On 20.05.2016 19:36, Dan Williams wrote:
> On Fri, 2016-05-20 at 19:03 +0200, poma wrote:
>> On 19.05.2016 12:22, Thomas Haller wrote:
>>> On Thu, 2016-05-19 at 01:41 +0200, poma wrote:
>>>> On 18.05.2016 16:49, Thomas Haller wrote:
>>>>>
>>>> I actually have a question for you, and Lubo;
>>>>
>>>> In the wpa_supplicant, Pre-association MAC random-ization is disabled
>>>> per default:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n964
>>>> PreassocMacAddr
>>>> Pre-association MAC address policy
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n418
>>>> # MAC address policy for pre-association operations (scanning, ANQP)
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #preassoc_mac_addr=0
>>>>
>>>> and the same was said, toward NetworkManager, in:
>>>>
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS#n8
>>>> * Added an option to enable use of random MAC addresses for Wi-Fi access
>>>> point scanning (defaults to disabled). Controlled with
>>>> 'wifi.mac-address-randomization' property (MAC_ADDRESS_RANDOMIZATION key in
>>>> ifcfg files).
>>> Yeah, this is wrong. I fixed it:
>>>
>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=e0e1c5916073deac49d27a9ee2343073f5fe552a
>>>
>>>> -but- you said in:
>>>>
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
>>>> <quote>
>>>> When NM detects support in wpa-supplicant, it always sets
>>>> PreassocMacAddr to 1. This setting is only relevant during scanning,
>>>> and thus NM *always* enables it.
>>>> </quote>
>>>>
>>>> -and- as "published" by Lubo in:
>>>>
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
>>>> <quote>
>>>> What seems like a viable option is randomizing the MAC address while
>>>> scanning,
>>>> changing it every now and then,
>>>> but still use the hard-wired MAC address for association and actual
>>>> connectivity. [...]
>>>> With the upcoming NetworkManager 1.2 we’re doing this too. [...]
>>>> With the upcoming NetworkManager 1.2 (when using wpa_supplicant 2.4
>>>> or newer) we’re doing this too.
>>>> </quote>
>>>>
>>>> Is not that, as mentioned in the NEWS, in fact MAC random-ization per
>>>> connecting, not MAC random-ization per scanning!?
>>> You are right.
>>>
>>>> That is, in the wpa_supplicant, Connection MAC random-ization:
>>>>
>>>> https://w1.fi/cgit/hostap/tree/doc/dbus.doxygen#n954
>>>> MacAddr
>>>> MAC address policy default
>>>>
>>>> https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf#n405
>>>> # MAC address policy default
>>>> # 0 = use permanent MAC address
>>>> # 1 = use random MAC address for each ESS connection
>>>> # 2 = like 1, but maintain OUI (with local admin bit set)
>>>> #
>>>> # By default, permanent MAC address is used unless policy is changed by
>>>> # the per-network mac_addr parameter. Global mac_addr=1 can be used to
>>>> # change this default behavior.
>>>> #mac_addr=0
>>>>
>>>> toward NetworkManager, what -you- said in:
>>>>
>>>> https://mail.gnome.org/archives/networkmanager-list/2016-May/msg00042.html
>>>> <quote>
>>>> The mac-address-randomization connection-setting on the other hand,
>>>> configures the behavior while being connected.
>>>> </quote>
>>>>
>>>> -and- as "published" by Lubo in:
>>>>
>>>> https://blogs.gnome.org/lkundrak/2016/01/18/networkmanger-and-tracking-protection-in-wi-fi-networks
>>>> <quote>
>>>> Could we randomize the permanent address too?
>>>> We added option for that to NetworkManager 1.2 too, but are leaving
>>>> it off. [...]
>>>> </quote>
>>>>
>>>> What is what, and what is not!? :)
>>>>
>>>
>>> Hi poma,
>>>
>>> yes, the NEWS file was wrong.
>>>
>>> Also, as we already found out, another mistake was that wpa-supplicant
>>> support is not yet available in 2.4. It is currently only on master
>>> (and will be in supplicant version 2.6)
>>> -- unless we backport it, for which you opened a Fedora bug (thank
>>> you).
>>>
>>> Lubo's "but are leaving it off." statement means:
>>> if you leave the per-connection setting wifi.mac-address-randomization
>>> at "default", then the default means "off"
>>> -- unless you overwrite it via a global default value in
>>> /etc/NetworkManager/NetworkManager.conf, see `man NetworkManager.conf`.
>>>
>>> Does this resolve all unclarities?
>>>
>>
>> Of course!
>>
>> Here's the answer to your question - "Why do you say that "rand-mac"
>> does not work?"
>>
>> == Client ==
>>
>> # cat /sys/class/net/wlp0s2f1u3/address
>> 00:aa:bb:cc:dd:ee
>>
>> # journalctl -o cat -b -u NetworkManager
>> ...
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr 00:AA:BB:CC:DD:EE driver mt7601u
>> NetworkManager[2125]: <debug> [[...]] platform: signal: link changed: 5: wlp0s2f1u3 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr 00:AA:BB:CC:DD:EE driver mt7601u
>>
>> # nmcli connection show WiFiRd | grep rand
>> 802-11-wireless.mac-address-randomization:default
>>
>> # journalctl -o cat -b -u NetworkManager -f | grep -i rand
>>
>> NetworkManager[2125]: <debug> [[...]] CONFIG: wifi.mac-address-randomization=2
>> NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
>> NetworkManager[2125]: <debug> [[...]] ++ 802-11-wireless.mac-address-randomization = 1
>> ...
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>> NetworkManager[2125]: <info> [[...]] sup-iface[[...],wlp0s2f1u3]: config: set MAC randomization to 1
>
> If you run the supplicant with debug logging, do you see messages like:
>
> nl80211: set_mac_addr for wlp0s2f1u3 to XXXXXXXXXX
> Using random MAC address XXXXXXXX
>
> or do you see any messages like:
>
> Failed to set random MAC address
> Could not update MAC address information
>
> ?
>
> Dan
>
# journalctl -o short-monotonic -b -u wpa_supplicant | egrep -i mac\|rand
[ 38.736110] lnx wpa_supplicant[2422]: random: Trying to read entropy from /dev/random
[ 38.738572] lnx wpa_supplicant[2422]: random: Got 20/20 bytes from /dev/random
[ 174.447387] lnx wpa_supplicant[2422]: wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
[ 174.450838] lnx wpa_supplicant[2422]: wlp0s2f1u3: WPS: UUID based on MAC address: [...]
[ 174.472250] lnx wpa_supplicant[2422]: wlp0s4f1u1: Own MAC address: ee:dd:cc:bb:aa:00
[ 174.483434] lnx wpa_supplicant[2422]: properties_get_or_set: Set(PreassocMacAddr)
[ 174.483627] lnx wpa_supplicant[2422]: preassoc_mac_addr=1
[ 174.902680] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 5a:c2:ee:36:48:3f
[ 174.954705] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 5a:c2:ee:36:48:3f
[ 174.966249] lnx wpa_supplicant[2422]: properties_get_or_set: Set(PreassocMacAddr)
[ 174.966446] lnx wpa_supplicant[2422]: preassoc_mac_addr=1
[ 175.380436] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 9a:a5:7a:36:7d:33
[ 175.614766] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 9a:a5:7a:36:7d:33
[ 178.006699] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[ 178.013728] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[ 201.018229] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[ 201.020298] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[ 234.022119] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[ 234.023105] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[ 277.432410] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 4a:73:b1:79:04:f4
[ 277.468792] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 4a:73:b1:79:04:f4
[ 277.890732] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to e2:0a:50:fb:3d:1d
[ 278.098748] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address e2:0a:50:fb:3d:1d
[ 330.120064] lnx wpa_supplicant[2422]: wlp0s2f1u3: Previously selected random MAC address has not yet expired
[ 330.120976] lnx wpa_supplicant[2422]: wlp0s4f1u1: Previously selected random MAC address has not yet expired
[ 393.426189] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 06:d2:3a:84:9c:09
[ 393.457738] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 06:d2:3a:84:9c:09
[ 393.881657] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 46:fd:91:cc:a9:5e
[ 394.096735] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 46:fd:91:cc:a9:5e
[ 456.452965] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to c2:cf:77:68:f2:f8
[ 456.498794] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address c2:cf:77:68:f2:f8
[ 456.911105] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 12:16:f6:16:28:f2
[ 457.143778] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 12:16:f6:16:28:f2
[ 519.441354] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to b2:23:e6:f5:ef:e0
[ 519.475777] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address b2:23:e6:f5:ef:e0
[ 519.899036] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 4a:3b:9a:a9:0b:bb
[ 520.116736] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 4a:3b:9a:a9:0b:bb
[ 582.464207] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to ae:16:d5:83:08:e0
[ 582.489822] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address ae:16:d5:83:08:e0
[ 582.918087] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to 66:6e:61:ab:c6:1d
[ 583.127823] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address 66:6e:61:ab:c6:1d
[ 645.443366] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to e6:e9:69:4a:91:d9
[ 645.472711] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address e6:e9:69:4a:91:d9
[ 645.884186] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s4f1u1 to de:98:b2:d0:65:5b
[ 646.108737] lnx wpa_supplicant[2422]: wlp0s4f1u1: Using random MAC address de:98:b2:d0:65:5b

# systemctl status wpa_supplicant.service | grep sbin
└─2422 /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -dd

# man 8 wpa_supplicant
...
COMMAND LINE OPTIONS
...
-u Enable DBus control interface. If enabled, interface definitions may be omitted. (This is only available if wpa_supplicant was built with the CONFIG_DBUS option.)

Is CONFIG_DBUS option necessary in
https://pkgs.fedoraproject.org/cgit/rpms/wpa_supplicant.git/tree/build-config
?

>>
>> == Hotspot ==
>>
>> # journalctl -o cat -b -u NetworkManager
>> ...
>> <debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
>> <debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode none addr EE:DD:CC:BB:AA:00 driver rt2800usb
>> <debug> [[...]] platform: signal: link changed: 3: wlp2s2f7u2 <UP,LOWER_UP;broadcast,multicast,up,running,lowerup> mtu 1500 arp 1 wifi? init addrgenmode eui64 addr EE:DD:CC:BB:AA:00 driver rt2800usb
>>
>> # tcpdump -i wlp2s2f7u2
>> ...
>> [...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
>> [...] EAPOL key (3) v2, len 95
>> [...] EAPOL key (3) v1, len 117
>> [...] EAPOL key (3) v2, len 199
>> [...] EAPOL key (3) v1, len 95
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
>> [...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
>> [...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
>> .
>> [...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
>> [...] EAPOL key (3) v2, len 95
>> [...] EAPOL key (3) v1, len 117
>> [...] EAPOL key (3) v2, len 199
>> [...] EAPOL key (3) v1, len 95
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
>> [...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
>> [...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
>> .
>> [...] 00:aa:bb:cc:dd:ee (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 6: 01 00
>> [...] EAPOL key (3) v2, len 95
>> [...] EAPOL key (3) v1, len 117
>> [...] EAPOL key (3) v2, len 199
>> [...] EAPOL key (3) v1, len 95
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:aa:bb:cc:dd:ee (oui Unknown), length 300
>> [...] IP localhost.localdomain.bootps > 10.42.0.17.bootpc: BOOTP/DHCP, Reply, length 300
>> [...] ARP, Request who-has 10.42.0.17 tell localhost.localdomain, length 28
>> [...] ARP, Reply 10.42.0.17 is-at 00:aa:bb:cc:dd:ee (oui Unknown), length 28
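
Added example, not part of the original message and not NetworkManager or wpa_supplicant code: a Python check over `wpa_supplicant -dd` journal lines like those above that confirms each scanning address is a locally administered unicast MAC, measures the rotation interval, and compares the addresses with those seen in an on-air capture such as the hotspot's tcpdump. The function names and report keys are hypothetical; the sample lines are copied from this message.

```python
import re

# Lines copied from the wpa_supplicant journal output in the message above.
SAMPLE_LOG = """\
[ 174.447387] lnx wpa_supplicant[2422]: wlp0s2f1u3: Own MAC address: 00:aa:bb:cc:dd:ee
[ 174.902680] lnx wpa_supplicant[2422]: nl80211: set_mac_addr for wlp0s2f1u3 to 5a:c2:ee:36:48:3f
[ 174.954705] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 5a:c2:ee:36:48:3f
[ 277.468792] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 4a:73:b1:79:04:f4
[ 393.457738] lnx wpa_supplicant[2422]: wlp0s2f1u3: Using random MAC address 06:d2:3a:84:9c:09
"""
# Source MAC that the hotspot's tcpdump shows in the message above.
SAMPLE_ON_AIR = {"00:aa:bb:cc:dd:ee"}

LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+\S+\s+wpa_supplicant\[\d+\]:\s+(?P<iface>\S+):\s+"
    r"(?P<kind>Own MAC address:|Using random MAC address)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE)

def is_local_unicast(mac):
    """True if the locally administered bit is set and the multicast bit is clear."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not first & 0x01

def audit(log_text, on_air_macs):
    """Summarise per-interface MAC rotation and compare it with MACs seen on air."""
    on_air = {m.lower() for m in on_air_macs}
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # entropy, D-Bus and "not yet expired" lines carry no new address
        entry = report.setdefault(m["iface"], {"permanent": None, "random": [], "times": []})
        mac = m["mac"].lower()
        if m["kind"].lower().startswith("own"):
            entry["permanent"] = mac
        else:
            entry["random"].append(mac)
            entry["times"].append(float(m["ts"]))
    for entry in report.values():
        t = entry.pop("times")
        entry["intervals"] = [round(b - a, 1) for a, b in zip(t, t[1:])]
        entry["malformed"] = [x for x in entry["random"] if not is_local_unicast(x)]
        entry["permanent_on_air"] = entry["permanent"] in on_air
        entry["random_on_air"] = [x for x in entry["random"] if x in on_air]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_ON_AIR))
```

For the sample lines it reports rotations 102.5 s and 116.0 s apart and `permanent_on_air` true: the scanning address changes, while the address the hotspot sees is the permanent one.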