MAC randomisation and DHCP pools

glenn.satchell at uniq.com.au
Sun Jul 26 08:50:54 UTC 2020


Hi Rudy,

That's good to know, but bypasses all the security offered by random MAC 
addresses, since a site can track using the DHCP ID :)

regards,
-glenn

On 2020-07-26 18:26, Rudy Zijlstra wrote:
> Hi Glenn,
> 
> The DHCP Id should be stable, at least according to the DHCP RFC. I
> need to start playing around a bit...
> 
> I do understand the privacy concerns here, and why this is being 
> implemented.
> 
> Cheers
> 
> Rudy
> 
> On 26-07-2020 05:02, glenn.satchell at uniq.com.au wrote:
>> Hi Mike,
>> 
>> I think in the short term setting the lease time to 24 hours would 
>> free up old leases after the MAC address changes, meaning the old 
>> client effectively goes away. Public places like shopping malls, 
>> should already have shorter leases due to the massive churn in 
>> clients, so it's not going to bother them much.
>> 
>> But that doesn't address any of the issues with identifying individual 
>> devices, eg to put into different classes. For that I think it will 
>> need an education scheme with your users to turn off the feature on 
>> networks where identifying the client matters, eg corporate or home 
>> networks.
>> 
>> I think this will evolve to having some other persistent identifier 
>> for systems to use.
>> 
>> regards,
>> -glenn
>> 
>> On 2020-07-25 11:46, Joshua Stark wrote:
>>> The user can decide to turn the feature off on the Apple device per
>>> WiFi network:
>>> 
>>> Rarely, a network might allow you to join with a private address, but
>>> won't allow Internet access. If that happens, you can choose to stop
>>> using private addresses [1] with that network
>>> (https://support.apple.com/en-us/HT211227)
>>> 
>>> I agree, this will make things different, harder initially. One
>>> example that comes to mind is white/black lists on WiFi networks, that
>>> will go out the window.
>>> And the other of being able to set a static IPv4 will be next to
>>> impossible.
>>> 
>>> But was that not the point of IPv6 - totally random?
>>> 
>>> In my mind this means we need an evolution of how we do things, like
>>> how AWS/GCP have taken the classic firewall of IP/Port to a Service
>>> Layer Firewall.
>>> There is going to need to be another way to identify a device to allow
>>> automatic re-authentication, like public WiFi where you purchase
>>> access for greater than 24hrs.
>>> 
>>> How we do that, I don't know, but it's time to start thinking about
>>> how to implement the next evolution in technology!
>>> 
>>> Thanks
>>> Josh
>>> 
>>> On 24/7/20 20:59, Mike Richardson wrote:
>>> 
>>>>> Hi Mike,
>>>>> 
>>>>> This is not something new, it has been around since iOS 8 in 2014. I
>>>>> think this page summarises how it works and has links to Apple's site
>>>>> with more details.
>>>>> 
>>>>> https://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/
>>>>> 
>>>>> It appears that it randomises the MAC address when the device is
>>>>> passively scanning for networks and other particular settings are
>>>>> enabled or disabled, so systems can't use the MAC address to
>>>>> persistently track wherever you go. However, it seems that any
>>>>> associations/joining of networks is based on the actual MAC address.
>>>>> 
>>>>> Or am I talking about something else entirely different?
>>>> 
>>>> Something new I believe:
>>>> 
>>>> https://wifinowglobal.com/news-and-blog/new-private-wi-fi-address-iphone-feature-could-severely-impact-the-wi-fi-industry-expert-says/?mc_cid=9ff8988c11&mc_eid=000d85d9e3
>>>> https://support.apple.com/en-us/HT211227
>>>> 
>>>> Apple, in iOS 14, are going to implement the changing of MACs every 24
>>>> hours as the default, and different ones for each SSID, I believe.
>>>> 
>>>> I'm just trying to evaluate the impact on things like DHCP, but I'm not
>>>> sure about exactly what happens when pools are, sort of, exhausted.
>>>> 
>>>> Thanks,
>>>> 
>>>> Mike
>>> 
>>> 
>>> 
>>> Links:
>>> ------
>>> [1] https://support.apple.com/en-us/HT211227#onoff
>>> _______________________________________________
>>> ISC funds the development of this software with paid support
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>> information.
>>> 
>>> dhcp-users mailing list
>>> dhcp-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/dhcp-users
> 
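An added example, not part of the original thread and not ISC's code: a small audit over a `dhcpd.leases` file showing the two effects discussed above, namely active leases held by randomised MACs and a stable client identifier (`uid`) tying several randomised MACs to one device. The lease data is constructed, and treating the locally administered bit as "randomised" is a heuristic assumption.

```python
import re
from collections import defaultdict
# Constructed sample in ISC dhcpd.leases syntax; every value is made up.
SAMPLE = r'''
lease 192.0.2.10 {
  binding state active;
  hardware ethernet 3a:5f:10:22:9c:01;
  uid "\001phone-a";
}
lease 192.0.2.11 {
  binding state active;
  hardware ethernet d6:01:7e:44:12:ab;
  uid "\001phone-a";
}
lease 192.0.2.12 {
  binding state active;
  hardware ethernet 00:1b:21:aa:bb:cc;
  uid "\001desktop";
}
lease 192.0.2.13 {
  binding state free;
  hardware ethernet 7e:99:00:11:22:33;
}
'''

def parse_leases(text):
    """One dict per lease block; uid is None when the client sent no identifier."""
    def field(body, pattern):
        m = re.search(pattern, body, re.M)
        return m.group(1) if m else None
    return [{"ip": ip,
             "state": field(body, r'^\s*binding state (\w+);'),
             "mac": field(body, r'hardware ethernet ([0-9a-f:]+);'),
             "uid": field(body, r'^\s*uid (.+);')}
            for ip, body in re.findall(r'lease\s+(\S+)\s*\{(.*?)\n\}', text, re.S)]

def is_randomised(mac):
    # Heuristic: private addresses set the locally administered bit (0x02).
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(leases):
    """Active leases on randomised MACs, and uids that appear under several MACs."""
    active = [l for l in leases if l["state"] == "active" and l["mac"]]
    random_ips = [l["ip"] for l in active if is_randomised(l["mac"])]
    macs_by_uid = defaultdict(set)
    for l in active:
        macs_by_uid[l["uid"]].add(l["mac"])
    linked = {u: sorted(m) for u, m in macs_by_uid.items() if u and len(m) > 1}
    return random_ips, linked
```

Run against a real leases file, the first result approximates how much of a pool is held by private-address clients, and the second lists the identifiers that survive a MAC change.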

