rfc9724v3.txt | rfc9724.txt | |||
---|---|---|---|---|
skipping to change at line 119 ¶ | skipping to change at line 119 ¶ | |||
There have been several initiatives within the IETF and the IEEE 802 | There have been several initiatives within the IETF and the IEEE 802 | |||
standards committees to address some of these privacy issues. This | standards committees to address some of these privacy issues. This | |||
document provides an overview of these activities to help coordinate | document provides an overview of these activities to help coordinate | |||
standardization activities within these bodies. | standardization activities within these bodies. | |||
2. Background | 2. Background | |||
2.1. MAC Address Usage | 2.1. MAC Address Usage | |||
Most mobile devices used today are WLAN enabled (i.e., they are | Most mobile devices used today are Wi-Fi enabled (i.e., they are | |||
equipped with an IEEE 802.11 wireless local area network interface). | equipped with an IEEE 802.11 wireless local area network interface). | |||
Like any other kind of network interface based on IEEE 802 such as | Like any other kind of network interface based on IEEE 802 such as | |||
Ethernet (i.e., IEEE 802.3), Wi-Fi interfaces have an L2 address | Ethernet (i.e., IEEE 802.3), Wi-Fi interfaces have an L2 address | |||
(also referred to as a MAC address) that can be seen by anybody who | (also referred to as a MAC address) that can be seen by anybody who | |||
can receive the radio signal transmitted by the network interface. | can receive the radio signal transmitted by the network interface. | |||
The format of these addresses (for 48-bit MAC addresses) is shown in | The format of these addresses (for 48-bit MAC addresses) is shown in | |||
Figure 1. | Figure 1. | |||
+--------+--------+---------+--------+--------+---------+ | +--------+--------+---------+--------+--------+---------+ | |||
| Organizationally Unique | Network Interface | | | Organizationally Unique | Network Interface | | |||
skipping to change at line 230 ¶ | skipping to change at line 230 ¶ | |||
developing new Internet protocol specifications (e.g., the | developing new Internet protocol specifications (e.g., the | |||
considerations described in [RFC6973]). The tutorial highlighted | considerations described in [RFC6973]). The tutorial highlighted | |||
some privacy concerns that apply specifically to link-layer | some privacy concerns that apply specifically to link-layer | |||
technologies and provided suggestions on how IEEE 802 could help | technologies and provided suggestions on how IEEE 802 could help | |||
address them. | address them. | |||
Following the discussions and interest within the IEEE 802 community, | Following the discussions and interest within the IEEE 802 community, | |||
on 18 July 2014, the IEEE 802 Executive Committee (EC) created the | on 18 July 2014, the IEEE 802 Executive Committee (EC) created the | |||
IEEE 802 EC Privacy Recommendation Study Group (SG) | IEEE 802 EC Privacy Recommendation Study Group (SG) | |||
[ieee_privacy_ecsg]. The work and discussions from the group have | [ieee_privacy_ecsg]. The work and discussions from the group have | |||
generated multiple outcomes, such as: 802E PAR (Project Authorization | generated multiple outcomes, such Project Authorization Requests | |||
Request, this is the means by which standards projects are started | (PARs) that resulted in the following documents: | |||
within the IEEE. PARs define the scope, purpose, and contact points | ||||
for a new project): Recommended Practice for Privacy Considerations | * "IEEE Recommended Practice for Privacy Considerations for IEEE | |||
for IEEE 802 Technologies [IEEE_802E], and the 802c PAR: Standard for | 802(R) Technologies" [IEEE_802E] | |||
Local and Metropolitan Area Networks - Overview and Architecture - | ||||
Amendment 2: Local Medium Access Control (MAC) Address Usage | * "IEEE Standard for Local and Metropolitan Area Networks: Overview | |||
[IEEE_802c]. | and Architecture - Amendment 2: Local Medium Access Control (MAC) | |||
Address Usage" [IEEE_802c] | ||||
In order to test the effects of MAC address randomization, | In order to test the effects of MAC address randomization, | |||
experiments were conducted at the IETF and IEEE 802 meetings between | experiments were conducted at the IETF and IEEE 802 meetings between | |||
November 2014 and March 2015 -- IETF 91, IETF 92, and the IEEE 802 | November 2014 and March 2015 -- IETF 91, IETF 92, and the IEEE 802 | |||
Plenary in Berlin. The purpose of the experiments was to evaluate | Plenary in Berlin. The purpose of the experiments was to evaluate | |||
the use of MAC address randomization from two different perspectives: | the use of MAC address randomization from two different perspectives: | |||
(1) the effect on the connectivity experience of the end user, as | (1) the effect on the connectivity experience of the end user, as | |||
well as any effect on applications and OSes, and (2) the potential | well as any effect on applications and OSes, and (2) the potential | |||
impact on the network infrastructure itself. Some of the findings | impact on the network infrastructure itself. Some of the findings | |||
were published in [CSCN2015]. | were published in [CSCN2015]. | |||
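Review bot: The new right-hand text "generated multiple outcomes, such Project Authorization Requests (PARs)" is missing "as" ("such as Project Authorization Requests (PARs)"). The rewrite also drops the original's explanation of what a PAR is ("the means by which standards projects are started within the IEEE. PARs define the scope, purpose, and contact points for a new project"); since the PAR acronym is reused later in this document (for example in [rcm_user_experience_par] and [rcm_privacy_par]), consider keeping a one-sentence definition before the bulleted list.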
skipping to change at line 280 ¶ | skipping to change at line 281 ¶ | |||
basis for a specified mechanism that randomizes MAC addresses, which | basis for a specified mechanism that randomizes MAC addresses, which | |||
was introduced in IEEE Std 802.11aq [IEEE_802.11aq] in 2018. | was introduced in IEEE Std 802.11aq [IEEE_802.11aq] in 2018. | |||
More recent developments include turning on MAC address randomization | More recent developments include turning on MAC address randomization | |||
in mobile OSes by default, which has an impact on the ability of | in mobile OSes by default, which has an impact on the ability of | |||
network operators to customize services [rcm_user_experience_csd]. | network operators to customize services [rcm_user_experience_csd]. | |||
Therefore, follow-on work in the IEEE 802.11 mapped effects of a | Therefore, follow-on work in the IEEE 802.11 mapped effects of a | |||
potentially large uptake of randomized MAC identifiers on a number of | potentially large uptake of randomized MAC identifiers on a number of | |||
commonly offered operator services in 2019 [rcm_tig_final_report]. | commonly offered operator services in 2019 [rcm_tig_final_report]. | |||
In the summer of 2020, this work emanated in two new standards | In the summer of 2020, this work emanated in two new standards | |||
projects with the purpose of developing mechanisms that do not | projects. The purpose of these projects was to develop mechanisms | |||
decrease user privacy but enable an optimal user experience when the | that do not decrease user privacy but enable an optimal user | |||
MAC address of a device in an Extended Service Set (a group of | experience when (1) the MAC address of a device in an Extended | |||
interconnected IEEE 802.11 wireless access points and stations that | Service Set (a group of interconnected IEEE 802.11 wireless access | |||
form a single logical network) is randomized or changes | points and stations that form a single logical network) is randomized | |||
[rcm_user_experience_par] and user privacy solutions applicable to | or changes [rcm_user_experience_par] and (2) user privacy solutions | |||
IEEE Std 802.11 [rcm_privacy_par]. | descibed in IEEE Std 802.11 [rcm_privacy_par] apply. | |||
IEEE Std 802 [IEEE_802], as of the amendment IEEE 802c-2017 | IEEE Std 802 [IEEE_802], as of the amendment IEEE 802c-2017 | |||
[IEEE_802c], specifies a local MAC address space structure known as | [IEEE_802c], specifies a local MAC address space structure known as | |||
the Structured Local Address Plan (SLAP) [RFC8948]. The SLAP | the Structured Local Address Plan (SLAP) [RFC8948]. The SLAP | |||
designates a range of Extended Local Identifiers for subassignment | designates a range of Extended Local Identifiers for subassignment | |||
within a block of addresses assigned by the IEEE Registration | within a block of addresses assigned by the IEEE Registration | |||
Authority via a Company ID. A range of local MAC addresses is | Authority via a Company ID. A range of local MAC addresses is | |||
designated for Standard Assigned Identifiers to be specified by IEEE | designated for Standard Assigned Identifiers to be specified by IEEE | |||
802 standards. Another range of local MAC addresses is designated | 802 standards. Another range of local MAC addresses is designated | |||
for Administratively Assigned Identifiers, which are subject to | for Administratively Assigned Identifiers, which are subject to | |||
assignment by a network administrator. | assignment by a network administrator. | |||
IEEE Std 802E-2020 ("IEEE Recommended Practice for Privacy | IEEE Std 802E-2020 ("IEEE Recommended Practice for Privacy | |||
Considerations for IEEE 802(R) Technologies") [IEEE_802E] recommends | Considerations for IEEE 802(R) Technologies") [IEEE_802E] recommends | |||
the use of temporary and transient identifiers if there are no | the use of temporary and transient identifiers if there are no | |||
compelling reasons for a newly introduced identifier to be permanent. | compelling reasons for a newly introduced identifier to be permanent. | |||
This recommendation is part of the basis for the review of user | This recommendation is part of the basis for the review of user | |||
privacy solutions for IEEE Std 802.11 devices (also known as Wi-Fi | privacy solutions for IEEE Std 802.11 devices (also known as Wi-Fi | |||
devices) as part of the RCM efforts [rcm_privacy_csd]. Annex T of | devices) as part of the RCM efforts [rcm_privacy_csd]. Annex I of | |||
IEEE Std 802.1AEdk-2023 ("MAC Privacy Protection") [IEEE_802.1AEdk] | IEEE Std 802.1AEdk-2023 ("MAC Privacy Protection") [IEEE_802.1AEdk] | |||
discusses privacy considerations in bridged networks. | discusses privacy considerations in bridged networks. | |||
As of 2024, two task groups in IEEE 802.11 are dealing with issues | As of 2024, two task groups in IEEE 802.11 are dealing with issues | |||
related to RCM addresses: | related to RCM addresses: | |||
* The IEEE 802.11bh task group, which is looking at mitigating the | * The IEEE 802.11bh task group, which is looking at mitigating the | |||
repercussions that RCM addresses create on 802.11 networks and | repercussions that RCM addresses create on 802.11 networks and | |||
related services. | related services. | |||
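Review bot: The restructured sentence in the new text changes the meaning of the two projects: "develop mechanisms ... that enable an optimal user experience when (1) the MAC address ... is randomized or changes [rcm_user_experience_par] and (2) user privacy solutions descibed in IEEE Std 802.11 [rcm_privacy_par] apply" now reads as if both (1) and (2) are conditions for the user-experience project, whereas the original described two separate projects, one on user experience under randomized MAC addresses and one on user privacy solutions for IEEE Std 802.11. Suggest "two new standards projects: (1) mechanisms that ... when the MAC address ... is randomized or changes [rcm_user_experience_par], and (2) user privacy solutions applicable to IEEE Std 802.11 [rcm_privacy_par]". Also "descibed" should be "described", and please confirm the "Annex T" to "Annex I" change against the published IEEE Std 802.1AEdk-2023.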
skipping to change at line 479 ¶ | skipping to change at line 480 ¶ | |||
This form of MAC address is generated each time a new network | This form of MAC address is generated each time a new network | |||
attachment is created. | attachment is created. | |||
This is typically used with Wi-Fi networks (i.e., 802.11 networks) | This is typically used with Wi-Fi networks (i.e., 802.11 networks) | |||
where the network is identified by an SSID Name. The generated | where the network is identified by an SSID Name. The generated | |||
address is stored in non-volatile storage, indexed by the SSID. Each | address is stored in non-volatile storage, indexed by the SSID. Each | |||
time the device returns to a network with the same SSID, the device | time the device returns to a network with the same SSID, the device | |||
uses the saved MAC address. | uses the saved MAC address. | |||
It is possible to use a PNGM address for wired Ethernet connections | It is possible to use a PNGM address for wired Ethernet connections | |||
through some passive observation of network traffic (such as the | through some passive observation of network traffic (such as spanning | |||
Spanning Tree Protocol (SPT) [IEEE_802.1D], the Link Layer Discovery | tree protocols [IEEE_802.1Q], the Link Layer Discovery Protocol | |||
Protocol (LLDP) [IEEE_802.1AB], DHCP, or Router Advertisements) to | (LLDP) [IEEE_802.1AB], DHCP, or Router Advertisements) to determine | |||
determine which network has been attached. | which network has been attached. | |||
6.5. Per-Period Generated MAC (PPGM) Address | 6.5. Per-Period Generated MAC (PPGM) Address | |||
This form of MAC address is generated periodically, typically around | This form of MAC address is generated periodically, typically around | |||
every twelve hours. Like PNGM addresses, it is used primarily with | every twelve hours. Like PNGM addresses, it is used primarily with | |||
Wi-Fi. | Wi-Fi. | |||
When the MAC address changes, the station disconnects from the | When the MAC address changes, the station disconnects from the | |||
current session and reconnects using the new MAC address. This will | current session and reconnects using the new MAC address. This will | |||
involve a new Wi-Fi Protected Access (WPA) or 802.1x session, as well | involve a new 802.1x session, as well as obtaining or refreshing a | |||
as obtaining (or refreshing) a new IP address (e.g., using DHCP or | new IP address (e.g., using DHCP or SLAAC). | |||
SLAAC). | ||||
If DHCP is used, then a new DHCP Unique Identifier (DUID) is | If DHCP is used, then a new DHCP Unique Identifier (DUID) is | |||
generated so as to not link to the previous connection; this usually | generated so as to not link to the previous connection; this usually | |||
results in the allocation of new IP addresses. | results in the allocation of new IP addresses. | |||
6.6. Per-Session Generated MAC (PSGM) Address | 6.6. Per-Session Generated MAC (PSGM) Address | |||
This form of MAC address is generated on a per-session basis. How a | This form of MAC address is generated on a per-session basis. How a | |||
session is defined is implementation-dependent, for example, a | session is defined is implementation-dependent, for example, a | |||
session might be defined by logging in to a portal, VPN, etc. Like | session might be defined by logging in to a portal, VPN, etc. Like | |||
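Review bot: Dropping "Wi-Fi Protected Access (WPA) or" from "a new Wi-Fi Protected Access (WPA) or 802.1x session" narrows the statement: on a WPA-PSK network there is no 802.1X session, yet a reconnect with a new MAC address still establishes a new security association, so the new wording no longer covers that case; suggest "a new 802.1X or WPA session" or "a new security association (e.g., 802.1X or WPA)". Style: IEEE writes the standard as "802.1X" (capital X), and the abbreviation correction is welcome since the original "(SPT)" for Spanning Tree Protocol was not the usual "STP"; the new wording "spanning tree protocols [IEEE_802.1Q]" avoids the issue and matches the reference swap later in the diff.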
skipping to change at line 702 ¶ | skipping to change at line 702 ¶ | |||
DOI 10.1109/IEEESTD.2016.7433915, March 2016, | DOI 10.1109/IEEESTD.2016.7433915, March 2016, | |||
<https://doi.org/10.1109/IEEESTD.2016.7433915>. | <https://doi.org/10.1109/IEEESTD.2016.7433915>. | |||
[IEEE_802.1AEdk] | [IEEE_802.1AEdk] | |||
IEEE, "IEEE Standard for Local and metropolitan area | IEEE, "IEEE Standard for Local and metropolitan area | |||
networks-Media Access Control (MAC) Security - Amendment | networks-Media Access Control (MAC) Security - Amendment | |||
4: MAC Privacy protection", IEEE Std 802.1AEdk-2023, | 4: MAC Privacy protection", IEEE Std 802.1AEdk-2023, | |||
DOI 10.1109/IEEESTD.2023.10225636, August 2023, | DOI 10.1109/IEEESTD.2023.10225636, August 2023, | |||
<https://doi.org/10.1109/IEEESTD.2023.10225636>. | <https://doi.org/10.1109/IEEESTD.2023.10225636>. | |||
[IEEE_802.1D] | [IEEE_802.1Q] | |||
IEEE, "IEEE Standard for Local and metropolitan area | IEEE, "IEEE Standard for Local and Metropolitan Area | |||
networks: Media Access Control (MAC) Bridges", IEEE Std | Networks--Bridges and Bridged Networks", IEEE Std 802.1Q- | |||
802.1D-2004, DOI 10.1109/IEEESTD.2004.94569, June 2004, | 2022, DOI 10.1109/IEEESTD.2022.10004498, December 2022, | |||
<https://doi.org/10.1109/IEEESTD.2004.94569>. | <https://doi.org/10.1109/IEEESTD.2022.10004498>. | |||
[IEEE_802c] | [IEEE_802c] | |||
IEEE, "IEEE Standard for Local and Metropolitan Area | IEEE, "IEEE Standard for Local and Metropolitan Area | |||
Networks:Overview and Architecture--Amendment 2: Local | Networks:Overview and Architecture--Amendment 2: Local | |||
Medium Access Control (MAC) Address Usage", IEEE Std 802c- | Medium Access Control (MAC) Address Usage", IEEE Std 802c- | |||
2017, DOI 10.1109/IEEESTD.2017.8016709, August 2017, | 2017, DOI 10.1109/IEEESTD.2017.8016709, August 2017, | |||
<https://doi.org/10.1109/IEEESTD.2017.8016709>. | <https://doi.org/10.1109/IEEESTD.2017.8016709>. | |||
[IEEE_802E] | [IEEE_802E] | |||
IEEE, "IEEE Recommended Practice for Privacy | IEEE, "IEEE Recommended Practice for Privacy | |||
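Review bot: Missing space after the colon in "Networks:Overview" in the unchanged [IEEE_802c] entry ("Networks: Overview and Architecture"), and the title capitalization is inconsistent across adjacent entries ("Local and metropolitan area networks" in [IEEE_802.1AEdk] versus "Local and Metropolitan Area Networks" in [IEEE_802.1Q] and [IEEE_802c]); pick one form. The replacement of [IEEE_802.1D] by [IEEE_802.1Q] is consistent with the body text change that now cites spanning tree protocols under [IEEE_802.1Q].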
skipping to change at line 773 ¶ | skipping to change at line 773 ¶ | |||
[private_mac] | [private_mac] | |||
Pantaleone, D., "Private MAC address on iOS 14", Wayback | Pantaleone, D., "Private MAC address on iOS 14", Wayback | |||
Machine archive, September 2020, | Machine archive, September 2020, | |||
<https://web.archive.org/web/20230905111429/ | <https://web.archive.org/web/20230905111429/ | |||
https://www.fing.com/news/private-mac-address-on-ios-14>. | https://www.fing.com/news/private-mac-address-on-ios-14>. | |||
[rcm_privacy_csd] | [rcm_privacy_csd] | |||
IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | |||
Changing MAC Addresses Study Group CSD on user experience | Changing MAC Addresses Study Group CSD on user experience | |||
mechanisms", doc.:IEEE 802.11-20/1346r1, 2020. | mechanisms", doc.:IEEE 802.11-20/1346r1, 2020. Download | |||
available at <https://mentor.ieee.org/802.11/ | ||||
dcn/20/11-20-1346-04-0rcm-csd-draft-for-privacy-amendment- | ||||
of-rcm- project.docx>. | ||||
[rcm_privacy_par] | [rcm_privacy_par] | |||
IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | |||
Changing MAC Addresses Study Group PAR on privacy | Changing MAC Addresses Study Group PAR on privacy | |||
mechanisms", doc.:IEEE 802.11-19/854r7, 2020. | mechanisms", doc.:IEEE 802.11-19/854r7, 2020. Download | |||
available at <https://mentor.ieee.org/802.11/ | ||||
dcn/20/11-20-0854-07-0rcm-par-proposal-for-privacy.docx>. | ||||
[rcm_tig_final_report] | [rcm_tig_final_report] | |||
IEEE 802.11 WG RCM TIG, "IEEE 802.11 Randomized And | IEEE 802.11 WG RCM TIG, "IEEE 802.11 Randomized And | |||
Changing MAC Addresses Topic Interest Group Report", | Changing MAC Addresses Topic Interest Group Report", | |||
doc.:IEEE 802.11-19/1442r9, 2019. | doc.:IEEE 802.11-19/1442r9, 2019. Download available at | |||
<https://mentor.ieee.org/802.11/ dcn/19/11-19-1442-09- | ||||
0rcm-rcm-tig-draft-report-outline.odt>. | ||||
[rcm_user_experience_csd] | [rcm_user_experience_csd] | |||
IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | |||
Changing MAC Addresses Study Group CSD on user experience | Changing MAC Addresses Study Group CSD on user experience | |||
mechanisms", doc.:IEEE 802.11-20/1117r3, 2020. | mechanisms", doc.:IEEE 802.11-20/1117r3, 2020. Download | |||
available at <https://mentor.ieee.org/802.11/ | ||||
dcn/20/11-20-1117-05-0rcm-rcm-sg-proposed-rcm-csd- | ||||
draft.docx>. | ||||
[rcm_user_experience_par] | [rcm_user_experience_par] | |||
IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | IEEE 802.11 WG RCM SG, "IEEE 802.11 Randomized And | |||
Changing MAC Addresses Study Group PAR on user experience | Changing MAC Addresses Study Group PAR on user experience | |||
mechanisms", doc.:IEEE 802.11-20/742r5, 2020. | mechanisms", doc.:IEEE 802.11-20/742r5, 2020. Download | |||
available at <https://mentor.ieee.org/802.11/ | ||||
dcn/20/11-20-0742-06-0rcm-proposed-par-draft.docx>. | ||||
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing | |||
Architecture", RFC 4291, DOI 10.17487/RFC4291, February | Architecture", RFC 4291, DOI 10.17487/RFC4291, February | |||
2006, <https://www.rfc-editor.org/info/rfc4291>. | 2006, <https://www.rfc-editor.org/info/rfc4291>. | |||
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | |||
Address Autoconfiguration", RFC 4862, | Address Autoconfiguration", RFC 4862, | |||
DOI 10.17487/RFC4862, September 2007, | DOI 10.17487/RFC4862, September 2007, | |||
<https://www.rfc-editor.org/info/rfc4862>. | <https://www.rfc-editor.org/info/rfc4862>. | |||
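Review bot: The revision numbers in the added download URLs do not match the document numbers cited beside them: [rcm_privacy_csd] cites 11-20/1346r1 but links to 11-20-1346-04, [rcm_privacy_par] cites 11-19/854r7 but links to dcn/20/11-20-0854-07, [rcm_user_experience_csd] cites 11-20/1117r3 but links to 11-20-1117-05, and [rcm_user_experience_par] cites 11-20/742r5 but links to 11-20-0742-06; either update the cited revision or link the matching revision. Two URLs also contain embedded spaces that will break the link if they are not just line wrapping ("of-rcm- project.docx" and "802.11/ dcn/19/11-19-1442-09-"). Separately, [rcm_privacy_csd] and [rcm_user_experience_csd] carry the identical title "CSD on user experience mechanisms", while the privacy CSD's own URL says "csd-draft-for-privacy-amendment"; the [rcm_privacy_csd] title presumably should read "CSD on privacy mechanisms".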
skipping to change at line 847 ¶ | skipping to change at line 859 ¶ | |||
"Temporary Address Extensions for Stateless Address | "Temporary Address Extensions for Stateless Address | |||
Autoconfiguration in IPv6", RFC 8981, | Autoconfiguration in IPv6", RFC 8981, | |||
DOI 10.17487/RFC8981, February 2021, | DOI 10.17487/RFC8981, February 2021, | |||
<https://www.rfc-editor.org/info/rfc8981>. | <https://www.rfc-editor.org/info/rfc8981>. | |||
[strint] W3C/IAB, "STRINT Workshop: A W3C/IAB workshop on | [strint] W3C/IAB, "STRINT Workshop: A W3C/IAB workshop on | |||
Strengthening the Internet Against Pervasive Monitoring | Strengthening the Internet Against Pervasive Monitoring | |||
(STRINT)", <https://www.w3.org/2014/strint/>. | (STRINT)", <https://www.w3.org/2014/strint/>. | |||
[wba_paper] | [wba_paper] | |||
Wireless Broadband Alliance, "Wi-Fi Identification Scope | Wireless Broadband Alliance, "Wi-Fi Device Identification | |||
for Liasing - In a post MAC Randomization Era", doc.:WBA | – A Way Through MAC Randomization", WBA White Paper, July | |||
Wi-Fi ID Intro: Post MAC Randomization Era v1.0 - IETF | 2022, <https://wballiance.com/resource/wi-fi-device- | |||
liaison, March 2020. | identification-a-way-through-mac-randomization/>. | |||
[when_mac_randomization_fails] | [when_mac_randomization_fails] | |||
Martin, J., Mayberry, T., Donahue, C., Foppe, L., Brown, | Martin, J., Mayberry, T., Donahue, C., Foppe, L., Brown, | |||
L., Riggins, C., Rye, E., and D. Brown, "A Study of MAC | L., Riggins, C., Rye, E., and D. Brown, "A Study of MAC | |||
Address Randomization in Mobile Devices and When it | Address Randomization in Mobile Devices and When it | |||
Fails", arXiv:1703.02874v2, DOI 10.48550/arXiv.1703.02874, | Fails", arXiv:1703.02874v2, DOI 10.48550/arXiv.1703.02874, | |||
March 2017, <https://doi.org/10.48550/arXiv.1703.02874>. | March 2017, <https://doi.org/10.48550/arXiv.1703.02874>. | |||
[wifi_tracking] | [wifi_tracking] | |||
Vincent, J., "London's bins are tracking your smartphone", | Vincent, J., "London's bins are tracking your smartphone", | |||
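Review bot: The [wba_paper] entry now points to a different document (the July 2022 WBA white paper "Wi-Fi Device Identification – A Way Through MAC Randomization") rather than the March 2020 IETF liaison document "Wi-Fi Identification Scope for Liasing"; please confirm that the body text citing [wba_paper] still matches what the 2022 paper states. Minor style: the new title uses an en dash ("–") while the rest of the reference list uses ASCII hyphens ("-" and "--"), which may matter for the plain-text rendering.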
End of changes. 13 change blocks. | ||||
38 lines changed or deleted | 50 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |