Hi,

> So ... this year as we introduce "ephemeral MAC addresses" into 802.11.
> The IETF should be prepared to fix upper layers as they break :-)
> 
> The simplest change is for hourly or daily changes of a link local MAC
> address.

What a wonderful idea. IEEE 802.1X authenticates sessions by MAC
address. If you change it while you are in an authenticated session,
you'll be kicked off the net instantly.

> This breaks the long term tracking and any usage of MAC address for
> authentication.
> 
> Longer term, the ephemeral address could be bound to an authentication
> process.

That is what IEEE 802.1X does today. It binds the current session,
identified by MAC address, to a user identity, identified by an EAP
credential.
Its only requirement is that the MAC address remains unchanged during
the session. However ephemeral the MAC address may be, it should survive
a session, independent of the session duration.

> My favored key centric approach would be
> 
> mac_address = int.from_bytes(h(pk, nonce)[:6], "big") | 0x020000000000
> # 6 hash octets, with the locally administered (U/L) bit of the first octet set

In eduroam, we do see people changing their MAC address *between*
sessions, and that's known to work. I don't know or care about their
algorithms. Their motivation is to get around "fair use" capping which
some hotspots may have in place. Change MAC, change outer EAP identity,
and you'll appear as a "brand new" user. That is one of the reasons why
we introduced the use of Chargeable-User-Identity (CUI, RFC4372) for our
authentications. CUI can be implemented in a way which prevents tracking
(by hashing the CUI including the Operator-Name attribute, so that
different hotspots get different CUIs for the same user).

I think I can say with some confidence that RADIUS and EAP won't "break"
if MAC addresses change. The change should happen in a sane moment
though to avoid session disruption.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
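Stefan's points above as an added example (not code from the thread, from eduroam, or from any RADIUS implementation): a toy 802.1X authenticator that keys sessions by MAC, so a mid-session MAC change drops the station; a per-operator CUI keyed by an IdP secret and folded with Operator-Name, so a MAC change between sessions does not make a "brand new" user at the same hotspot while different hotspots cannot link the user; and the quoted key-centric MAC derivation with the U/L bit placed where 802 actually defines it. The IdP key, the SHA-256 choice and all identities are constructed assumptions.

```python
import hashlib
import hmac

# Constructed key held by the home identity provider; not a value from the thread.
IDP_CUI_KEY = b"constructed-home-idp-cui-key"


def cui(user_identity: str, operator_name: str, key: bytes = IDP_CUI_KEY) -> str:
    """Chargeable-User-Identity (RFC 4372) derived per hotspot operator.

    Keying the hash with an IdP secret and folding in the Operator-Name the
    hotspot sends gives one user a stable CUI at a given operator (so a new
    MAC or outer identity does not reset a fair-use cap) while different
    operators receive unlinkable values for the same user.
    """
    msg = user_identity.encode() + b"\x00" + operator_name.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def ephemeral_mac(pk: bytes, nonce: bytes) -> str:
    """Key-centric ephemeral MAC in the spirit of the quoted sketch.

    Takes 6 hash octets, sets the locally administered (U/L) bit and clears
    the individual/group bit, both in the first octet, so the result is a
    valid locally administered unicast address.
    """
    octets = bytearray(hashlib.sha256(pk + nonce).digest()[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


class Authenticator:
    """Toy 802.1X authenticator: authenticated sessions are keyed by MAC."""

    def __init__(self, operator_name: str):
        self.operator_name = operator_name
        self.sessions = {}  # station MAC -> CUI

    def authenticate(self, mac: str, user_identity: str) -> str:
        # One EAP authentication binds this MAC to the user's per-operator CUI.
        cui_value = cui(user_identity, self.operator_name)
        self.sessions[mac] = cui_value
        return cui_value

    def accepts_frame(self, mac: str) -> bool:
        # A frame from a MAC with no session is dropped: a station that
        # changes its MAC mid-session is effectively kicked off the network.
        return mac in self.sessions
```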
