The industry is moving away from any hardware identifier being sent off device. 
I don’t think the physical MAC should ever be used as a device identifier, even 
for channel binding.

If a strong hardware-bound identifier is required, the organization should use 
the TPM/SE for private key generation during provisioning/onboarding.


From: Oleg Pekar <[email protected]>
Sent: Monday, June 28, 2021 11:19 AM
To: Alan DeKok <[email protected]>
Cc: EMU WG <[email protected]>
Subject: Re: [Emu] Question for draft-ietf-emu-tls-eap-types-03

Alan, agree on the MAC randomization problem. Is there any existing standard or 
proposal for the network deployments where the Network Access Control server 
needs to track the device with randomized MAC moving between intranet SSIDs?

About usage of the physical MAC address - maybe some client systems will not have 
access to the physical MAC, but only to a randomized MAC.

Regards,
Oleg

On Mon, Jun 28, 2021 at 4:21 PM Alan DeKok 
<[email protected]> wrote:
  One thing missing in the current document is how to address the modern issue 
of MAC address randomization.

  i.e. admins would like to ensure that only certain devices access the 
network.  But with MAC address randomization, it's difficult to have a static 
device identifier.  Even client certificates can be installed on multiple 
machines, if they're just sent to the user.

  Would it be worth adding a note that systems SHOULD implement RFC 6677 
channel bindings to address this issue?  And that the Calling-Station-Id inside 
of the channel bindings MUST be the actual physical MAC, and not the public / 
randomized MAC?

  I've seen this problem more and more in customer deployments.  It's becoming 
a serious security issue.

  Alan DeKok.
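As an added illustration of the problem Alan describes (not code from the thread or from any RADIUS/EAP implementation), this hypothetical policy helper takes the Calling-Station-Id a NAS reports and checks the IEEE 802 locally-administered bit, which OS MAC randomization sets, so the server can tell that the observed MAC is not a stable device identifier; it assumes, as in the proposal above, that a peer may also assert its physical MAC inside RFC 6677 channel bindings, and the sample values are constructed.

```python
import re
from typing import Optional, Tuple

# Constructed Calling-Station-Id values in the spellings different NASes use.
SAMPLE_CALLING_STATION_IDS = [
    "00-11-22-33-44-55",  # globally unique (OUI-assigned) address
    "DA:A1:19:11:22:33",  # locally administered: what MAC randomization produces
    "0011.2233.4455",     # same address as the first, dotted spelling
]


def normalize_mac(calling_station_id: str) -> str:
    """Strip the separators a NAS may use and return 12 lowercase hex digits.
    Raises ValueError if the value is not a MAC address at all."""
    digits = re.sub(r"[-:.]", "", calling_station_id.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits.lower()


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet (the U/L bit) is set.
    Randomized MACs set this bit, so they are not tied to one physical device."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def choose_device_identifier(
    nas_calling_station_id: str, channel_binding_mac: Optional[str] = None
) -> Tuple[Optional[str], str]:
    """Pick a MAC usable as a stable device identifier, or None with a reason.
    channel_binding_mac is the Calling-Station-Id the peer asserted in RFC 6677
    channel bindings (hypothetical input; assumed to carry the physical MAC)."""
    nas_mac = normalize_mac(nas_calling_station_id)
    if channel_binding_mac is not None:
        cb_mac = normalize_mac(channel_binding_mac)
        if is_locally_administered(cb_mac):
            return None, "peer-asserted MAC is itself locally administered"
        return cb_mac, "peer-asserted physical MAC from channel bindings"
    if is_locally_administered(nas_mac):
        return None, "NAS-observed MAC is randomized; not a stable identifier"
    return nas_mac, "NAS-observed MAC is globally unique"


if __name__ == "__main__":
    for csid in SAMPLE_CALLING_STATION_IDS:
        print(csid, "->", choose_device_identifier(csid))
```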

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
