On 20.05.2016 19:36, Dan Williams wrote:
> On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
>> On 19.05.2016 12:22, Thomas Haller wrote:
>>> On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
>>>> On 18.05.2016 16:49, Thomas Haller wrote:
>>>>
>>>> I actually have a question for you, and Lubo;
>>>>
>>>> In the wpa_supplicant, Pre-association MAC randomization is disabled
>>>> per default:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
>>>> PreassocMacAddr
>>>> Pre-association MAC address policy
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n418
>>>> # MAC address policy for pre-association operations (scanning, ANQP)
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #preassoc_mac_addr=0
>>>>
>>>> and the same was said, toward NetworkManager, in:
>>>>
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#n8
>>>> * Added an option to enable use of random MAC addresses for Wi-Fi
>>>>   access point scanning (defaults to disabled). Controlled with
>>>>   'wifi.mac-address-randomization' property (MAC_ADDRESS_RANDOMIZATION
>>>>   key in ifcfg files).
>>>
>>> Yeah, this is wrong. I fixed it:
>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e0e1c5916073deac49d27a9ee2343073f5fe552a
>>>
>>>> -but- you said in:
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
>>>> <quote>
>>>> When NM detects support in wpa-supplicant, it always sets
>>>> PreassocMacAddr to 1. This setting is only relevant during scanning,
>>>> and thus NM *always* enables it.
>>>> </quote>
>>>>
>>>> -and- as "published" by Lubo in:
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
>>>> <quote>
>>>> What seems like a viable option is randomizing the MAC address while
>>>> scanning, changing it every now and then, but still use the hard-wired
>>>> MAC address for association and actual connectivity.
>>>> [...]
>>>> With the upcoming NetworkManager 1.2 we're doing this too.
>>>> [...]
>>>> With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4 or
>>>> newer) we're doing this too.
>>>> </quote>
>>>>
>>>> Is not that, as mentioned in the NEWS, in fact MAC randomization per
>>>> connecting, not MAC randomization per scanning!?
>>>
>>> You are right.
>>>
>>>> That is, in the wpa_supplicant, Connection MAC randomization:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
>>>> MacAddr
>>>> MAC address policy default
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n405
>>>> # MAC address policy default
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address for each ESS connection
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #
>>>> # By default, permanent MAC address is used unless policy is changed by
>>>> # the per-network mac_addr parameter. Global mac_addr=1 can be used to
>>>> # change this default behavior.
>>>> #mac_addr=0
>>>>
>>>> toward NetworkManager, what -you- said in:
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
>>>> <quote>
>>>> The mac-address-randomization connection-setting on the other hand,
>>>> configures the behavior while being connected.
>>>> </quote>
>>>>
>>>> -and- as "published" by Lubo in:
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
>>>> <quote>
>>>> Could we randomize the permanent address too? We added option for that
>>>> to NetworkManager 1.2 too, but are leaving it off.
>>>> [...]
>>>> </quote>
>>>>
>>>> What is what, and what is not!? :)
>>>
>>> Hi poma,
>>>
>>> yes, the NEWS file was wrong. Also, as we already found out, another
>>> mistake was that wpa-supplicant support is not yet available in 2.4. It
>>> is currently only on master (and will be in supplicant version 2.6) --
>>> unless we backport it, for which you opened a Fedora bug (thank you).
>>>
>>> Lubo's "but are leaving it off." statement means: if you leave the
>>> per-connection setting wifi.mac-address-randomization at "default",
>>> then the default means "off" -- unless you overwrite it via a global
>>> default value in /etc/NetworkManager/NetworkManager.conf, see
>>> `man NetworkManager.conf`.
>>>
>>> Does this resolve all unclarities?
>>
>> Of course!
>>
>> Here's the answer to your question - "Why do you say that "rand-mac"
>> does not work?"
>>
>> == Client ==
>>
>> # cat /sys/class/net/wlp0s2f1u3/address
>> 00:aa:bb:cc:dd:ee
>>
>> # journalctl -o cat -b -u NetworkManager
>> ...
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr 00:AA:BB:CC:DD:EE driver mt7601u
>>
>> # nmcli connection show WiFiRd | grep rand
>> 802-11-wireless.mac-address-randomization:default
>>
>> # journalctl -o cat -b -u NetworkManager -f | grep -i rand
>> NetworkManager[2125]: <debug> [[...]] CONFIG: wifi.mac-address-randomization=2
>> NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
>> NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
>> ...
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>
> If you run the supplicant with debug logging, do you see messages like:
>
> nl80211: set_mac_addr for wlp0s2f1u3 to XXXXXXXXXX
> Using random MAC address XXXXXXXX
>
> or do you see any messages like:
>
> Failed to set random MAC address
> Could not update MAC address information
>
> ?
>
> Dan
# journalctl -o short-monotonic -b -u wpa_supplicant | egrep -i mac\|rand
[   38.736110] lnx wpa_supplicant[2422]: random: Trying to read entropy from /dev/random
[   38.738572] lnx wpa_supplicant[2422]: random: Got 20/20 bytes from /dev/random
[  174.447387] lnx wpa_supplicant[2422]: wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
[  174.450838] lnx wpa_supplicant[2422]: wlp0s2f1u3: WPS: UUID based on MAC address: [...]
[  174.472250] lnx wpa_supplicant[2422]: wlp0s4f1u1: Own MAC address: ee:dd:cc:bb:aa:00
[  174.483434] lnx wpa_supplicant[2422]: properties_get_or_set: Set(PreassocMacAddr)
[  174.483627] lnx wpa_supplicant[2422]: preassoc_mac_addr=1
[  174.902680] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 5a:c2:ee:36:48:3f
[  174.954705] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 5a:c2:ee:36:48:3f
[  174.966249] lnx wpa_supplicant[2422]: properties_get_or_set: Set(PreassocMacAddr)
[  174.966446] lnx wpa_supplicant[2422]: preassoc_mac_addr=1
[  175.380436] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 9a:a5:7a:36:7d:33
[  175.614766] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 9a:a5:7a:36:7d:33
[  178.006699] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[  178.013728] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[  201.018229] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[  201.020298] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[  234.022119] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[  234.023105] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[  277.432410] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 4a:73:b1:79:04:f4
[  277.468792] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 4a:73:b1:79:04:f4
[  277.890732] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to e2:0a:50:fb:3d:1d
[  278.098748] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address e2:0a:50:fb:3d:1d
[  330.120064] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[  330.120976] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[  393.426189] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 06:d2:3a:84:9c:09
[  393.457738] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 06:d2:3a:84:9c:09
[  393.881657] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 46:fd:91:cc:a9:5e
[  394.096735] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 46:fd:91:cc:a9:5e
[  456.452965] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to c2:cf:77:68:f2:f8
[  456.498794] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address c2:cf:77:68:f2:f8
[  456.911105] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 12:16:f6:16:28:f2
[  457.143778] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 12:16:f6:16:28:f2
[  519.441354] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to b2:23:e6:f5:ef:e0
[  519.475777] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address b2:23:e6:f5:ef:e0
[  519.899036] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 4a:3b:9a:a9:0b:bb
[  520.116736] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 4a:3b:9a:a9:0b:bb
[  582.464207] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to ae:16:d5:83:08:e0
[  582.489822] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address ae:16:d5:83:08:e0
[  582.918087] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 66:6e:61:ab:c6:1d
[  583.127823] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 66:6e:61:ab:c6:1d
[  645.443366] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to e6:e9:69:4a:91:d9
[  645.472711] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address e6:e9:69:4a:91:d9
[  645.884186] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to de:98:b2:d0:65:5b
[  646.108737] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address de:98:b2:d0:65:5b

# systemctl status wpa_supplicant.service | grep sbin
└─2422 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -dd

# man 8 wpa_supplicant
...
COMMAND LINE OPTIONS
...
-u
    Enable DBus control interface. If enabled, interface definitions may be
    omitted. (This is only available if wpa_supplicant was built with the
    CONFIG_DBUS option.)

Is the CONFIG_DBUS option necessary in
https://pkgs.fedoraproject.org/cgit/rpms/wpa_supplicant.git/tree/build-config ?

== Hotspot ==

# journalctl -o cat -b -u NetworkManager
...
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
<debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr EE:DD:CC:BB:AA:00 driver rt2800usb

# tcpdump -i wlp2s2f7u2
...
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
.
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
.
[...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
[...] EAPOL key (3) v2, len 95
[...] EAPOL key (3) v1, len 117
[...] EAPOL key (3) v2, len 199
[...] EAPOL key (3) v1, len 95
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
[...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
[...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
[...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
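The two logs in this message are the evidence behind the distinction Thomas draws above: with preassoc_mac_addr=1 the supplicant rotates a locally administered random address for scanning, while the hotspot capture shows the permanent 00:aa:bb:cc:dd:ee for association, EAPOL, DHCP and ARP, because the per-connection mac-address-randomization setting is still at its "default" (off). The script below is an added example, not code from this thread, from NetworkManager or from wpa_supplicant: it parses both kinds of evidence and reports which layer is actually randomized. The sample input is constructed from the log lines posted above, and all function names (scan_addresses, association_addresses, report, ...) are my own.

```python
import re
from collections import defaultdict

# Permanent (burned-in) address of the client interface, as read from
# /sys/class/net/wlp0s2f1u3/address in the thread.
PERMANENT_MAC = "00:aa:bb:cc:dd:ee"

# Constructed sample input: a subset of the `wpa_supplicant -dd` journal
# lines quoted in the thread (two interfaces, several rotations).
SUPPLICANT_LOG = """\
[ 174.447387] lnx wpa_supplicant[2422]: wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
[ 174.483627] lnx wpa_supplicant[2422]: preassoc_mac_addr=1
[ 174.902680] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 5a:c2:ee:36:48:3f
[ 174.954705] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 5a:c2:ee:36:48:3f
[ 175.614766] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 9a:a5:7a:36:7d:33
[ 178.006699] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[ 277.468792] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 4a:73:b1:79:04:f4
[ 393.457738] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 06:d2:3a:84:9c:09
"""

# Constructed sample input: hotspot-side tcpdump lines quoted in the thread.
TCPDUMP_LOG = """\
IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
RANDOM_MAC_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\].*\s(?P<iface>\S+): Using random MAC address (?P<mac>" + MAC + r")$")
ASSOC_MAC_RE = re.compile(r"(?:Request from|is-at) (?P<mac>" + MAC + r")")


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def is_locally_administered(mac):
    """Bit 1 (0x02) of the first octet marks a locally administered address;
    a burned-in, IEEE-assigned address has it clear."""
    return bool(mac_bytes(mac)[0] & 0x02)


def is_unicast(mac):
    """Bit 0 (0x01) of the first octet must be clear for a usable source MAC."""
    return not mac_bytes(mac)[0] & 0x01


def keeps_oui(mac, permanent):
    """True when only the local-admin bit differs in the first three octets,
    i.e. policy 2 ('like 1, but maintain OUI') rather than policy 1."""
    a, b = mac_bytes(mac), mac_bytes(permanent)
    return (a[0] & ~0x02) == (b[0] & ~0x02) and a[1:3] == b[1:3]


def scan_addresses(log, permanent):
    """{iface: [(timestamp, mac), ...]} for each random MAC the supplicant
    took into use for pre-association traffic, sanity-checking each one.
    'has not yet expired' lines are reuse of the current address, not a change."""
    history = defaultdict(list)
    for line in log.splitlines():
        m = RANDOM_MAC_RE.match(line)
        if not m:
            continue
        mac = m["mac"]
        if mac == permanent:
            raise ValueError("'random' MAC equals the permanent address: " + line)
        if not (is_locally_administered(mac) and is_unicast(mac)):
            raise ValueError("malformed random MAC in: " + line)
        history[m["iface"]].append((float(m["ts"]), mac))
    return dict(history)


def rotation_intervals(history):
    """Whole seconds between successive random-MAC changes on one interface."""
    return [round(later - earlier) for (earlier, _), (later, _) in zip(history, history[1:])]


def association_addresses(capture):
    """Source MACs the AP saw in DHCP requests and ARP replies, i.e. the
    address used once connected (scanning never reaches this stage)."""
    return sorted({m["mac"] for m in ASSOC_MAC_RE.finditer(capture)})


def report(supplicant_log, capture, permanent):
    """Summarise which layer is randomized: scanning, connection, or neither."""
    scans = scan_addresses(supplicant_log, permanent)
    connected = association_addresses(capture)
    all_random = [mac for hist in scans.values() for _, mac in hist]
    return {
        "scan_macs": {iface: [mac for _, mac in hist] for iface, hist in scans.items()},
        "scan_rotation_s": {iface: rotation_intervals(hist) for iface, hist in scans.items()},
        "scan_randomized": bool(all_random),
        "scan_keeps_oui": all(keeps_oui(mac, permanent) for mac in all_random) if all_random else None,
        "connected_macs": connected,
        "connected_randomized": bool(connected) and permanent not in connected,
    }


if __name__ == "__main__":
    for key, value in report(SUPPLICANT_LOG, TCPDUMP_LOG, PERMANENT_MAC).items():
        print(f"{key}: {value}")
```

On the thread's data the report comes out as scan_randomized=True, scan_keeps_oui=False (the addresses share nothing with the burned-in OUI, so this is supplicant policy 1, not 2) and connected_randomized=False, which is exactly "random while scanning, permanent while connected". If the per-connection setting were switched on, the same script applied to a fresh capture should show a locally administered address in the DHCP and ARP lines instead of 00:aa:bb:cc:dd:ee.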