
Re: [STDS-802-11] On the need for standard language on MAC randomization (and more)



--- This message came from the IEEE 802.11 Working Group Reflector ---

 

  Hello,

 

  I received several emails in support of this effort and one of them noted that since this issue deals with the behavior of STAs prior to association and while they are discovering network services, it should best be addressed in 11aq instead of waiting for 11md. I agree and am working on a submission to address it there. This will also allow us to address the urgent need identified by the US Naval Academy below in a timely manner as the timeline for 11md completion is several years out.

 

  regards,

 

  Dan.

 

On 3/14/17, 11:43 AM, "*** IEEE stds-802-11 List *** on behalf of Harkins, Daniel" <STDS-802-11@xxxxxxxx on behalf of daniel.harkins@xxxxxxx> wrote:

 


 

  Greetings,

 

  Exactly 3 years ago I presented 11-14/0367r2 in 11mc. That submission proposed some language in the 802.11 standard to define certain behavior when MAC address randomization is used. There were a number of comments but the big one was that it was not necessary. Over time, implementations have come on the market that randomize MAC addresses and the results are in: we really do need some language in the standard that says exactly what to do when privacy is desired, both how and when to randomize a MAC address and how to remove information from 802.11 frames that can be used to perform tracking even when a randomized MAC address is used.

 

  Researchers from the U.S. Naval Academy have performed a study [1] and conclude with:

 

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices.” concluded the experts. “A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,”

 

  Based on this sage advice, I plan on introducing a submission to 11md (when formed) to define a privatization policy to be used by STAs that wish to make it harder to track them. If you wish to contribute to this effort or if you have legitimate concerns on 802.11 privacy, please unicast me back.

 

  regards,

 

  Dan.

 

[1] http://securityaffairs.co/wordpress/57076/uncategorized/mac-address-randomization-flaws.html

 

 

_______________________________________________________________________________

If you wish to be removed from this reflector, do not send your request to this reflector - it will have no effect.

Instead, go to http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11 and then press the LEAVE button.

If there is no LEAVE button here, try http://listserv.ieee.org/cgi-bin/wa?SUBED1=STDS-802-11-RO.

Further information can be found at: http://www.ieee802.org/11/Email_Subscribe.html

_______________________________________________________________________________
