Feature request: use random MAC addresses when scanning

Mathy vanhoefm at gmail.com
Sat Jun 14 19:33:28 EDT 2014


On Fri, Jun 13, 2014 at 10:51 PM, Björn Smedman <bs at anyfi.net> wrote:
> On Fri, Jun 13, 2014 at 9:30 AM, Johannes Berg
> <johannes at sipsolutions.net> wrote:
>> On Fri, 2014-06-13 at 02:53 +0200, Björn Smedman wrote:
>>> Again taking mac80211
>>> [8] as a reference there is an explicit check to avoid using probe
>>> responses addressed to other devices:
>>>
>>>     /* ignore ProbeResp to foreign address */
>>>     if ((!sdata1 || !ether_addr_equal(mgmt->da, sdata1->vif.addr)) &&
>>>         (!sdata2 || !ether_addr_equal(mgmt->da, sdata2->vif.addr)))
>>>             return;
>>>
>>> I think that code makes sense. Essentially that's what I'm (somewhat
>>> clumsily) trying to say in A below: "just because some other device
>>> got a certain Probe Response that doesn't mean I would necessarily get
>>> the same". Also of course in the negative: "just because some other
>>> device didn't get a response doesn't mean I wouldn't."
>>>
>>> (And the phrase "some other device" is of course logically
>>> interchangeable with my own incognito alter ego / random MAC.)
>>>
>>> 8. http://lxr.free-electrons.com/source/net/mac80211/scan.c?v=3.15#L186
>>
>> I think this is debatable. The check makes a certain amount of sense,
>> though I'd argue it's mostly for the case where there actually *are*
>> different probe responses. That's unlikely to start with.
>
> That depends on what you mean by unlikely... In addition to hidden and
> SDN-based networks there's e.g. band steering [9]: a dual-band
> AP/network makes note of the MAC addresses in 5 GHz Probe requests
> (because they indicate that the device has a 5 GHz-capable radio) and
> withholds Probe responses to the same MACs in the 2.4 GHz band. This is a
> feature on just about every enterprise/carrier-grade AP (Cisco,
> Ruckus, Aruba, Meru, Extricom, Aerohive, Xirrus, etc). It's widely
> deployed.
>
> 9. https://kb.meraki.com/knowledge_base/dual-band-operation-with-band-steering
>

Isn't this problem avoided by using the *same* random MAC address in
both bands? So in one single "individual" scan (over all channels
and/or bands) all probe requests get the same random MAC address. In
the next scan a new random MAC address is generated, which is again
used in all channels/bands. This way we're using random MAC addresses,
yet band steering still works.
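The interaction discussed in this thread, as an added Python model that is not part of the thread or of the hostap code: a band-steering AP of the kind Björn describes (remembers MACs seen probing on 5 GHz, withholds its 2.4 GHz response to them) still steers a client that rotates its MAC once per scan, but answers on both bands when the MAC changes per probe; the response filter mirrors the mac80211 foreign-address check quoted above. The AP model, the band names and the 5 GHz-first probe order are assumptions of this example.

```python
import os

def random_scan_mac() -> bytes:
    """Fresh random MAC for one scan: locally administered (bit 0x02 set),
    unicast (bit 0x01 clear) in the first octet, remaining bits random."""
    mac = bytearray(os.urandom(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return bytes(mac)

def is_local_unicast(mac: bytes) -> bool:
    return len(mac) == 6 and (mac[0] & 0x03) == 0x02

class BandSteeringAP:
    """Constructed model of the band-steering AP described in the thread:
    remember source MACs seen probing on 5 GHz and withhold the 2.4 GHz
    Probe Response to those MACs. Real APs add timeouts and RSSI thresholds;
    only the behaviour the discussion relies on is kept here."""
    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.seen_on_5ghz = set()

    def probe_request(self, sa: bytes, band: str):
        """Return a Probe Response as (bssid, da, band), or None if withheld."""
        if band == "5GHz":
            self.seen_on_5ghz.add(sa)
        elif sa in self.seen_on_5ghz:
            return None  # steer this client to 5 GHz: no 2.4 GHz answer
        return (self.bssid, sa, band)

def scan(ap: BandSteeringAP, per_probe_mac: bool = False):
    """One scan over both bands (5 GHz probed first; an assumption here).
    per_probe_mac=False: one random MAC for the whole scan (the proposal above).
    per_probe_mac=True:  a new random MAC for every Probe Request.
    Returns (macs_used, bands_that_answered)."""
    mac = random_scan_mac()
    used, answered = [], []
    for band in ("5GHz", "2.4GHz"):
        if per_probe_mac and used:
            mac = random_scan_mac()
        used.append(mac)
        resp = ap.probe_request(mac, band)
        if resp is None:
            continue
        _bssid, da, rband = resp
        if da != mac:
            continue  # mirrors mac80211: ignore ProbeResp to foreign address
        answered.append(rband)
    return used, answered
```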


More information about the HostAP mailing list