On Tue, Sep 29, 2020 at 10:30 AM Michael Richardson <m...@sandelman.ca> wrote:
> Christian Huitema <huit...@huitema.net> wrote: > > Martin is making an important point here. There are a number of > privacy > > enhancing technologies deployed at different layers: MAC address > > randomization at L2, Privacy addresses at L3, various forms of > > encryption and compartments at L4 and above. Each of these > technologies > > is useful by itself, but they can easily be defeated by deployment > > mistakes. For example: > > You are spot on. > But, even your four points muddle things. > > We need some diagrams that we can all agree upon, and we need to name the > different observers. > > Each thing defends against different kinds of observers, and not all > observers can see all things. > Some observers may collaborate (I invoke, the WWII French resistance > emotion > for this term...) > Some observers may have strong reasons not to. > > > 1) Using the same IP address with different MAC addresses negates a > lot > > of the benefits of randomized MAC addresses, > > This assumes that a single observer can observe both at the same time. > WEP++ leaves MAC addresses visible, but encrypts the rest of L3 content. > Any host/interface that uses ARP (not sure whether any flavor of WiFi does, or if so which flavors), exposes the L3/L2 mapping. So, wired IPv4 for certain (except in very locked-down enterprise settings with static MAC addresses, perhaps) leaks this information to every host on the same broadcast domain (same subnet and possibly additional subnets on the same LAN/VLAN). ARP L2 broadcasts solicit information about IP addresses, and at a minimum each such query exposes its own MAC and IP address. Responses may be unicast or broadcast, not sure which. An active compromised host can easily solicit that information by iterating over all the IP addresses on the subnet and performing an ARP for each one. Brian
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
