On Tue, 14 May 2019, WILSON Sam wrote:

> Except those nasty security people are now allowing systems to randomise their MAC addresses. I'm sure some people's Life Goal is to make life as difficult as possible for us network operators.

That's why one should always create solutions that do not depend on any kind of uniqueness.

15 years ago I checked the MAC addresses of our customers (ADSL customer base). I noticed that 5% of the customers were using the same MAC address. Tracked that down to D-Link shipping lots of routers via electronics stores, all with the same MAC address. Then I was happy I had designed the solution with a single broadcast domain (VLAN) per customer so this still worked. Other ISPs weren't so lucky, and this caused significant customer service costs.

If you want a robust access network, make sure it works even if the customers have customer-controlled identifiers that overlap, such as DUID, MAC addresses etc. Track people on physical ports (so you know where that port/cable goes) or on username/password (802.1x). Make sure the customers/users can't affect each other (protect the Internet from them).

--
Mikael Abrahamsson    email: swm...@swm.pp.se
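
Added example, not part of the original message: a Python sketch of the audit described above, which finds customer-controlled identifiers (MAC, DUID) that appear on more than one access port and keeps per-client state keyed on the port instead. The lease records, port names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (access port, client MAC, DHCPv6 DUID).
# The port is the operator-controlled identifier (per-customer VLAN or
# physical port); MAC and DUID are customer-controlled and may overlap.
LEASES = [
    ("sw1:ge-0/0/1", "00:11:22:33:44:55", "duid-a"),
    ("sw1:ge-0/0/2", "00:11:22:33:44:55", "duid-b"),  # same MAC, other port
    ("sw1:ge-0/0/3", "00-11-22-33-44-55", "duid-c"),  # same MAC, other notation
    ("sw2:ge-0/0/1", "02:aa:bb:cc:dd:01", "duid-d"),  # locally administered MAC
    ("sw2:ge-0/0/2", "00:de:ad:be:ef:02", "duid-d"),  # cloned DUID
    ("sw2:ge-0/0/2", "00:de:ad:be:ef:03", "duid-e"),  # second device, same port
]

def normalize_mac(mac):
    """Canonical lower-case colon form, so notation differences do not hide duplicates."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if the 0x02 bit of the first octet is set (used by randomised MACs)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def shared_identifiers(leases):
    """Return {(kind, value): sorted ports} for identifiers seen on more than one port."""
    seen = defaultdict(set)
    for port, mac, duid in leases:
        seen[("mac", normalize_mac(mac))].add(port)
        seen[("duid", duid)].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}

def clients_by_port(leases):
    """Key client state on the port, so overlapping MACs on other ports never collide."""
    table = defaultdict(set)
    for port, mac, _duid in leases:
        table[port].add(normalize_mac(mac))
    return {port: sorted(macs) for port, macs in table.items()}

if __name__ == "__main__":
    for (kind, value), ports in shared_identifiers(LEASES).items():
        print(f"{kind} {value} seen on {len(ports)} ports: {', '.join(ports)}")
    for port, macs in clients_by_port(LEASES).items():
        print(port, macs)
```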
