Hi Diana!

> On 28.12.2021 at 15:58, [email protected] wrote:
>
> I'm still interested in why you are concerned about "leaking" the MAC address?

Well, knowing the vendor of an interface might lead an attacker to exploit known security issues relevant to that vendor. While I deem the risk with OpenBSD to be very low, in the case of a hypervisor generating the MAC, knowing which one might make the target more interesting.

> Changing the MAC with laddr will still leak the MAC but now it will be the
> one you created.

Yes, I’ll be trying this method shortly.

> If you do decide to change the MAC to a long defunct NIC manufacturer. That
> is what I do for fun. Some of my 10G interfaces use Western Digital OUI,
> from 10base-2 era.

Good idea! :-)

I checked the IEEE registry and determined that currently no prefix of 0xF2, 0xF6, 0xFA or 0xFE is allocated. So combining such a prefix with 5 bytes from /dev/random should work as well.

I have read somewhere that two bits might need to/should have a fixed value in the first octet: 0bxxxxxx10. But I couldn’t find any reference yet. Thus the above values to be on the safe side.

Still have to make sure no two interfaces on the same network segment use the same MAC though, but the odds are pretty good.

Mike

>
> G.day
> diana
> KI5PGJ
>
> On December 28, 2021 6:05:54 AM MST, Mike Fischer <[email protected]>
> wrote:
>>
>>> On 28.12.2021 at 13:09, Paul de Weerd <[email protected]> wrote:
>>>
>>> On Tue, Dec 28, 2021 at 12:35:07PM +0100, Mike Fischer wrote:
>>> | So I guess the only way to get a stable IID with dynamic prefixes is
>>> | to use the eui64 method? (Which is based on the MAC-address and
>>> | leaks information.)
>>>
>>> What information leak are you afraid of? Someone else knowing the
>>> MAC-address of your system? You can fix that by changing the MAC
>>> address of your interface (see the lladdr option in the ifconfig(8)
>>> manpage at http://man.openbsd.org/ifconfig#lladdr for details)
>>
>> Interesting! I hadn’t thought of that.
>>
> SNIP
>>
>> My thoughts exactly.
>>
>>
>> Thanks for your input!
>>
>> Mike
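
Added example, not part of the original e-mail thread: the address scheme described above in POSIX shell, with a check of the first-octet pattern 0bxxxxxx10 (in IEEE 802 addressing, bit 0 clear means unicast and bit 1 set means locally administered). The function names, the em0 interface, the sample in-use address and the use of /dev/urandom in place of /dev/random are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# True if $1 is a well-formed MAC whose first octet is 0bxxxxxx10:
# bit 0 (I/G) clear = unicast, bit 1 (U/L) set = locally administered.
# Returns 2 for malformed input, 1 for a well-formed MAC that fails the check.
is_local_unicast() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 2
    [ $(( 0x${1%%:*} & 3 )) -eq 2 ]
}

# One of the four first octets named in the thread, then 5 random bytes.
# Assumption: /dev/urandom is read instead of /dev/random so it never blocks.
gen_mac() {
    pick=$(( 0x$(od -An -N1 -tx1 /dev/urandom | tr -dc '0-9a-f') % 4 ))
    case $pick in
        0) first=f2 ;;
        1) first=f6 ;;
        2) first=fa ;;
        *) first=fe ;;
    esac
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -dc '0-9a-f' | sed 's/../:&/g')
    printf '%s%s\n' "$first" "$rest"
}

# Generate a MAC that differs from every address passed as an argument,
# e.g. the MACs already seen on the segment (compared case-insensitively).
gen_unique_mac() {
    while :; do
        cand=$(gen_mac)
        clash=0
        for used in "$@"; do
            used=$(printf '%s' "$used" | tr 'A-F' 'a-f')
            if [ "$used" = "$cand" ]; then clash=1; fi
        done
        if [ "$clash" -eq 0 ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
}

# Constructed sample: one address assumed to be in use on the segment.
mac=$(gen_unique_mac F2:00:00:00:00:01)
is_local_unicast "$mac" && echo "candidate: $mac"
# To apply on OpenBSD (em0 is a hypothetical interface): ifconfig em0 lladdr "$mac"
```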

