14

If you knew from the public internet that a certain IP address belonged to a machine with a certain MAC address, can you see any security exposure associated with that? I know that some software will use a MAC address as an identifier, but I can't think of any security risks associated.

Context: static DHCP assignments for virtual machines where addresses / MAC pairs are pre-generated and the same for all software installations (e.g., any VM being assigned 192.168.1.1 will have the same MAC address).

Gilles 'SO- stop being evil'
Jeff Ferland

3 Answers

8

MACs are predictable in many existing environments. For example, on a typical enterprise network, you're likely to find many physical machines that are part of the same shipment from the same manufacturer and therefore have similar MACs (same OUI and consecutive low-order portion). Any system whose security depended on unpredictable MACs would fail in a typical enterprise environment.

Tying the IP address with the MAC might reveal something about the manufacturer, the type of device or the role of the device that's behind a certain address. That's unlikely to reveal anything that nmap wouldn't reveal, and for virtual machines I don't see how this would reveal anything. On the contrary, if you're worried about your network architecture being exposed, using the same naming scheme for both reduces the amount of information you're revealing (not that the MAC addresses are very likely to turn up on the outside anyway).

If your machines migrate over externally-distinguishable networks, then a MAC address becomes an identifying element and therefore a privacy concern. But in that case they'd likely change IPv4 addresses as they migrate. Tying the MAC to the dynamic IP address (if you somehow manage that — standard DHCP wouldn't apply) would increase the privacy in that case.

Gilles 'SO- stop being evil'
6

MAC addresses are already quite predictable since they are only 48-bit values which are attributed by ranges to hardware vendors (see for instance this file). It is possible to change the MAC address used by a network interface, but most people do not. Also, a given device will broadcast its MAC address quite freely (it is included in the header of each Ethernet frame it sends).

There are some sites where MAC addresses are filtered; i.e., data sent by a device is automatically dropped by the router unless it seems to come from a specific, registered MAC address. Many WiFi access points can be configured that way, and it is also common in organizational LANs (as a deterrent for people who thought BYOD might be a good idea). If you know the MAC address of an "allowed" host, then you can bypass this filter by changing your own MAC address to that value. That's not really a security issue related to knowing the MAC address of a machine; rather, the problem is sysadmins who believe that a MAC address can be used as a kind of secret password.

Theoretically, MAC addresses are local only, a matter of convention between the hosts on a LAN, and have no meaning beyond the first router. This would make security issues related to MAC knowledge impossible beyond the first router. IPv6 changes that a bit: if, on a given LAN, the following happens:

  • the sysadmin has configured everything for IPv4, with NAT: he feels confident that internal hosts cannot be contacted from the outside except by using the specific forwarding rules he sets on the exit router;
  • the operating systems of the router and internal hosts are actually IPv6-aware (all modern OS are);
  • the ISP, as an experiment, decides to "enable IPv6", and the cable/DSL modem used as exit point begins to broadcast router advertisement packets;

then, suddenly, the internal hosts of that network can be contacted from the outside, using IPv6. The IPv6 addresses will be derived from the MAC address, so trouble will not happen right away. But once attackers guess the MAC address of some internal hosts, they will be able to connect to them directly.

The problem here is that NAT is not a firewall; its isolation effect is only a byproduct. However, it can be predicted that many sysadmins see NAT as a security feature, and will consider privacy of the MAC address as another security feature.

Thomas Pornin
3

Personally I don't think so. The only potential security issue relating to knowledge of MAC addresses I can remember seeing is the privacy concern around disclosure of wireless AP MAC addresses over the Internet, as with all the geo-location databases there are that can amount to a physical location.

Rory McCune