What seems like a viable option is randomizing the MAC address while
scanning, changing it every now and then, but still use the hard-wired MAC
address for association and actual connectivity. [...]
With the upcoming NetworkManager 1.2 we’re doing this too. [...]
With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4 or
newer) we’re doing this too.
</quote>
Is not that, as mentioned in the NEWS, in fact MAC randomization per
connecting, not MAC randomization per scanning!?
You are right.
That is, in the wpa_supplicant, Connection MAC randomization:
https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
MacAddr
MAC address policy default
https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n405
# MAC address policy default
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#
# By default, permanent MAC address is used unless policy is changed by
# the per-network mac_addr parameter. Global mac_addr=1 can be used to
# change this default behavior.
#mac_addr=0
toward NetworkManager, what -you- said in:
https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
<quote>
The mac-address-randomization connection-setting on the other hand,
configures the behavior while being connected.
</quote>
-and- as "published" by Lubo in:
https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
<quote>
Could we randomize the permanent address too?
We added option for that to NetworkManager 1.2 too, but are leaving it
off. [...]
</quote>
What is what, and what is not!? :)
Hi poma,
yes, the NEWS file was wrong.
Also, as we already found out, another mistake was that wpa-supplicant
support is not yet available in 2.4. It is currently only on master (and
will be in supplicant version 2.6) -- unless we backport it, for which you
opened a Fedora bug (thank you).
Lubo's "but are leaving it off." statement means:
if you leave the per-connection setting wifi.mac-address-randomization at
"default", then the default means "off" -- unless you overwrite it via a
global default value in /etc/NetworkManager/NetworkManager.conf, see
`man NetworkManager.conf`.
Does this resolve all unclarities?
Of course!
Here's the answer to your question - "Why do you say that "rand-mac" does not work?"
== Client ==
# cat /sys/class/net/wlp0s2f1u3/address
00:aa:bb:cc:dd:ee
# journalctl -o cat -b -u NetworkManager
...
NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr 00:AA:BB:CC:DD:EE driver mt7601u
# nmcli connection show WiFiRd | grep rand
802-11-wireless.mac-address-randomization:default
# journalctl -o cat -b -u NetworkManager -f | grep -i rand
NetworkManager[2125]: <debug> [[...]] CONFIG: wifi.mac-address-randomization=2
NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
...
NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
If you run the supplicant with debug logging, do you see messages like:
nl80211: set_mac_addr for wlp0s2f1u3 to XXXXXXXXXX
Using random MAC address XXXXXXXX
or do you see any messages like:
Failed to set random MAC address
Could not update MAC address information
?
Dan
== Hotspot ==
# journalctl -o cat -b -u NetworkManager
...
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr EE:DD:CC:BB:AA:00 driver rt2800usb
# tcpdump -i wlp2s2f7u2
...
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
.
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
.
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
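As an added example that is not part of this thread: a small Python check that takes the client's permanent address and hotspot-side tcpdump lines like the ones above, and reports which wpa_supplicant mac_addr policy (0 permanent, 1 random, 2 random but keeping the OUI with the local-admin bit set) each on-air address is consistent with. The capture lines are constructed from the output quoted above and the function names are my own.

```python
import re

# Permanent address of the client, as read from /sys/class/net/wlp0s2f1u3/address above.
PERMANENT_MAC = "00:aa:bb:cc:dd:ee"

# Constructed sample modelled on the hotspot-side tcpdump lines quoted above (not a real capture).
SAMPLE_CAPTURE = """\
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def _mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def classify(observed, permanent):
    """Return the wpa_supplicant mac_addr policy (0, 1 or 2) that an on-air
    address is consistent with, or None if it matches none of them."""
    o, p = _mac_bytes(observed), _mac_bytes(permanent)
    if o == p:
        return 0                 # permanent address is on the air
    if not o[0] & 0x02:          # bit 1 of the first octet = locally administered
        return None              # not permanent, not a random address either
    if (o[0] & ~0x02) == (p[0] & ~0x02) and o[1:3] == p[1:3]:
        return 2                 # OUI kept, only the local-admin bit set
    return 1                     # fully random, locally administered


def audit(capture, permanent):
    """Map every client address found in tcpdump output to its apparent policy."""
    seen = {}
    for line in capture.splitlines():
        for mac in MAC_RE.findall(line):
            seen[mac.lower()] = classify(mac, permanent)
    return seen


def randomization_effective(capture, permanent):
    """True only if the permanent address never shows up in the capture."""
    return 0 not in audit(capture, permanent).values()
```

Run against a live capture with `tcpdump -i <hotspot-iface>` piped into `audit`; a result of 0 for the client's address after association is exactly what the hotspot trace above shows.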