Feature request: use random MAC addresses when scanning

Björn Smedman bs at anyfi.net
Fri Jun 13 16:51:35 EDT 2014


On Fri, Jun 13, 2014 at 9:30 AM, Johannes Berg
<johannes at sipsolutions.net> wrote:
> On Fri, 2014-06-13 at 02:53 +0200, Björn Smedman wrote:
>> Again taking mac80211
>> [8] as a reference there is an explicit check to avoid using probe
>> responses addressed to other devices:
>>
>>     /* ignore ProbeResp to foreign address */
>>     if ((!sdata1 || !ether_addr_equal(mgmt->da, sdata1->vif.addr)) &&
>>         (!sdata2 || !ether_addr_equal(mgmt->da, sdata2->vif.addr)))
>>             return;
>>
>> I think that code makes sense. Essentially that's what I'm (somewhat
>> clumsily) trying to say in A below: "just because some other device
>> got a certain Probe Response that doesn't mean I would necessarily get
>> the same". Also of course in the negative: "just because some other
>> device didn't get a response doesn't mean I wouldn't."
>>
>> (And the phrase "some other device" is of course logically
>> interchangeable with my own incognito alter ego / random MAC.)
>>
>> 8. http://lxr.free-electrons.com/source/net/mac80211/scan.c?v=3.15#L186
>
> I think this is debatable. The check makes a certain amount of sense,
> though I'd argue it's mostly for the case where there actually *are*
> different probe responses. That's unlikely to start with.

That depends on what you mean by unlikely... In addition to hidden and
SDN-based networks there's e.g. band steering [9]: a dual-band
AP/network makes note of the MAC addresses in 5 GHz Probe requests
(because they indicate that the device has a 5 GHz-capable radio) and
withholds Probe responses to the same MACs in the 2.4 GHz band. This is a
feature on just about every enterprise/carrier-grade AP (Cisco,
Ruckus, Aruba, Meru, Extricom, Aerohive, Xirrus, etc.). It's widely
deployed.

9. https://kb.meraki.com/knowledge_base/dual-band-operation-with-band-steering

>> The case I'm thinking about is when there is no connection when the
>> device wakes up, because no suitable network has been found with
>> incognito scan. As I see it there can be two reasons for that: 1)
>> there simply is no suitable network or 2) there is at least one
>> suitable network but it's not visible in incognito scan mode. Now the
>> latter (2) could be a hidden network, or an SDN-based network, or
>> possibly some other type of networks we haven't yet thought of here at
>> all. In this case I think it makes sense to do an active scan.
>
> That's a bit of an integration question I guess. I'd guess that it ends
> up that everyone who wants to do something like this will do the same
> Apple did ;-)

That makes sense. :)

Björn
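
The DA filter quoted from mac80211 and the band-steering behaviour Björn describes, put together in an added Python example (not code from the thread, from mac80211 or from any AP vendor); the AP model, the BSSIDs and the client MACs are constructed assumptions. It shows why a Probe Response seen by a random MAC need not be the one the real MAC would get, and how the foreign-address check drops responses addressed to an address the interface no longer uses:

```python
import struct

# 802.11 management header: Frame Control, Duration, Addr1 (DA), Addr2 (SA), Addr3 (BSSID), Seq Ctrl
MGMT_HDR = struct.Struct("<HH6s6s6sH")
FTYPE_MGMT, SUBTYPE_PROBE_RESP = 0, 5

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_probe_resp(da, bssid):
    """Constructed Probe Response header (no body): type=mgmt, subtype=5."""
    return MGMT_HDR.pack((FTYPE_MGMT << 2) | (SUBTYPE_PROBE_RESP << 4), 0, da, bssid, bssid, 0)

def accept_probe_resp(frame, vif_addrs):
    """The mac80211 check quoted above: drop a Probe Response whose DA matches
    none of our configured interface addresses (None = interface not present)."""
    if len(frame) < MGMT_HDR.size:
        return False
    fc, _, da, _, _, _ = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != FTYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_PROBE_RESP:
        return False
    return any(da == addr for addr in vif_addrs if addr is not None)

class BandSteeringAP:
    """Model of the band steering described in the mail (an assumption, not any
    vendor's code): remember MACs that probed on 5 GHz, withhold 2.4 GHz responses."""
    def __init__(self, bssid_2g, bssid_5g):
        self.bssid, self.seen_on_5g = {"2.4": bssid_2g, "5": bssid_5g}, set()

    def probe_request(self, band, sa):
        if band == "5":
            self.seen_on_5g.add(sa)
        elif sa in self.seen_on_5g:
            return None  # withheld: this client is known to be 5 GHz capable
        return build_probe_resp(sa, self.bssid[band])

def scan(ap, scan_mac, bands=("5", "2.4")):
    """Probe each band as scan_mac; return bands where a response arrived and passed the DA check."""
    return [b for b in bands
            if (r := ap.probe_request(b, scan_mac)) is not None and accept_probe_resp(r, [scan_mac])]

if __name__ == "__main__":
    ap = BandSteeringAP(mac("02:00:00:00:24:01"), mac("02:00:00:00:50:01"))  # constructed BSSIDs
    real, rnd = mac("02:11:22:33:44:55"), mac("06:de:ad:be:ef:01")        # constructed client MACs
    print(scan(ap, real))            # ['5']: 2.4 GHz response withheld once seen on 5 GHz
    print(scan(ap, real, ("2.4",)))  # []: still withheld for the real MAC
    print(scan(ap, rnd, ("2.4",)))   # ['2.4']: the random MAC has no 5 GHz history
    print(accept_probe_resp(build_probe_resp(rnd, ap.bssid["5"]), [real]))  # False: foreign DA
```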

