Pascal Thubert \(pthubert\) <pthubert=40cisco....@dmarc.ietf.org> wrote:
> Hello Dave and all:
> So far I have not seen how the MAC randomization deals with:
> - differentiated environments - the preferred behavior on a highway or
> at a coffee shop may differ from that at in a corporate or a DC
> network. In the corporate network, we can expect something like .1x to
> undo the privacy, for good reasons. And we can expect state to be
> maintained for each IP and each MAC. When a MAC changes, there can be
> unwanted state created and remaining in the DHCP server, LISP MSMR,
> SAVI switch, etc... Privacy MAC is only an additional hassle that we
> want to minimize.
If we can assume 802.1X using an Enterprise scheme, and using a TLS1.3
substrate, then if the identity resides in a (Client) TLS Certificate, it
will not been by a passive attacker.
The MAC address is outside of the WEP encryption, so it is always seen, even
if the traffic is otherwise encrypted.
An EAP-*TLS based upon TLS1.2 would reveal the identity, at least the first
time. Perhaps this is a reason to support resumption tokens in EAP-TLS!
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
