If you can’t trust a MAC address, what can you trust? – Cisco Blogs


Whether you read papers published by Xerox PARC in the 1970’s, or the latest Wikipedia entry on MAC address, you’ll certainly be familiar with the description of a MAC address being a globally unique identifier of a Network Interface Card (NIC). In layman’s terms, a MAC address can safely be used to identify a device on a network.

Or can it?

Over the years we learned about the fun things you could do by arbitrarily changing the MAC address of devices on the network. But by and large, we continued to rely on the burnt-in MAC address of a network interface card to be the globally unique identifier of a network interface, and thus, the device. For Cisco Identity Services Engine (ISE), like for many software platforms built for managing the network, a device’s MAC address was indeed sacred.

This view of the world started to crumble when Google and Apple made changes to their respective mobile operating systems, Android 8 and iOS 8. The initial change had mobile devices use a randomized MAC address when probing for new networks, as an end-user privacy measure: it suddenly became harder to track users, their location and their behaviour. Later versions of both operating systems started using a different MAC address per SSID, initially as an optional feature and eventually as the default. In the future, we may see MAC addresses change even while a device stays connected to a single SSID, after fixed or varying time intervals. Beyond the two dominant mobile platforms, the same trend is now being seen in Windows 10.

Similar issues can be seen in hot-desk environments where laptops may be connected to a different networking dongle or docking station each day. Some dongles and docking stations present their own MAC address on the network rather than that of the laptop connected to it. From a network point of view, this is equivalent to the laptop having a different MAC address every day.
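One property a practitioner can lean on: an address randomized by iOS, Android or Windows is a locally administered address, so bit 1 of its first octet (the IEEE U/L bit) is set, whereas a burnt-in NIC address carries a registered vendor OUI with that bit clear. The classifier below is an added example written for this article; it is not code from Cisco ISE or from any of the platforms mentioned. It normalizes the common MAC notations, decodes the I/G and U/L flag bits and tallies a constructed list of (SSID, MAC) observations. The helper names and the sample addresses are assumptions made for illustration. Note the caveat from the dock and dongle case above: a docking station that presents its own MAC uses a genuine vendor OUI, so this check will not flag it, and VMs and some vendors also use locally administered addresses, so a set U/L bit means "not a burnt-in vendor address" rather than "phone".

```python
import re
from dataclasses import dataclass

# Recognised input shapes: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff (Cisco IOS style) and a bare 12-digit hex string.
_SEPARATORS = re.compile(r"[:\-.]")
_HEX = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True)
class MacInfo:
    canonical: str               # lower-case, colon separated
    oui: str                     # first three octets, the vendor prefix
    multicast: bool              # I/G bit: bit 0 of the first octet
    locally_administered: bool   # U/L bit: bit 1 of the first octet


def parse_mac(text: str) -> MacInfo:
    """Normalise a 48-bit MAC address and decode its two flag bits."""
    parts = _SEPARATORS.split(text.strip().lower())
    if len(parts) not in (1, 3, 6):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    width = 12 // len(parts)
    if any(len(p) != width or not _HEX.match(p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    digits = "".join(parts)
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    canonical = ":".join(f"{o:02x}" for o in octets)
    return MacInfo(
        canonical=canonical,
        oui=canonical[:8],
        multicast=bool(octets[0] & 0x01),
        locally_administered=bool(octets[0] & 0x02),
    )


def classify(text: str) -> str:
    """Return 'multicast', 'locally-administered' or 'universally-administered'."""
    info = parse_mac(text)
    if info.multicast:
        # Group addresses are never a station's own source address.
        return "multicast"
    if info.locally_administered:
        # Set by OS randomisation, but also by VMs and some vendors: this means
        # "not a burnt-in vendor address", not "mobile phone".
        return "locally-administered"
    return "universally-administered"


def summarise(seen: list[tuple[str, str]]) -> dict[str, int]:
    """Count how many (ssid, mac) observations fall in each address class."""
    counts: dict[str, int] = {}
    for _ssid, mac in seen:
        kind = classify(mac)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample (not real captures): one phone seen on two SSIDs with
    # two randomised addresses, one laptop behind a dock, one multicast frame.
    observations = [
        ("corp-wifi", "da:a1:19:3c:0f:21"),   # U/L bit set: randomised
        ("guest-wifi", "7e:45:02:9b:ee:10"),  # U/L bit set: randomised, same phone?
        ("corp-wifi", "0011.2233.4455"),      # vendor OUI: dock or burnt-in NIC
        ("corp-wifi", "01:00:5e:00:00:fb"),   # IPv4 multicast (mDNS)
    ]
    for ssid, mac in observations:
        info = parse_mac(mac)
        print(f"{ssid:10} {info.canonical}  oui={info.oui}  {classify(mac)}")
    print(summarise(observations))
```

Running the sample shows the practical point: the two randomised addresses are identified as locally administered, but nothing in the address itself says they belong to the same phone, which is exactly the correlation that tools keyed on the MAC lose.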

The moral of the story is that the trusty MAC address is no longer the static, globally unique identifier it once was.

So, what now?

As a network administrator, if you have not yet experienced the lack of correlation between MAC addresses and the devices connected to your network, you surely will soon. For corporate-owned devices you can largely avoid this by using configuration profiles, OS settings, or Windows Group Policy to ensure managed devices keep using their burnt-in MAC address, although that still leaves you at the mercy of your OS vendors' product roadmaps. Things become tricky when you consider all the non-corporate devices connecting to the network: your guest users and the BYOD devices your staff bring into the office, over which you have no such control.

Now is the time to start looking into the various tools you use to manage your network and understand how random and changing MAC addresses can impact the ongoing usefulness of that tool, and whether there are options available to mitigate what might otherwise cause serious problems. Cisco ISE administrators, for example, can follow our Community Guide.

What else is Cisco doing?

Cisco’s engineering teams continue to work at removing internal product dependencies on static MAC addresses. First and foremost, this is within the mobile ecosystem. We are not just making improvements internally, but we have been collaborating with our partners to ensure wide levels of interoperability between Cisco and third-party products in non-static MAC address environments.

Ivanti, maker of the market-leading MobileIron Unified Endpoint Manager, is the first of many device management solution partners to collaborate with us in order to provide seamless interoperability between Cisco ISE and their own platform.

“Replacing the MAC address as unique identifier was a complex problem to solve, but we knew we needed an alternative hook between the two products. Collaborating with Cisco, we developed a joint solution that maintains feature interoperability and better enables our customers in their endeavors to seamlessly secure and manage their network and endpoints.” Nayaki Nayyar – President, Service Management Solutions & Chief Product Officer

Bye-Bye MAC address?

Just as the introduction of DHCP in 1993 led to the acceptance that an IP address is of little use as a permanent global device identifier, despite its role in addressing and routing, we now see the same thing happening with MAC addresses: they continue to be required to address and forward traffic, but can no longer be treated as static.

Stay tuned for part two of this blog where I will discuss the next in the journey that Nayaki Nayyar alluded to.

In the meantime, tell us what you think will be the next tenet in networking to require adjusting?

 
