Re: Software to test MAC address privacy

2014-08-04 Thread Glen Turner
Robert Moskowitz wrote:
> There is talk about partitioning the use of the LAS.  I am against that as it
> increases the collision probability.  Perhaps by usage domain.
> 
> In any case we will have to work out probe/discovery methods to discover 
> collisions for readdressing.

Hi Robert,

I would strongly encourage you not to use the entirety of the LAS. The IEEE has 
already divided usage of the LAS by the most significant byte, last I checked 
values 00:… through to 05:… had been used in various IEEE documents. Simply 
allocate the next free most significant byte for the purposes of showing the 
LAS is intended to be a random LAS. You would be doing a service if you also 
allocated LAS MSBs for VMs and SDNs.

Discovery protocols have been historically problematic. I would encourage you 
to read carefully the extensive security analysis of IPv4 ARP, IPv6 ND and DAD.

1) Discovery protocols assume that you can trust your neighbours. You cannot 
trust your neighbours. For example, a neighbour can claim to hold all of the 
MAC address space apart from a small amount which it can later readily search. 
Or a neighbour may deny service by claiming every probed address.

2) You can write discovery protocols which do not have these issues, but they 
are very expensive to run and may defeat your privacy goal (eg, require all 
interfaces on an ethernet to provide their MAC address upon occasional request,
then the booting host can choose a MAC address not on that list).

3) You can of course somewhat protect against misuse of discovery protocols by 
using features of ethernet switches, wireless access points, etc. But no other 
working group has specified the required security features of a switch port, so 
this is a substantial undertaking. The result is not applicable to all 802.3 
systems.

4) A discovery protocol is also another protocol which has to succeed prior to 
establishing contact with a partner interface. The farce of ethernet auto 
negotiation shows that these protocols have high demands for robustness which 
are difficult to meet.

If you wish to use the entire LAS then the greatest problem of a discovery 
protocol running across  is that it does not solve the problem of duplicate 
addressing. A LAS-using protocol may be required to use a *particular* MAC 
address (eg- DECnet or some SDN algorithms) and if that machine is offline when 
discovery is run then that machine cannot join the network afterwards.

In short, constrain the random LASs to using a particular most significant byte 
to prevent collisions with other users of the LAS.

As for the search space argument, you are arguing that a search space of 2^46 
is large enough but a space of 2^40 is not.

Note that the use of the LAS is not mostly historical. Software-defined 
networks in data centres use LAS to contain hierarchical forwarding 
information. Again, all the more reason to use the most significant byte of the 
LAS to indicate the allocation intent of the LAS.

If you are doing this work because of the presence of EUI-64 addresses in IPv6 
addressing then the IETF is altering the IPv6 SLAAC specification to require 
randomisation of Interface IDs (typically the lower /64 of the IPv6 address). 
The Interface ID is randomised on the first-ever boot of the system and then
that Interface ID is retained for the lifetime of the machine (or until sysadmin
action). See http://www.rfc-editor.org/rfc/rfc7217.txt

Best wishes with your project,
glen

PS: probably best to move any further discussion off-list.

-- 
 Glen Turner 
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
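
The search-space argument in the message above (2^46 for the whole LAS versus 2^40 once one leading byte is reserved), worked through as an added example that is not part of the original thread. The first-octet value `0x0A` and the network sizes are assumptions chosen for illustration, not IEEE allocations or figures from the discussion.

```python
import math
import secrets

LOCAL_BIT = 0x02      # U/L bit of the first octet: 1 = locally administered
MULTICAST_BIT = 0x01  # I/G bit of the first octet: 0 = unicast

def random_las_mac(first_octet=None):
    """Random locally administered unicast MAC.

    first_octet=None: draw from the whole LAS (46 random bits).
    first_octet=int:  keep one reserved leading byte (40 random bits).
    """
    if first_octet is None:
        octets = bytearray(secrets.token_bytes(6))
        octets[0] = (octets[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    else:
        if not 0 <= first_octet <= 0xFF:
            raise ValueError("first octet must fit in one byte")
        if not first_octet & LOCAL_BIT or first_octet & MULTICAST_BIT:
            raise ValueError("first octet must be local-scope unicast")
        octets = bytearray([first_octet]) + secrets.token_bytes(5)
    return ":".join(f"{o:02x}" for o in octets)

def collision_probability(n_devices, random_bits):
    """Birthday approximation: P(at least one duplicate among n draws)."""
    pairs = n_devices * (n_devices - 1) / 2
    return -math.expm1(-pairs / 2 ** random_bits)

# Assumption for illustration only, not an IEEE allocation.
HYPOTHETICAL_RANDOM_OCTET = 0x0A

if __name__ == "__main__":
    print(random_las_mac(), random_las_mac(HYPOTHETICAL_RANDOM_OCTET))
    for n in (100, 10_000, 1_000_000):  # constructed network sizes
        print(n, collision_probability(n, 46), collision_probability(n, 40))
```

Reserving the leading byte multiplies the collision probability by about 64 (2^6) at any realistic network size, which is the trade-off the two posters are weighing.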


Re: Software to test MAC address privacy

2014-08-04 Thread Robert Moskowitz

On 08/03/2014 04:58 AM, Glen Turner wrote:
> On 19/07/2014 Robert Moskowitz wrote:
> > Actually the standard uses the first 2 bits for this. It is called local scope
> > MAC addresses. This leaves 46 bits for the random content. Thus if you have a
> > network of 1 devices the probability of a collision is 7x10^-7
>
> Hello Robert,
>
> Not all locally-assigned addresses are available for use as random MAC
> addresses. Last I looked there are historical uses of LAS for DECnet and other
> protocols from 00:… through to 05:…. It would be useful if the IEEE recommended
> a range of LAS for host use (ie, virtual machine MAC addresses) and specified a
> range for your random MAC address proposal. Such a range should leave
> sufficient LAS for other potential future applications.

This is actually in progress.  We are forming a study group in IEEE 802
(first session will be at the November San Antonio meeting) to fully
document this and come out with a recommended practice.  One of the
other drivers is the cloud computing world.  There is talk about
partitioning the use of the LAS.  I am against that as it increases the
collision probability.  Perhaps by usage domain.

In any case we will have to work out probe/discovery methods to discover
collisions for readdressing.

thanks for your input.  I will see it gets included in the discussion.




Re: Software to test MAC address privacy

2014-08-03 Thread Glen Turner

On 19/07/2014 Robert Moskowitz wrote:
> Actually the standard uses the first 2 bits for this. It is called local 
> scope MAC addresses. This leaves 46 bits for the random content. Thus if you 
> have a network of 1 devices the probability of a collision is 7x10^-7

Hello Robert,

Not all locally-assigned addresses are available for use as random MAC 
addresses. Last I looked there are historical uses of LAS for DECnet and other
protocols from 00:… through to 05:…. It would be useful if the IEEE recommended 
a range of LAS for host use (ie, virtual machine MAC addresses) and specified a 
range for your random MAC address proposal. Such a range should leave 
sufficient LAS for other potential future applications.

Regards, glen


Re: Software to test MAC address privacy

2014-07-18 Thread Robert Moskowitz

On 07/18/2014 11:02 AM, Stuart Gathman wrote:
> On 07/17/2014 09:05 PM, Robert Moskowitz wrote:
> > draft-ietf-6man-ipv6-address-generation-privacy-01.txt
> >
> > privacy for both global and local scope IPv6 addresses.
> >
> > So how do I get interest in this effort and get some revised test app
> > for me (and other Linux users) to participate?
>
> To guarantee compatibility, the first few bits should mark the MAC as
> a "private" one, and not conflict with any vendor id or pseudo vendor
> (like statically generated MACs for virtual machine virtual network
> interfaces).

Actually the standard uses the first 2 bits for this. It is called local
scope MAC addresses. This leaves 46 bits for the random content. Thus if
you have a network of 1 devices the probability of a collision is 7x10^-7

And some SOC ARM cards do not have an eeprom so the software install has
to create a MAC address. My Cubieboard is one such.





Re: Software to test MAC address privacy

2014-07-18 Thread Stuart Gathman

On 07/17/2014 09:05 PM, Robert Moskowitz wrote:
> draft-ietf-6man-ipv6-address-generation-privacy-01.txt
>
> privacy for both global and local scope IPv6 addresses.
>
> So how do I get interest in this effort and get some revised test app
> for me (and other Linux users) to participate?

To guarantee compatibility, the first few bits should mark the MAC as a
"private" one, and not conflict with any vendor id or pseudo vendor
(like statically generated MACs for virtual machine virtual network
interfaces).



Re: Software to test MAC address privacy

2014-07-18 Thread Tom Gundersen
Hi Robert,

On Fri, Jul 18, 2014 at 3:06 AM, Robert Moskowitz wrote:
> Greetings from IEEE 802 plenary in San Diego.  We are winding down, but
> Monday night we had a talk on Pervasive Surveillance:
>
> https://mentor.ieee.org/802-ec/dcn/14/ec-14-0043-00-00EC-internet-privacy-tutorial.pdf
>
> I discussed this with the 802 chair and presentation moderator, and we are
> looking to see if we can actually test the consequences of using random
> local MAC addresses.  The idea is to have an opt-in SSID at future 802
> meetings, and perhaps at the IETF as well (same network support company)
> where only random local MAC addresses are allowed and then to see what
> problems occur (DHCP, ARP tables, bridging tables, etc.).
>
> So we (those of us that want to figure this out to see if it is worth doing)
> are looking to the OS providers to help.  I have been tasked with reaching
> to the Linux community as I run Fedora.
>
> The thought is the MAC address is temporarily overwritten with a local MAC
> random address.  This address should be changed with some periodicity.

Recent versions of udev have the possibility of optionally setting a random
mac address on every boot (or device hotplug) [0]. However, it will
not change the mac address at runtime (which appears to be what you
want).

> We have not worked out this part yet.

As I have advocated in the past, I think it may make sense to set a
random MAC address per SSID, so that you won't change the MAC address
whilst connected, but at the same time you can not be tracked across
SSIDs (there are still some issues to solve with that though). One
should obviously also do as OSX does and use random MAC addresses when
scanning.

Sounds like a nice initiative. Best of luck!

Cheers,

Tom

[0]: 
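
One way to realise the per-SSID idea from the message above, as an added example that is not part of the original thread or of any project it mentions. It assumes a per-device secret kept on the host and uses HMAC-SHA256 as the derivation; both choices, and all names, are hypothetical.

```python
import hashlib
import hmac
import secrets

def _as_local_unicast(raw6: bytes) -> str:
    """Force the U/L bit on and the I/G bit off, then format as a MAC."""
    octets = bytearray(raw6)
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)

def per_ssid_mac(host_secret: bytes, ssid: str) -> str:
    """Stable MAC for one SSID: same network, same address every time.

    Different SSIDs (or different hosts) give unrelated addresses, so the
    device cannot be linked across networks by its MAC.
    """
    if len(host_secret) < 16:
        raise ValueError("host secret too short to resist guessing")
    digest = hmac.new(host_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    return _as_local_unicast(digest[:6])

def scan_mac() -> str:
    """Fresh random MAC for each scan, before any SSID is selected."""
    return _as_local_unicast(secrets.token_bytes(6))

if __name__ == "__main__":
    secret = secrets.token_bytes(32)      # would be generated once and stored
    for ssid in ("ieee802-optin", "ietf-optin", "ieee802-optin"):  # constructed SSIDs
        print(ssid, per_ssid_mac(secret, ssid))
    print("scan", scan_mac())
```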



Software to test MAC address privacy

2014-07-17 Thread Robert Moskowitz
Greetings from IEEE 802 plenary in San Diego.  We are winding down, but
Monday night we had a talk on Pervasive Surveillance:


https://mentor.ieee.org/802-ec/dcn/14/ec-14-0043-00-00EC-internet-privacy-tutorial.pdf

I discussed this with the 802 chair and presentation moderator, and we 
are looking to see if we can actually test the consequences of using 
random local MAC addresses.  The idea is to have an opt-in SSID at 
future 802 meetings, and perhaps at the IETF as well (same network 
support company) where only random local MAC addresses are allowed and 
then to see what problems occur (DHCP, ARP tables, bridging tables, etc.).


So we (those of us that want to figure this out to see if it is worth 
doing) are looking to the OS providers to help.  I have been tasked with 
reaching to the Linux community as I run Fedora.


The thought is the MAC address is temporarily overwritten with a local 
MAC random address.  This address should be changed with some 
periodicity.  We have not worked out this part yet.  Also per Internet 
Draft:


draft-ietf-6man-ipv6-address-generation-privacy-01.txt

privacy for both global and local scope IPv6 addresses.

So how do I get interest in this effort and get some revised test app 
for me (and other Linux users) to participate?


thank you

