rfc9797.original   rfc9797.txt 
Internet Engineering Task Force J. Henry Internet Engineering Task Force (IETF) J. Henry
Internet-Draft Cisco Systems Request for Comments: 9797 Cisco Systems
Intended status: Informational Y. Lee Category: Informational Y. Lee
Expires: 23 June 2025 Comcast ISSN: 2070-1721 Comcast
20 December 2024 June 2025
Randomized and Changing MAC Address: Context, Network Impacts, and Use Randomized and Changing Media Access Control (MAC) Addresses: Context,
Cases Network Impacts, and Use Cases
draft-ietf-madinas-use-cases-19
Abstract Abstract
To limit the privacy issues created by the association between a To limit the privacy issues created by the association between a
device, its traffic, its location, and its user in [IEEE_802] device, its traffic, its location, and its user in IEEE 802 networks,
networks, client and client Operating System vendors have started client vendors and client OS vendors have started implementing Media
implementing MAC address randomization. This technology is Access Control (MAC) address randomization. This technology is
particularly important in Wi-Fi [IEEE_802.11] networks due to the particularly important in Wi-Fi networks (defined in IEEE 802.11) due
over-the-air medium and device mobility. When such randomization to the over-the-air medium and device mobility. When such
happens, some in-network states may break, which may affect network randomization happens, some in-network states may break, which may
connectivity and user experience. At the same time, devices may affect network connectivity and user experience. At the same time,
continue using other stable identifiers, defeating the MAC address devices may continue using other stable identifiers, defeating the
randomization purposes. purpose of MAC address randomization.
This document lists various network environments and a range of This document lists various network environments and a range of
network services that may be affected by such randomization. This network services that may be affected by such randomization. This
document then examines settings where the user experience may be document then examines settings where the user experience may be
affected by in-network state disruption. Last, this document affected by in-network state disruption. Last, this document
examines two existing frameworks to maintain user privacy while examines some existing frameworks that maintain user privacy while
preserving user quality of experience and network operation preserving user quality of experience and network operation
efficiency. efficiency.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on 23 June 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9797.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction
2. MAC Address as Identity: User vs. Device . . . . . . . . . . 4 2. MAC Address as Identity: User vs. Device
2.1. Privacy of MAC Address . . . . . . . . . . . . . . . . . 6 2.1. Privacy of MAC Addresses
3. The Actors: Network Functional Entities and Human Entities . 6 3. The Actors: Network Functional Entities and Human Entities
3.1. Network Functional Entities . . . . . . . . . . . . . . . 7 3.1. Network Functional Entities
3.2. Human-related Entities . . . . . . . . . . . . . . . . . 8 3.2. Human-Related Entities
4. Degrees of Trust . . . . . . . . . . . . . . . . . . . . . . 9 4. Degrees of Trust
5. Environment . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Environments
6. Network Services . . . . . . . . . . . . . . . . . . . . . . 13 6. Network Services
6.1. Device Identification and Associated Problems . . . . . . 13 6.1. Device Identification and Associated Problems
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 7. IANA Considerations
8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations
9. Informative References . . . . . . . . . . . . . . . . . . . 16 9. Informative References
Appendix A. Existing Frameworks . . . . . . . . . . . . . . . . 18 Appendix A. Existing Frameworks
A.1. 802.1X with WPA2 / WPA3 . . . . . . . . . . . . . . . . . 18 A.1. IEEE 802.1X with WPA2 / WPA3
A.2. OpenRoaming . . . . . . . . . . . . . . . . . . . . . . . 19 A.2. OpenRoaming
A.3. Proprietary RCM schemes . . . . . . . . . . . . . . . . . 20 A.3. Proprietary RCM Schemes
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses
1. Introduction 1. Introduction
When MAC-Address was first introduced in [IEEE_802] Standard, it was When the MAC address was first introduced in [IEEE_802], it was used
used in wired Ethernet network [IEEE_802.3]. Due to the nature of in wired Ethernet networks [IEEE_802.3]. Due to the nature of wired
the wired network, devices were relatively stationary and the networks, devices were relatively stationary, and the physical
physical connection imposed a boundary to restrict attackers to connection imposed a boundary that restricted attackers from easily
easily access the network data. But [IEEE_802.11] (Wi-Fi) brought accessing the network data. However, [IEEE_802.11] (Wi-Fi) brought
new challenges when it was introduced. new challenges when it was introduced.
The flexibility of Wi-Fi technology has revolutionized communications The flexibility of Wi-Fi technology has revolutionized communications
and become the preferred, and sometimes the only technology used by and become the preferred, and sometimes the only, technology used by
devices such as laptops, tablets, and Internet of Things (IoT) devices such as laptops, tablets, and Internet of Things (IoT)
devices. Wi-Fi is an over-the-air medium that allows attackers with devices. Wi-Fi is an over-the-air medium that allows attackers with
surveillance equipment to monitor WLAN packets and track the activity surveillance equipment to monitor WLAN packets and track the activity
of WLAN devices. It is also sometimes possible for attackers to of WLAN devices. It is also sometimes possible for attackers to
monitor the WLAN packets behind the Wi-Fi Access Point (AP) over the monitor the WLAN packets behind the Wi-Fi Access Point (AP) over the
wired Ethernet. Once the association between a device and its user wired Ethernet. Once the association between a device and its user
is made, identifying the device and its activity is sufficient to is made, identifying the device and its activity is sufficient to
deduce information about what the user is doing, without the user's deduce information about what the user is doing, without the user's
consent. consent.
skipping to change at page 3, line 24 skipping to change at line 117
MAC addresses (RCM). By randomizing the MAC address, it becomes MAC addresses (RCM). By randomizing the MAC address, it becomes
harder to use the MAC address to construct a persistent association harder to use the MAC address to construct a persistent association
between a flow of data packets and a device, assuming no other between a flow of data packets and a device, assuming no other
visible unique identifiers or stable patterns are in use. When visible unique identifiers or stable patterns are in use. When
individual devices are no longer easily identifiable, it also becomes individual devices are no longer easily identifiable, it also becomes
difficult to associate a series of network packet flows in a difficult to associate a series of network packet flows in a
prolonged period with a particular individual using one specific prolonged period with a particular individual using one specific
device if the device randomizes the MAC address governed by the OS device if the device randomizes the MAC address governed by the OS
privacy policies. privacy policies.
However, such address change may affect the user experience and the However, such address changes may affect the user experience and the
efficiency of legitimate network operations. For a long time, efficiency of legitimate network operations. For a long time,
network designers and implementers relied on the assumption that a network designers and implementers relied on the assumption that a
given machine, in a network implementing [IEEE_802] technologies, given machine, in a network implementing IEEE 802 technologies
would be represented by a unique network MAC address that would not [IEEE_802], would be represented by a unique network MAC address that
change over time. When this assumption is broken, network would not change over time. When this assumption is broken, network
communication may be disrupted. For example, sessions established communication may be disrupted. For example, sessions established
between the end-device and network services may break and packets in between the end device and the network services may break, and
transit may suddenly be lost. If multiple clients implement packets in transit may suddenly be lost. If multiple clients
aggressive (e.g., once an hour or shorter) MAC address randomization implement aggressive (e.g., once an hour or shorter) MAC address
without coordination with network services, some network services randomization without coordination with network services, some
such as MAC address cache in the AP and the upstream layer-2 switch network services, such as MAC address caching in the AP and the
may not be able to handle the load that may result in unexpected upstream Layer 2 switch, may not be able to handle the load, which
network interruption. may result in an unexpected network interruption.
At the same time, some network services rely on the end station (as At the same time, some network services rely on the end station (as
defined by the [IEEE_802] Standard, also called in this document defined by [IEEE_802]) to provide an identifier, which can be the MAC
device, or machine) providing an identifier, which can be the MAC address or another value. This document also refers to the end
address or another value. If the client implements MAC address station as a "device" or "machine". If the client implements MAC
randomization but continues sending the same static identifier, then address randomization but continues sending the same static
the association between a stable identifier and the station continues identifier, then the association between a stable identifier and the
despite the RCM scheme. There may be environments where such station continues despite the RCM scheme. There may be environments
continued association is desirable, but others where user privacy has where such continued association is desirable, but there may be
more value than any continuity of network service state. others where user privacy has more value than any continuity of
network service state.
It is useful for implementations of client and network devices to It is useful for implementations of client and network devices to
enumerate services that may be affected by RCM and evaluate possible enumerate services that may be affected by RCM and to evaluate
framework to maintain both the quality of user experience and network possible frameworks to maintain both the quality of user experience
efficiency while RCM happens, and user privacy is strengthened. This and network efficiency while RCM happens and user privacy is
document presents these assessments and recommendations. strengthened. This document presents these assessments and
recommendations.
Although this document mainly discusses MAC-Address randomization in Although this document mainly discusses MAC address randomization in
Wi-Fi [IEEE_802.11] networks, same principles can be easily extended Wi-Fi networks [IEEE_802.11], the same principles can be easily
to any [IEEE_802.3] networks. extended to any IEEE 802 networks [IEEE_802].
This document is organized as follows. Section 2 discusses the This document is organized as follows:
current status of using MAC address as identity. Section 3 discusses
various actors in the network that will be impacted by MAC address * Section 2 discusses the current status of using MAC address as
randomization. Section 4 examines the degrees of trust between identity.
personal devices and the entities at play in a network domain.
Section 5 discusses various network environments that will be * Section 3 discusses various actors in the network that will be
impacted. Section 6 analyzes some existing network services that impacted by MAC address randomization.
will be impacted. Finally, Appendix A includes some frameworks that
are being worked on. * Section 4 examines the degrees of trust between personal devices
and the entities at play in a network domain.
* Section 5 discusses various network environments that will be
impacted.
* Section 6 analyzes some existing network services that will be
impacted.
* Appendix A includes some existing frameworks.
2. MAC Address as Identity: User vs. Device 2. MAC Address as Identity: User vs. Device
The Media Access Control (MAC) layer of IEEE 802.3 [IEEE_802.3] In IEEE 802 [IEEE_802] technologies, the Media Access Control (MAC)
technologies define rules to control how a device accesses the shared layer defines rules to control how a device accesses the shared
medium. In a network where a machine can communicate with one or medium. In a network where a machine can communicate with one or
more other machines, one such rule is that each machine needs to be more other machines, one such rule is that each machine needs to be
identified either as the target destination of a message or as the identified as either the target destination of a message or the
source of a message (and the target destination of the answer). source of a message (and the target destination of the answer).
Initially intended as a 48-bit (6 octets) value in the first versions Initially intended as a 48-bit (6-octet) value in the first versions
of the [IEEE_802.3] Standard, other Standards under the [IEEE_802.3] of IEEE 802, other standards under the IEEE 802 [IEEE_802] umbrella
umbrella allow this address to take an extended format of 64 bits (8 allow this address to take an extended format of 64 bits (8 octets),
octets) which enable a larger number of MAC addresses to coexist as which enabled a larger number of MAC addresses to coexist as IEEE 802
the 802.3 technologies became widely adopted. technologies became widely adopted.
Regardless of the address length, different networks have different Regardless of the address length, different networks have different
needs, and several bits of the first octet are reserved for specific needs, and several bits of the first octet are reserved for specific
purposes. In particular, the first bit is used to identify the purposes. In particular, the first bit is used to identify the
destination address as an individual (bit set to 0) or a group destination address as an individual (bit set to 0) or a group
address (bit set to 1). The second bit, called the Universally or address (bit set to 1). The second bit, called the Universal/Local
Locally Administered (U/L) Address Bit, indicates whether the address (U/L) address bit, indicates whether the address has been assigned by
has been assigned by a universal or local administrator. Universally a universal or local administrator. Universally administered
administered addresses have this bit set to 0. If this bit is set to addresses have this bit set to 0. If this bit is set to 1, the
1, the entire address is considered locally administered (clause 8.4 entire address is considered to be locally administered (see Clause
of [IEEE_802]). Note that universally administered MAC addresses are 8.4 of [IEEE_802]). Note that universally administered MAC addresses
required to register to IEEE while locally administered MAC addresses are required to be registered with the IEEE, while locally
are not. administered MAC addresses are not.
The intent of this provision is important for the present document. The intent of this provision is important for the present document.
The [IEEE_802] Standard recognized that some devices (e.g., smart [IEEE_802] recognizes that some devices (e.g., smart thermostats) may
thermostats) may never change their attachment network and will not never change their attachment network and will not need a globally
need a globally unique MAC address to prevent address collision unique MAC address to prevent address collision against any other
against any other device in any other network. The U/L bit can be device in any other network. The U/L bit can be set to signal to the
set to signal to the network that the MAC Address is intended to be network that the MAC address is intended to be locally unique (not
locally unique (not globally unique). [IEEE_802] did not initially globally unique). [IEEE_802] did not initially define the MAC
define the MAC Address allocation schema when the U/L bit is set to address allocation schema when the U/L bit is set to 1. It states
1. It states the address must be unique in a given broadcast domain the address must be unique in a given broadcast domain (i.e., the
(i.e., the space where the MAC addresses of devices are visible to space where the MAC addresses of devices are visible to one another).
one another).
It is also important to note that the purpose of the Universal It is also important to note that the purpose of the universal
version of the address was to avoid collisions and confusion, as any version of the address was to avoid collisions and confusion, as any
machine could connect to any network, and each machine needs to machine could connect to any network, and each machine needs to
determine if it is the intended destination of a message or its determine if it is the intended destination of a message or its
response. Clause 8.4 of [IEEE_802] reminds network designers and response. Clause 8.4 of [IEEE_802] reminds network designers and
operators that all potential members of a network need to have a operators that all potential members of a network need to have a
unique identifier in that network (if they are going to coexist in unique identifier in that network (if they are going to coexist in
the network without confusion on which machine is the source or the network without confusion on which machine is the source or
destination or any message). The advantage of an administrated destination of any message). The advantage of an administrated
address is that a node with such an address can be attached to any address is that a node with such an address can be attached to any
Local Area Network (LAN) in the world with an assurance that its Local Area Network (LAN) in the world with an assurance that its
address is unique in that network. address is unique in that network.
With the rapid development of wireless technologies and mobile With the rapid development of wireless technologies and mobile
devices, this scenario became very common. With a vast majority of devices, this scenario became very common. With a vast majority of
networks implementing [IEEE_802] radio technologies at the access, networks implementing IEEE 802 radio technologies [IEEE_802] at the
the MAC address of a wireless device can appear anywhere on the access, the MAC address of a wireless device can appear anywhere on
planet and collisions should still be avoided. However, the same the planet and collisions should still be avoided. However, the same
evolution brought the distinction between two types of devices that evolution brought the distinction between two types of devices that
the [IEEE_802] Standard generally referred to as ‘nodes in a [IEEE_802] generally refers to as "nodes in a network" (see
network’. Their definition is found in the [IEEE_802E] Recommended Section 6.2 of [IEEE_802E] for definitions of these devices):
Practice stated in Section 6.2 of [IEEE_802].
1. Shared Service Device, whose functions are used by enough people Shared Service Device: A device used by enough people that the
that the device itself, functions, or its traffic cannot be device itself, its functions, or its traffic cannot be associated
associated with a single or small group of people. Examples of with a single or small group of people. Examples of such devices
such devices include switches in a dense network, [IEEE_802.11] include switches in a dense network, (WLAN) access points
(WLAN) access points in a crowded airport, task-specific device [IEEE_802.11] in a crowded airport, and task-specific devices
(e.g., barcode scanners). (e.g., barcode scanners).
2. Personal Device, which is a machine or node primarily used by a Personal Device: A machine or node primarily used by a single person
single person or small group of people, and so that any or small group of people, so that any identification of the device
identification of the device or its traffic can also be or its traffic can also be associated with the identification of
associated with the identification of the primary user or their the primary user or their online activity.
online activity.
Identifying the device is trivial if it has a unique MAC address. Identifying the device is trivial if it has a unique MAC address.
Once this unique MAC address is established, detecting any elements Once this unique MAC address is established, detecting any elements
that directly or indirectly identify the user of the device that directly or indirectly identify the user of the device (i.e.,
(Personally Identifiable Information, or PII) is enough to link the Personally Identifiable Information (PII)) is enough to link the MAC
MAC address to that user. Then, any detection of traffic that can be address to that user. Then, any detection of traffic that can be
associated with the device will also be linked to the known user of associated with the device will also be linked to the known user of
that device (Personally Correlated Information, or PCI). that device (i.e., Personally Correlated Information (PCI)).
2.1. Privacy of MAC Address 2.1. Privacy of MAC Addresses
This possible identification or association presents a privacy issue, The possible identification or association presents a privacy issue,
especially with wireless technologies. For most of them, and in especially with wireless technologies. For most of them
particular for [IEEE_802.11], the source and destination MAC ([IEEE_802.11] in particular), the source and destination MAC
addresses are not encrypted even in networks that implement addresses are not encrypted even in networks that implement
encryption (so that each machine can easily detect if it is the encryption. This lack of encryption allows each machine to easily
intended target of the message before attempting to decrypt its detect if it is the intended target of the message before attempting
content, and also identify the transmitter, to use the right to decrypt its content and also helps identify the transmitter in
decryption key when multiple unicast keys are in effect). order to use the right decryption key when multiple unicast keys are
in effect.
This identification of the user associated with a node was clearly This identification of the user associated with a node was clearly
not the intent of the 802 MAC address. A logical solution to remove not the intent of the IEEE 802 MAC address. A logical solution to
this association is to use a locally administered address instead and remove this association is to use a locally administered address
change the address in a fashion that prevents a continuous instead and change the address in a fashion that prevents a
association between one MAC address and some PII. However, other continuous association between one MAC address and some PII.
network devices on the same LAN implementing a MAC layer also expect However, other network devices on the same LAN implementing a MAC
each device to be associated with a MAC address that would persist layer also expect each device to be associated with a MAC address
over time. When a device changes its MAC address, other devices on that would persist over time. When a device changes its MAC address,
the same LAN may fail to recognize that the same machine is other devices on the same LAN may fail to recognize that the same
attempting to communicate with them. This type of MAC addresses is machine is attempting to communicate with them. This type of MAC
referred to as 'persistent' MAC address in this document. This address is referred to as 'persistent' MAC address in this document.
assumption sometimes adds to the PII confusion, for example in the This assumption sometimes adds to the PII confusion, for example, in
case of Authentication, Authorization, and Accounting (AAA) services the case of Authentication, Authorization, and Accounting (AAA)
[RFC3539] authenticating the user of a machine and associating the services [RFC3539] authenticating the user of a machine and
authenticated user to the device MAC address. Other services solely associating the authenticated user to the device MAC address. Other
focus on the machine (e.g., DHCPv4 [RFC2131]), but still expect each services solely focus on the machine (e.g., DHCPv4 [RFC2131]) but
device to use a persistent MAC address, for example to re-assign the still expect each device to use a persistent MAC address, for
same IP address to a returning device. Changing the MAC address may example, to reassign the same IP address to a returning device.
disrupt these services. Changing the MAC address may disrupt these services.
3. The Actors: Network Functional Entities and Human Entities 3. The Actors: Network Functional Entities and Human Entities
The risk of service disruption is weighed against the privacy The risk of service disruption is weighed against the privacy
benefits. However, the plurality of actors involved in the exchanges benefits. However, the plurality of actors involved in the exchanges
tends to blur the boundaries of what privacy violations should be tends to blur the boundaries of which privacy violations should be
protected against. It is therefore useful to list the actors protected against. Therefore, it is useful to list the actors
associated with the network exchanges, either because they actively associated with the network exchanges because they either actively
participate in these exchanges, or because they can observe them. participate in these exchanges or can observe them. Some actors are
Some actors are functional entities, while some others are human (or functional entities, while others are human (or related) entities.
related) entities.
3.1. Network Functional Entities 3.1. Network Functional Entities
Network communications based on IEEE 802 technologies commonly rely Network communications based on IEEE 802 technologies commonly rely
on station identifiers based on a MAC address. This MAC address is on station identifiers based on a MAC address. This MAC address is
utilized by several types of network functional entities such as utilized by several types of network functional entities such as
applications or devices that provide a service related to network applications or devices that provide a service related to network
operations. operations.
1. Wireless access network infrastructure devices (e.g., WLAN access 1. Wireless access network infrastructure devices (e.g., WLAN access
points or controllers): these devices participate in IEEE 802 LAN points or controllers): These devices participate in IEEE 802 LAN
operations. As such, they need to identify each machine as a operations. As such, they need to identify each machine as a
source or destination to successfully continue exchanging frames. source or destination to successfully continue exchanging frames.
As a device changes its network attachment (roams) from one As a device changes its network attachment (roams) from one
access point to another, the access points can exchange access point to another, the access points can exchange
contextual information, (e.g., device MAC, keying material), contextual information (e.g., device MAC address and keying
allowing the device session to continue seamlessly. These access material), allowing the device session to continue seamlessly.
points can also inform devices further in the wired network about These access points can also inform devices further in the wired
the roam to ensure that layer-2 frames are redirected to the new network about the roam to ensure that Layer 2 frames are
device access point. redirected to the new device access point.
2. Other network devices operating at the MAC layer: many wireless 2. Other network devices operating at the MAC layer: Many wireless
network access devices (e.g., [IEEE_802.11] access points) are network access devices (e.g., access points [IEEE_802.11]) are
conceived as layer-2 devices, and as such, they bridge a frame conceived as Layer 2 devices, and as such, they bridge a frame
from one medium (e.g., [IEEE_802.11] or Wi-Fi) to another (e.g., from one medium (e.g., Wi-Fi [IEEE_802.11]) to another (e.g.,
[IEEE_802.3] or Ethernet). This means that a wireless device MAC Ethernet [IEEE_802.3]). This means that the MAC address of a
address often exists on the wire beyond the wireless access wireless device often exists on the wire beyond the wireless
device. Devices connected to this wire also implement access device. Devices connected to this wire also implement
[IEEE_802.3] technologies and, as such, operate on the IEEE 802.3 technologies [IEEE_802.3], and as such, they operate
expectation that each device is associated with a MAC address on the expectation that each device is associated with a MAC
that persists for the duration of continuous exchanges. For address that persists for the duration of continuous exchanges.
example, switches and bridges associate MAC addresses to For example, switches and bridges associate MAC addresses to
individual ports (so as to know to which port to send a frame individual ports (so as to know to which port to send a frame
intended for a particular MAC address). Similarly, AAA services intended for a particular MAC address). Similarly, AAA services
can validate the identity of a device and use the device's MAC can validate the identity of a device and use the device MAC
address as a first pointer to the device identity (before address as the first pointer to the device identity (before
operating further verification). Similarly, some networking operating further verification). Similarly, some networking
devices offer layer-2 filtering policies that may rely on the devices offer Layer 2 filtering policies that may rely on the
connected MAC addresses. 802.1X-enabled [IEEE_802.1X] devices may connected MAC addresses. IEEE 802.1X-enabled devices
also selectively put the interface in a blocking state until a [IEEE_802.1X] may also selectively put the interface in a
connecting device is authenticated. These services then use the blocking state until a connecting device is authenticated. These
MAC address as a first pointer to the device identity to allow or services then use the MAC address as the first pointer to the
block data traffic. This list is not exhaustive. Multiple device identity to allow or block data traffic. This list is not
services are defined for [IEEE_802.3] networks, and multiple exhaustive. Multiple services are defined for Ethernet networks
services defined by the IEEE 802.1 working group are also [IEEE_802.3], and multiple services defined by the IEEE 802.1
applicable to [IEEE_802.3] networks. Wireless access points may working group are also applicable to Ethernet networks
also connect to other mediums than [IEEE_802.3] (e.g., DOCSIS [IEEE_802.3]. Wireless access points may also connect using
other mediums (e.g., the Data-Over-Cable Service Interface
[DOCSIS]), which also implements mechanisms under the umbrella of Specification (DOCSIS) [DOCSIS]) that implement mechanisms under
the general 802 Standard, and therefore expect the unique and the umbrella of the general 802 Standard and therefore expect the
persistent association of a MAC address to a device. unique and persistent association of a MAC address to a device.
3. Network devices operating at upper layers: some network devices 3. Network devices operating at upper layers: Some network devices
provide functions and services above the MAC layer. Some of them provide functions and services above the MAC layer. Some of them
also operate a MAC layer function: for example, routers provide also operate a MAC layer function. For example, routers provide
IP forwarding services but rely on the device MAC address to IP forwarding services but rely on the device MAC address to
create the appropriate frame structure. Other devices and create the appropriate frame structure. Other devices and
services operate at upper layers but also rely upon the 802 services operate at upper layers but also rely upon the IEEE 802
principles of unique MAC-to-device mapping. For example, Address principles of unique MAC-to-device mapping. For example, the
Resolution Protocol (ARP) [RFC826] and Neighbor Discovery Address Resolution Protocol (ARP) [RFC826] and Neighbor Discovery
Protocol (NDP) [RFC4861] use MAC address to create the mapping of Protocol (NDP) [RFC4861] use a MAC address to create the mapping
an IP address to a MAC address for packet forwarding. If a of an IP address to a MAC address for packet forwarding. If a
device changes its MAC address without a mechanism to notify the device changes its MAC address without a mechanism to notify the
layer-2 switch it is connected to or the provider of a service Layer 2 switch it is connected to or is the provider of a service
that expects a stable MAC-to-device mapping, the provider of the that expects a stable MAC-to-device mapping, the provider of the
service and traffic forwarding may be disrupted. service and traffic forwarding may be disrupted.
3.2. Human-related Entities 3.2. Human-Related Entities
Humans may actively participate in the network structure and Humans may actively participate in the network structure and
operations, or be observers at any point of the network lifecycle. operations or be observers at any point of the network lifecycle.
Humans could be wireless device users or people operating wireless Humans could be users of wireless devices or people operating
networks. wireless networks.
1. Over-The-Air (OTA) observers: as the transmitting or receiving 1. Over-the-Air (OTA) observers: The transmitting or receiving MAC
MAC address is usually not encrypted in wireless 802-technologies address is usually not encrypted in wireless exchanges using IEEE
exchanges, and as any protocol-compatible device in range of the 802 technologies, and any protocol-compatible device in range of
signal can read the frame header. As such OTA observers are able the signal can read the frame header. As such, OTA observers are
to read the MAC addresses of individual transmissions. Some able to read the MAC addresses of individual transmissions. Some
wireless technologies also support techniques to establish wireless technologies also support techniques to establish
distances or positions, allowing the observer, in some cases, to distances or positions, allowing the observer, in some cases, to
uniquely associate the MAC address with a physical device and its uniquely associate the MAC address with a physical device and its
associated location. An OTA observer may have a legitimate associated location. An OTA observer may have a legitimate
reason to monitor a particular device, for example, for IT reason to monitor a particular device, for example, for IT
support operations. However, another actor might also monitor support operations. However, another actor might also monitor
the same device to obtain PII or PCI. the same device to obtain PII or PCI.
2. Wireless access network operators: some wireless access networks 2. Wireless access network operators: Some wireless access networks
host devices that meet specific requirements, such as device type host devices that meet specific requirements, such as device type
(e.g., IoT-only networks, factory operational networks). (e.g., IoT-only networks and factory operational networks).
Therefore, operators can attempt to identify the devices (or the Therefore, operators can attempt to identify the devices (or the
users) connecting to the networks under their care. They often users) connecting to the networks under their care. They often
use the MAC address to represent an identified device. use the MAC address to represent an identified device.
3. Network access providers: wireless access networks are often 3. Network access providers: Wireless access networks are often
considered beyond the first 2 layers of the OSI model. For considered beyond the first two layers of the OSI model. For
example, law enforcement agency (e.g., FBI in the United States) example, a law enforcement agency (e.g., the FBI in the United
may legally require the network access provider to identify States) may legally require the network access provider to
communications from a subject. In this context, the operating identify communications from a subject. In this context, the
access networks need to identify the devices used by the subjects operating access networks need to identify the devices used by
and cross-reference the data generated by the devices in the the subjects and cross-reference the data generated by the
network. In other contexts, the operating access networks assign devices in the network. In other contexts, the operating access
resources based on contractual conditions (e.g., fee, bandwidth networks assign resources based on contractual conditions (e.g.,
fair share). In these scenarios, the operators may use the MAC fee and bandwidth fair share). In these scenarios, the operators
address to identify the devices and the users of their networks. may use the MAC address to identify the devices and the users of
their networks.
4. Over-The-Wired internal (OTWi) observers: because the device 4. Over-the-Wired internal (OTWi) observers: Because the device
wireless MAC address continues to be present over the wire if the wireless MAC address continues to be present over the wire if the
infrastructure connection device (e.g., access point) functions infrastructure connection device (e.g., access point) functions
as a layer-2 bridge, observers may be positioned over the wire as a Layer 2 bridge, observers may be positioned over the wire
and read transmission MAC addresses. Such capability supposes and may read transmission MAC addresses. Such capability
that the observer has access to the wired segment of the supposes that the observer has access to the wired segment of the
broadcast domain where the frames are exchanged. A broadcast broadcast domain where the frames are exchanged. A broadcast
domain is a logical segment of a network in which devices can domain is a logical segment of a network in which devices can
send, receive, and monitor data frames from all other devices send, receive, and monitor data frames from all other devices
within the same segment. In most networks, such capability within the same segment. In most networks, such capability
requires physical access to an infrastructure wired device in the requires physical access to an infrastructure wired device in the
broadcast domain (e.g., switch closet), and is therefore not broadcast domain (e.g., switch closet) and is therefore not
accessible to all. accessible to all.
5. Over-The-Wired external (OTWe) observers: beyond the broadcast 5. Over-the-Wired external (OTWe) observers: Beyond the broadcast
domain, frame headers are removed by a routing device, and a new domain, frame headers are removed by a routing device, and a new
layer-2 header is added before the frame is transmitted to the Layer 2 header is added before the frame is transmitted to the
next segment. The device MAC address is not visible anymore next segment. The device MAC address is not visible anymore
unless a mechanism copies the MAC address into a field that can unless a mechanism copies the MAC address into a field that can
be read while the packet travels onto the next segment (e.g., be read while the packet travels to the next segment (e.g., IPv6
pre- [RFC4941] and pre-[RFC7217] IPv6 addresses built from the addresses built from the MAC address prior to the use of the
MAC address). Therefore, unless this last condition exists, OTWe methods defined in [RFC4941] and [RFC7217]). Therefore, unless
observers are not able to see the device's MAC address. this last condition exists, OTWe observers are not able to see
the device MAC address.
4. Degrees of Trust 4. Degrees of Trust
The surface of PII exposures that can drive MAC address randomization The surface of PII exposures that can drive MAC address randomization
depends on (1) the environment where the device operates, (2) the depends on (1) the environment where the device operates, (2) the
presence and nature of other devices in the environment, and (3) the presence and nature of other devices in the environment, and (3) the
type of network the device is communicating through. Consequently, a type of network the device is communicating through. Consequently, a
device can use an identifier (such as a MAC address) that can persist device can use an identifier (such as a MAC address) that can persist
over time if trust with the environment is established, or that can over time if trust with the environment is established, or it can use
be temporary if an identifier is required for a service in an an identifier that is temporary if an identifier is required for a
environment where trust has not been established. Note that trust is service in an environment where trust has not been established. Note
not binary. It is useful to distinguish what trust a personal device that trust is not binary. It is useful to distinguish what trust a
may establish with the different entities at play in a network domain personal device may establish with the different entities at play in
where a MAC address may be visible: a network domain where a MAC address may be visible:
1. Full trust: there is environment where a device establishes a 1. Full trust: The device establishes a trust relationship and
trust relationship, and the device can share its persistent MAC shares its persistent MAC address with the access network devices
address with the access network devices (e.g., access point and (e.g., access point and WLAN controller). The network provides
WLAN Controller). In this environment, the network provides
necessary security measures to prevent observers or network necessary security measures to prevent observers or network
actors from accessing PII. The device (or its user) also has actors from accessing PII. The device (or its user) also has
confidence that its MAC address is not shared beyond the layer-2 confidence that its MAC address is not shared beyond the Layer 2
broadcast domain boundary. broadcast domain boundary.
2. Selective trust: in another environment, depending on the pre- 2. Selective trust: Depending on the predefined privacy policies, a
defined privacy policies, a device may decide to use one pseudo- device may decide to use one pseudo-persistent MAC address for a
persistent MAC address for a set of network elements and another set of network elements and another pseudo-persistent MAC address
pseudo-persistent MAC address for another set of network for another set of network elements. Examples of privacy
elements. Examples of privacy policies can be SSID and BSSID policies can be a combination of Service Set Identifier (SSID)
combination, a particular time-of-day, or a pre-set time and Basic Service Set Identifier (BSSID), a particular time of
duration. day, or a preset time duration.
3. Zero trust: in another environment, a device may randomize its 3. Zero trust: A device may randomize its MAC address with any local
MAC address with any local entity reachable through the AP. It entity reachable through the AP. It may generate a temporary MAC
may generate a temporary MAC address to each of them. That address to each of them. That temporary MAC address may or may
temporary MAC address may or may not be the same for different not be the same for different services.
services.
5. Environment 5. Environments
The trust relationship depends on the relationship between the user The trust relationship depends on the relationship between the user
of a personal device and the operator of a network service that the of a personal device and the operator of a network service that the
personal device may use. It is useful to observe the typical trust personal device may use. It is useful to observe the typical trust
structure of common environments: structure of common environments:
A. Residential settings under the control of the user: this is a (A) Residential settings under the control of the user: This is a
typical home network with Wi-Fi in the LAN and Internet in the typical home network with Wi-Fi in the LAN and Internet in the
WAN. In this environment, traffic over the Internet does not WAN. In this environment, traffic over the Internet does not
expose the MAC address of the internal device if it is not copied expose the MAC address of the internal device if it is not
to another field before routing happens. The wire segment within copied to another field before routing happens. The wire
the broadcast domain is under the control of the user and is segment within the broadcast domain is under the control of the
usually not at risk of hosting an eavesdropper. Full trust is user and is usually not at risk of hosting an eavesdropper.
typically established at this level among users and with the Full trust is typically established at this level among users
network elements. Note that Full trust in this context is and with the network elements. Note that "Full trust" in this
referring to the MAC address persistency. It does not extend to context is referring to the MAC address persistency. It does
full trust between applications or devices. The device trusts not extend to full trust between applications or devices. The
the access point and all layer-2 domain entities beyond the device trusts the access point and all Layer 2 domain entities
access point, where the Wi-Fi transmissions can be detected, beyond the access point, where the Wi-Fi transmissions can be
there is no guarantee that an eavesdropper will not observe the detected, but there is no guarantee that an eavesdropper will
communications. As such, it is common to assume that, even in not observe the communications. As such, even in this
this environment, attackers may still be able to monitor the environment, it is common to assume that attackers may still be
unencrypted information such as MAC addresses. If a device able to monitor unencrypted information such as MAC addresses.
decided to not fully trust the network, it might apply any If a device decides to not fully trust the network, it might
necessary policy to protect its identity. Most devices in the apply any necessary policy to protect its identity. Most users
network only require simple connectivity so that the network connecting to a residential network only expect simple Internet
services are simple. For network support, it is also simple. It connectivity services, so the network services are simple. If
is usually related to Internet connectivity. users have issues connecting to the network or accessing the
Internet, they expect limited to no technical support.
B. Managed residential settings: examples of this type of (B) Managed residential settings: Examples of this type of
environments include shared living facilities and other environment include shared living facilities and other
collective environments where an operator manages the network for collective environments where an operator manages the network
the residents. The OTA exposure is similar to (A). The operator for the residents. The OTA exposure is similar to (A). The
may be requested to provide IT support to the residents and may operator may be requested to provide IT support to the residents
need to identify a device activity in real-time. It may also and may need to identify device activity in real time or analyze
need to analyze logs. The infrastructure is shared and covers a logs. The infrastructure is shared and covers a larger area
larger area than (A), residents may connect to the network from than in (A); residents may connect to the network from different
different locations. For example, they may regularly connect to locations. For example, they may regularly connect to the
the network from their own apartments. They may occasionally network from their own apartments and occasionally connect from
connect to the network from common areas. The device may decide common areas. The device may decide to use different pseudo-
to use different pseudo-persistent MAC address as we described in persistent MAC addresses as described in Section 4. As such,
Section 4. As such, the trust degree is Selective trust. In the degree of trust is "Selective trust". In this environment,
this environment, the network services will be slightly more the network services will be slightly more complex than in (A).
complex than (A). Network may be segmented by locations and The network may be segmented by locations and multiple SSIDs.
multiple SSID. User's devices should be able to join the network Users' devices should be able to join the network without pre-
without pre-certification and pre-approval. In most cases, users certification or pre-approval. In most cases, users only need
only need simple connectivity; thus, network support will be simple connectivity; thus, network support will be slightly (but
slightly but not significantly more complicated than (A). not significantly) more complicated than in (A).
C. Public guest networks: public hotspots in shopping malls, hotels, (C) Public guest networks: Public hotspots in shopping malls,
stores, train stations, and airports are typical examples of this hotels, stores, train stations, and airports are typical
environment. In this environment, trust is commonly not examples of this environment. In this environment, trust is
established with any element of the layer-2 broadcast domain. commonly not established with any element of the Layer 2
Users do not anticipate a public guest network using the MAC broadcast domain. Users do not anticipate a public guest
address information to identify their location and network network using the MAC address information to identify their
activity. They do not trust the network and do not want the location and network activity. They do not trust the network
network to memorize them permanently. The trust degree is Zero. and do not want the network to memorize them permanently. The
Devices in this network should avoid using long-lived MAC address degree of trust is "Zero trust". Devices in this network should
to prevent fingerprinting. For example, the device may use a avoid using a long-lived MAC address to prevent fingerprinting.
different MAC address every time it attaches to a new Wi-Fi For example, the device may use a different MAC address every
access point. Some guest network operators may legally abide to time it attaches to a new Wi-Fi access point. Some guest
identify devices. They should not use the MAC address for such network operators may legally abide to identify devices. They
function. Most users connecting to public guest network only should not use the MAC address for such a function. Most users
expect simple Internet connectivity services, so the network connecting to a public guest network only expect simple Internet
services are simple. If users have issue to connect to the connectivity services, so the network services are simple. If
network or to access the Internet, they expect limited to no users have issues connecting to the network or accessing the
technical support. Thus, the network support level is low. Internet, they expect limited to no technical support. Thus,
the network support level is low.
D. Enterprises with Bring-Your-Own-Device (BYOD): this type of (D) Enterprises with Bring-Your-Own-Device (BYOD): This type of
networks are similar to (B) except that the onboarding devices network is similar to (B) except that the onboarding devices are
are subjected to pre-approval and pre-certification. The devices subjected to pre-approval and pre-certification. The devices
are usually personal devices and are not under the control of the are usually personal devices and are not under the control of
corporate IT team. Compared to residential network, enterprise the corporate IT team. Compared to residential networks,
network usually provides more sophisticated network services enterprise networks usually provide more sophisticated network
including but not limited to application-based network policies services including, but not limited to, application-based and
and identity-based network policies. Change of MAC address may identity-based network policies. Changing the MAC address may
interrupt network services if the services are based on MAC interrupt network services if the services are based on that MAC
address. Thus, network operations will be more complex, so the address. Thus, network operations will be more complex, so the
network support level is high. network support level is high.
E. Managed enterprises: in this environment: this type of networks (E) Managed enterprises: This type of network is similar to (D).
are similar to (C). The main difference is the devices are owned The main difference is that the devices are owned and managed by
and managed by the enterprise. Given the network and the devices the enterprise. Because both the network and the devices are
are owned and managed by the enterprise, the trust degree is Full owned and managed by the enterprise, the degree of trust is
trust. Network services and network support level are same as "Full trust". Network services and the network support level
(D) are the same as in (D).
Table 1 summarizes the environment in a table format. Table 1 summarizes the environments described above.
+=======================+===========+=======+========+=============+ +=======================+===========+=======+========+=============+
| Use Cases | Trust |Network|Network | Network | | Use Cases | Degree of |Network|Network | Network |
| | Degree | Admin |Services| Support | | | Trust |Admin |Services| Support |
| | | | | Expectation | | | | | | Expectation |
+=======================+===========+=======+========+=============+ +=======================+===========+=======+========+=============+
| (A) Residential | Full | User | Simple | Low | | (A) Residential | Full |User |Simple | Low |
| settings under the | trust | | | | | settings under the | trust | | | |
| control of the user | | | | | | control of the user | | | | |
+-----------------------+-----------+-------+--------+-------------+ +-----------------------+-----------+-------+--------+-------------+
| (B) Managed | Selective | IT | Medium | Medium | | (B) Managed | Selective |IT |Medium | Medium |
| residential settings | trust | | | | | residential settings | trust | | | |
+-----------------------+-----------+-------+--------+-------------+ +-----------------------+-----------+-------+--------+-------------+
| (C) Public guest | Zero | ISP | Simple | Low | | (C) Public guest | Zero |ISP |Simple | Low |
| networks | trust | | | | | networks | trust | | | |
+-----------------------+-----------+-------+--------+-------------+ +-----------------------+-----------+-------+--------+-------------+
| (D) Enterprises with | Selective | IT |Complex | High | | (D) Enterprises with | Selective |IT |Complex | High |
| Bring-Your-Own-Device | trust | | | | | Bring-Your-Own-Device | trust | | | |
| (BYOD) | | | | | | (BYOD) | | | | |
+-----------------------+-----------+-------+--------+-------------+ +-----------------------+-----------+-------+--------+-------------+
| (E) Managed | Full | IT |Complex | High | | (E) Managed | Full |IT |Complex | High |
| enterprises | trust | | | | | enterprises | trust | | | |
+-----------------------+-----------+-------+--------+-------------+ +-----------------------+-----------+-------+--------+-------------+
Table 1: Use Cases Table 1: Use Cases
Existing technical frameworks that address some of the requirements Existing technical frameworks that address some of the requirements
of the use cases listed above in Appendix A. of the use cases listed above are discussed in Appendix A.
6. Network Services 6. Network Services
Different network environments provide different levels of network Different network environments provide different levels of network
services, from simple to complex. At its simplest level, a network services, from simple to complex. At its simplest level, a network
can provide a wireless connecting device basic IP communication can provide a wireless connecting device with basic IP communication
service (e.g., DHCPv4 [RFC2131] or SLAAC [RFC4862]) and an ability to service (e.g., DHCPv4 [RFC2131] or Stateless Address
connect to the Internet (e.g., DNS service or relay, and routing in Autoconfiguration (SLAAC) [RFC4862]) and an ability to connect to the
and out through a local gateway). The network can also offer more Internet (e.g., DNS service or relay and routing in and out through a
advanced services, such as managed instant messaging service, file local gateway). The network can also offer more advanced services,
storage, printing, and/or local web service. Larger and more complex such as managed instant messaging service, file storage, printing,
networks can also incorporate more advanced services, from AAA to AR/ and/or local web service. Larger and more complex networks can also
VR applications. To the network, its top priority is to provide the incorporate more advanced services, from AAA to Augmented Reality
best Quality of Experience to its users. Often the network contains (AR) or Virtual Reality (VR) applications. To the network, its top
policies which help to make forwarding decision based on the network priority is to provide the best quality of experience to its users.
conditions, the device, and the user identity associated to the Often the network contains policies that help to make a forwarding
device. For example, in a hospital private network, the network may decision based on the network conditions, the device, and the user
contain policy to give highest priority to doctors' Voice-Over-IP identity associated to the device. For example, in a hospital
packets. In another example, an enterprise network may contain private network, the network may contain a policy to give highest
policy to allow applications from a group of authenticated devices to priority to doctors' Voice-Over-IP packets. In another example, an
use ECN [RFC3168] for congestion and/or DSCP [RFC8837] for enterprise network may contain a policy to allow applications from a
classification to signal the network for specific network policy. In group of authenticated devices to use Explicit Congestion
this configuration, the network is required to associate the data Notification (ECN) [RFC3168] for congestion and/or Differentiated
packets to an identity to validate the legitimacy of the marking. Services Code Point (DSCP) [RFC8837] for classification to signal the
Before RCM, many network systems use MAC address as a persistent network for a specific network policy. In this configuration, the
identity to create an association between user and device. After RCM network is required to associate the data packets to an identity to
being implemented, the association is broken. validate the legitimacy of the marking. Before RCM, many network
systems used a MAC address as a persistent identity to create an
association between user and device. After implementing RCM, the
association is broken.
6.1. Device Identification and Associated Problems 6.1. Device Identification and Associated Problems
Wireless access points and controllers use the MAC address to Wireless access points and controllers use the MAC address to
validate the device connection context, including protocol validate the device connection context, including protocol
capabilities, confirmation that authentication was completed, Quality capabilities, confirmation that authentication was completed, quality
of Service or security profiles, and encryption keying material. of service or security profiles, and encryption keying material.
Some advanced access points and controllers also include upper layer Some advanced access points and controllers also include upper layer
functions whose purpose is covered below. A device changing its MAC functions whose purpose is covered below. A device changing its MAC
address, without another recorded device identity, would cause the address, without another recorded device identity, would cause the
access point and the controller to lose the relation between a access point and the controller to lose the relation between a
connection context and the corresponding device. As such, the connection context and the corresponding device. As such, the Layer
layer-2 infrastructure does not know that the device (with its new 2 infrastructure does not know that the device (with its new MAC
MAC address) is authorized to communicate through the network. The address) is authorized to communicate through the network. The
encryption keying material is not identified anymore (causing the encryption keying material is not identified anymore (causing the
access point to fail to decrypt the device packets and fail to select access point to fail to decrypt the device packets and fail to select
the right key to send encrypted packets to the device). In short, the right key to send encrypted packets to the device). In short,
the entire context needs to be rebuilt, and a new session restarted. the entire context needs to be rebuilt, and a new session restarted.
The time consumed by this procedure breaks any flow that needs The time consumed by this procedure breaks any flow that needs
continuity or short delay between packets on the device (e.g., real- continuity or short delay between packets on the device (e.g., real-
time audio, video, AR/VR, etc.). For example: [IEEE_802.11i] time audio, video, AR/VR, etc.). For example, [IEEE_802.11i]
recognizes that a device may leave and re-join the network after a recognizes that a device may leave and rejoin the network after a
short time window. As such, the standard suggests that the short time window. As such, the standard suggests that the
infrastructure should keep the context for a device for a while after infrastructure should keep the context for a device for a while after
the device was last seen. The device should maintain the same MAC the device was last seen. The device should maintain the same MAC
address in such scenario. address in such a scenario.
Some network equipment such as Multi-Layer routers and Wi-Fi Access Some network equipment such as multi-layer routers and Wi-Fi access
Points which serve both layer-2 and layer-3 in the same device rely points, which serve both Layer 2 and Layer 3 in the same device, rely
on ARP [RFC826], and NDP [RFC4861], to build the MAC-to-IP table for on ARP [RFC826] and NDP [RFC4861] to build the MAC-to-IP table for
packet forwarding. The size of the MAC address cache in the layer-2 packet forwarding. The size of the MAC address cache in the Layer 2
switch is finite. If new entries are created faster than the old switch is finite. If new entries are created faster than the old
entries flushed by the idle timer, it is possible to cause entries are flushed by the idle timer, it is possible to cause an
unintentional deny-of-service attack. For example, default timeout unintentional denial-of-service attack. For example, the default
of MAC address cache in Linux is set to 300s. Aggressive MAC timeout of the MAC address cache in Linux is set to 300 seconds.
randomization from many devices in a short time interval (e.g., less Aggressive MAC randomization from many devices in a short time
than 300s) may cause the layer-2 switch to exhaust its resources, interval (e.g., less than 300 seconds) may cause the Layer 2 switch
holding in memory traffic for a device whose entry can no longer be to exhaust its resources, holding in memory traffic for a device
found. For the RCM device, these effects translate into session whose entry can no longer be found. For the RCM device, these
discontinuity and disrupt the active sessions. The discontinuity effects translate into session discontinuity and disrupt the active
impact may vary. Real-time applications such as video conference may sessions. The discontinuity impact may vary. Real-time applications
experience short interruption while non-real-time applications such such as video conference may experience short interruption while non-
as video streaming may experience minimal or no impact. The device real-time applications such as video streaming may experience minimal
should carefully balance when to change the MAC address after or no impact. The device should carefully balance when to change the
analyzing the nature of the running applications and its privacy MAC address after analyzing the nature of the running applications
policy. and its privacy policy.
In wireless contexts, [IEEE_802.1X] authenticators rely on the device In wireless contexts, IEEE 802.1X authenticators [IEEE_802.1X] rely
and user identity validation provided by an AAA server to change the on the device and user identity validation provided by a AAA server
interface from a blocking state to a forwarding state. The MAC to change the interface from a blocking state to a forwarding state.
address is used to verify that the device is in the authorized list, The MAC address is used to verify that the device is in the
and to retrieve the associated key used to decrypt the device authorized list and to retrieve the associated key used to decrypt
traffic. A change in MAC address causes the port to be closed to the the device traffic. A change in MAC address causes the port to be
device data traffic until the AAA server confirms the validity of the closed to the device data traffic until the AAA server confirms the
new MAC address. Consequently, MAC address randomization can disrupt validity of the new MAC address. Consequently, MAC address
the device traffic and strain the AAA server. randomization can disrupt the device traffic and strain the AAA
server.
DHCPv4 servers [RFC2131], without a unique identification of the Without a unique identification of the device, DHCPv4 servers
device, lose track of which IP address is validly assigned. Unless [RFC2131] lose track of which IP address is validly assigned. Unless
the RCM device releases the IP address before changing its MAC the RCM device releases the IP address before changing its MAC
address, DHCPv4 servers are at risk of scope exhaustion, causing new address, DHCPv4 servers are at risk of scope exhaustion, causing new
devices (and RCM devices) to fail to obtain a new IP address. Even devices (and RCM devices) to fail to obtain a new IP address. Even
if the RCM device releases the IP address before changing the MAC if the RCM device releases the IP address before changing the MAC
address, the DHCPv4 server typically holds the released IP address address, the DHCPv4 server typically holds the released IP address
for a certain duration, in case the leaving MAC returns. As the for a certain duration, in case the leaving MAC returns. As the
DHCPv4 [RFC2131] server cannot know if the release is due to a DHCPv4 server [RFC2131] cannot know if the release is due to a
temporary disconnection or a MAC randomization, the risk of scope temporary disconnection or a MAC randomization, the risk of scope
address exhaustion exists even in cases where the IP address is address exhaustion exists even in cases where the IP address is
released. released.
Network devices with self-assigned IPv6 addresses (e.g., with SLAAC Network devices with self-assigned IPv6 addresses (e.g., with SLAAC
defined in [RFC4862]) and devices using static IP addresses rely on [RFC4862]) and devices using static IP addresses rely on mechanisms
mechanisms like Optimistic Duplicate Address Detection (DAD) like Optimistic Duplicate Address Detection (DAD) [RFC4429] and NDP
[RFC4429] and NDP [RFC4861] for peer devices to establish the [RFC4861] for peer devices to establish the association between the
association between the target IP address and a MAC address, and target IP address and a MAC address, and these peers may cache this
these peers may cache this association in memory. Changing the MAC association in memory. Changing the MAC address, even at the
address, even at disconnection-reconnection phase, without changing disconnection-reconnection phase, without changing the IP address may
the IP address, may disrupt the stability of these mappings for these disrupt the stability of these mappings for these peers if the change
peers, if the change occurs within the caching period. Note that occurs within the caching period. Note that this behavior is against
this behavior is against standard operation and existing privacy standard operation and existing privacy recommendations.
recommendations. Implementations must avoid changing MAC address Implementations must avoid changing the MAC address while maintaining
while maintaining previously assigned IP address without consulting the previously assigned IP address without consulting the network.
the network.
Routers keep track of which MAC address is on which interface, so Routers keep track of which MAC address is on which interface so that
they can form the proper Data Link header when forwarding a packet to they can form the proper Data Link header when forwarding a packet to
a segment where MAC addresses are used. MAC address randomization a segment where MAC addresses are used. MAC address randomization
can cause MAC address cache exhaustion, but also the need for can cause MAC address cache exhaustion but also the need for frequent
frequent Address Resolution Protocol (ARP), Reverse Address Address Resolution Protocol (ARP) [RFC826], Reverse Address
Resolution Protocol (RARP) [RFC826], Neighbor Solicitation and, Resolution Protocol (RARP) [RFC903], and Neighbor Solicitation and
Neighbor Advertisement [RFC4861] exchanges. Neighbor Advertisement [RFC4861] exchanges.
In residential settings (environment type A in Section 5), policies In residential settings (environment type A in Section 5), policies
can be in place to control the traffic of some devices (e.g., can be in place to control the traffic of some devices (e.g.,
parental control or block-list filters). These policies are often parental control or blocklist filters). These policies are often
based on the device's MAC address. MAC address randomization removes based on the device MAC address. MAC address randomization removes
the possibility for such control. the possibility for such control.
In residential settings (environment type A) and in enterprises In residential settings (environment type A) and in enterprises
(environment types D and E), device recognition and ranging may be (environment types D and E), device recognition and ranging may be
used for IoT-related functionalities (door unlock, preferred light used for IoT-related functionalities (e.g., door unlock, preferred
and temperature configuration, etc.) These functions often rely on light and temperature configuration, etc.) These functions often
the detection of the device's wireless MAC address. MAC address rely on the detection of the device wireless MAC address. MAC
randomization breaks the services based on such model. address randomization breaks the services based on such models.
In managed residential settings (environment types B) and in In managed residential settings (environment type B) and in
enterprises (environment types D and E), the network operator is enterprises (environment types D and E), the network operator is
often requested to provide IT support. With MAC address often requested to provide IT support. With MAC address
randomization, real-time support is only possible if the user can randomization, real-time support is only possible if the user can
provide the current MAC address. Service improvement support is not provide the current MAC address. Service improvement support is not
possible if the MAC address that the device had at the (past) time of possible if the MAC address that the device had at the time of the
the reported issue is not known at the time the issue is reported. reported issue (in the past) is not known at the time the issue is
reported.
In industrial environments, policies are associated with each group In managed enterprise environments, policies are associated with each
of objects, including IoT devices. MAC address randomization may group of objects, including IoT devices. MAC address randomization
prevent an IoT device from being identified properly, thus leading to may prevent an IoT device from being identified properly and thus
network quarantine and disruption of operations. lead to network quarantine and disruption of operations.
7. IANA Considerations 7. IANA Considerations
This memo includes no request to IANA. This document has no IANA actions.
8. Security Considerations 8. Security Considerations
Privacy considerations are discussed throughout this document. Privacy considerations are discussed throughout this document.
9. Informative References 9. Informative References
[DOCSIS] "DOCSIS 4.0 Physical Layer Specification Version I06, DOI [DOCSIS] CableLabs, "Cable Modem Operations Support System
CM-SP-CM-OSSIv4.0", CableLabs DOCSIS , March 2022, Interface Specification", Data-Over-Cable Service
<https://www.cablelabs.com/specifications/CM-SP-CM- Interface Specifications, DOCSIS 4.0, Version I06, March
2022, <https://www.cablelabs.com/specifications/CM-SP-CM-
OSSIv4.0?v=I06>. OSSIv4.0?v=I06>.
[I-D.ietf-radext-deprecating-radius] [IEEE_802] IEEE, "IEEE Standard for Local and Metropolitan Area
DeKok, A., "Deprecating Insecure Practices in RADIUS", Networks: Overview and Architecture", IEEE Std 802-2014,
Work in Progress, Internet-Draft, draft-ietf-radext- DOI 10.1109/IEEESTD.2014.6847097, 30 June 2014,
deprecating-radius-05, 26 November 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-radext-
deprecating-radius-05>.
[I-D.tomas-openroaming]
Tomas, B., Grayson, M., Canpolat, N., Cockrell, B., and S.
Gundavelli, "WBA OpenRoaming Wireless Federation, Work in
Progress, Internet-Draft, draft-tomas-openroaming-03", 25
July 2024, <https://datatracker.ietf.org/doc/html/draft-
tomas-openroaming-03>.
[IEEE_802] "IEEE Std 802 - IEEE Standard for Local and Metropolitan
Area Networks: Overview and Architecture, DOI 10.1109/
IEEESTD.2014.6847097", IEEE 802 , 30 June 2014,
<https://ieeexplore.ieee.org/document/6847097>. <https://ieeexplore.ieee.org/document/6847097>.
[IEEE_802.11] [IEEE_802.11]
"IEEE 802.11-2020 - Wireless LAN Medium Access Control IEEE, "IEEE Standard for Information Technology--
Telecommunications and Information Exchange between
Systems - Local and Metropolitan Area Networks--Specific
Requirements - Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications", IEEE (MAC) and Physical Layer (PHY) Specifications", IEEE
802.11 , 11 February 2021, Std 802.11-2020, DOI 10.1109/IEEESTD.2021.9363693, 26
<https://standards.ieee.org/ieee/802.11/7028/>. February 2021,
<https://ieeexplore.ieee.org/document/9363693>.
[IEEE_802.11bh] [IEEE_802.11bh]
"IEEE 802.11bh-2023 - Wireless LAN Medium Access Control IEEE, "IEEE Standard for Information Technology--
(MAC) and Physical Layer (PHY) Specifications Amendment 8 Telecommunications and Information Exchange Between
: Operation with Randomized and Changing MAC Addresses", Systems Local and Metropolitan Area Networks--Specific
IEEE 802.11bh , 19 July 2023, Requirements - Part 11: Wireless LAN Medium Access Control
<https://ieeexplore.ieee.org/document/10214483>. (MAC) and Physical Layer (PHY) Specifications Amendment 1:
Operation with Randomized and Changing MAC Addresses",
IEEE Std 802.11bh-2024, DOI 10.1109/IEEESTD.2025.11023005,
3 June 2025,
<https://ieeexplore.ieee.org/document/11023005>.
[IEEE_802.11i] [IEEE_802.11i]
"IEEE 802.11i-2004 - Wireless LAN Medium Access Control IEEE, "IEEE 802.11i-2004 - Wireless LAN Medium Access
(MAC) and Physical Layer (PHY) specifications: Amendment Control (MAC) and Physical Layer (PHY) specifications:
6: Medium Access Control (MAC) Security Enhancements, DOI Amendment 6: Medium Access Control (MAC) Security
10.1109/IEEESTD.2004.94585", IEEE 802.11i , 24 July 2004, Enhancements", IEEE Std 802.11i-2004,
DOI 10.1109/10.1109/IEEESTD.2004.94585, 24 July 2004,
<https://ieeexplore.ieee.org/document/1318903>. <https://ieeexplore.ieee.org/document/1318903>.
[IEEE_802.1X] [IEEE_802.1X]
"IEEE 802.1X-2020 - IEEE Standard for Local and IEEE, "IEEE Standard for Local and Metropolitan Area
Metropolitan Area Networks--Port-Based Network Access Networks--Port-Based Network Access Control", IEEE Std
Control, DOI 10.1109/IEEESTD.2020.9018454", IEEE 802.1X , 802.1X-2020, DOI 10.1109/IEEESTD.2020.9018454, 28 February
28 February 2020, 2020, <https://ieeexplore.ieee.org/document/9018454>.
<https://ieeexplore.ieee.org/document/9018454>.
[IEEE_802.3] [IEEE_802.3]
"IEEE 802.3-2018 - IEEE Standard for Ethernet", IEEE IEEE, "IEEE Standard for Ethernet", IEEE Std 802.3-2022,
802.3 , 31 August 2018, DOI 10.1109/IEEESTD.2022.9844436, 29 July 2022,
<https://standards.ieee.org/ieee/802.3/7071/>. <https://ieeexplore.ieee.org/document/9844436>.
[IEEE_802E] [IEEE_802E]
"IEEE 802E-2020 - IEEE Recommended Practice for Privacy IEEE, "IEEE Recommended Practice for Privacy
Considerations for IEEE 802(R) Technologies", IEEE 802E , Considerations for IEEE 802(R) Technologies", IEEE Std
13 November 2020, 802E-2020, DOI 10.1109/IEEESTD.2020.9018454, 13 November
<https://standards.ieee.org/ieee/802E/6242/>. 2020, <https://ieeexplore.ieee.org/document/9257130>.
[RADIUS] DeKok, A., "Deprecating Insecure Practices in RADIUS",
Work in Progress, Internet-Draft, draft-ietf-radext-
deprecating-radius-06, 25 May 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-radext-
deprecating-radius-06>.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", [RFC2131] Droms, R., "Dynamic Host Configuration Protocol",
RFC 2131, DOI 10.17487/RFC2131, March 1997, RFC 2131, DOI 10.17487/RFC2131, March 1997,
<https://www.rfc-editor.org/info/rfc2131>. <https://www.rfc-editor.org/info/rfc2131>.
[RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
of Explicit Congestion Notification (ECN) to IP", of Explicit Congestion Notification (ECN) to IP",
RFC 3168, DOI 10.17487/RFC3168, September 2001, RFC 3168, DOI 10.17487/RFC3168, September 2001,
<https://www.rfc-editor.org/info/rfc3168>. <https://www.rfc-editor.org/info/rfc3168>.
skipping to change at page 18, line 37 skipping to change at line 857
Converting Network Protocol Addresses to 48.bit Ethernet Converting Network Protocol Addresses to 48.bit Ethernet
Address for Transmission on Ethernet Hardware", STD 37, Address for Transmission on Ethernet Hardware", STD 37,
RFC 826, DOI 10.17487/RFC0826, November 1982, RFC 826, DOI 10.17487/RFC0826, November 1982,
<https://www.rfc-editor.org/info/rfc826>. <https://www.rfc-editor.org/info/rfc826>.
[RFC8837] Jones, P., Dhesikan, S., Jennings, C., and D. Druta, [RFC8837] Jones, P., Dhesikan, S., Jennings, C., and D. Druta,
"Differentiated Services Code Point (DSCP) Packet Markings "Differentiated Services Code Point (DSCP) Packet Markings
for WebRTC QoS", RFC 8837, DOI 10.17487/RFC8837, January for WebRTC QoS", RFC 8837, DOI 10.17487/RFC8837, January
2021, <https://www.rfc-editor.org/info/rfc8837>. 2021, <https://www.rfc-editor.org/info/rfc8837>.
[RFC903] Finlayson, R., Mann, T., Mogul, J., and M. Theimer, "A
Reverse Address Resolution Protocol", STD 38, RFC 903,
DOI 10.17487/RFC0903, June 1984,
<https://www.rfc-editor.org/info/rfc903>.
[WBA-OPENROAMING]
Tomas, B., Grayson, M., Canpolat, N., Cockrell, B. A., and
S. Gundavelli, "WBA OpenRoaming Wireless Federation", Work
in Progress, Internet-Draft, draft-tomas-openroaming-05,
15 April 2025, <https://datatracker.ietf.org/doc/html/
draft-tomas-openroaming-05>.
Appendix A. Existing Frameworks Appendix A. Existing Frameworks
A.1. 802.1X with WPA2 / WPA3 A.1. IEEE 802.1X with WPA2 / WPA3
In typical enterprise Wi-Fi environment, 802.1X authentication In a typical enterprise Wi-Fi environment, IEEE 802.1X authentication
[IEEE_802.1X] coupled with WPA2 or WPA3 [IEEE_802.11i] encryption [IEEE_802.1X] coupled with WPA2 or WPA3 [IEEE_802.11i] encryption
schemes are commonly used for onboarding a Wi-Fi device. This allows schemes are commonly used for onboarding a Wi-Fi device. This allows
the mutual identification of the client device or the user of the the mutual identification of the client device or the user of the
device and an authentication authority. The authentication exchange device and an authentication authority. The authentication exchange
does not occur in clear text, and the user or the device identity can does not occur in clear text, and the user or device identity can be
be concealed from unauthorized observers. However, the concealed from unauthorized observers. However, in most cases, the
authentication authority is in most cases under the control of the authentication authority is under the control of the same entity as
same entity as the network access provider. This may lead to expose the network access provider. This may lead to exposing the user or
the user or device identity to the network owner. device identity to the network owner.
This scheme is well-adapted to enterprise environment, where a level This scheme is well-adapted to an enterprise environment, where a
of trust is established between the user and the enterprise network level of trust is established between the user and the enterprise
operator. In this scheme, MAC address randomization can occur network operator. In this scheme, MAC address randomization can
through brief disconnections and reconnections (under the rules of occur through brief disconnections and reconnections (under the rules
[IEEE_802.11bh]). Authentication may then need to reoccur, with an of [IEEE_802.11bh]). Authentication may then need to reoccur, with
associated cost of service disruption and additional load on the an associated cost of service disruption, an additional load on the
enterprise infrastructure, and an associated benefit of limiting the enterprise infrastructure, and an associated benefit of limiting the
exposure of a continuous MAC address to external observers. The exposure of a continuous MAC address to external observers. The
adoption of this scheme is limited outside of the enterprise adoption of this scheme is limited outside of the enterprise
environment by the requirement to install an authentication profile environment by the requirement to install an authentication profile
on the end device, which would be recognized and accepted by a local on the end device, which would be recognized and accepted by a local
authentication authority and its authentication server. Such a authentication authority and its authentication server. Such a
server is uncommon in a home environment, and the procedure to server is uncommon in a home environment, and the procedure to
install a profile is cumbersome for most untrained users. The install a profile is cumbersome for most untrained users. The
likelihood that a user or device profile would match a profile likelihood that a user or device profile would match a profile
recognized by a public Wi-Fi authentication authority is also fairly recognized by a public Wi-Fi authentication authority is also fairly
limited. This may restrict the adoption of this scheme for public limited. This may restrict the adoption of this scheme for public
Wi-Fi as well. Similar limitations are found in hospitality Wi-Fi as well. Similar limitations are found in the hospitality
environment. Hospitality environment refers to space provided by environment. The hospitality environment refers to space provided by
hospitality industry, which includes but not limited to hotels, the hospitality industry, which includes but is not limited to
stadiums, restaurants, concert halls and hospitals. hotels, stadiums, restaurants, concert halls, and hospitals.
A.2. OpenRoaming A.2. OpenRoaming
In order to alleviate some of the limitations listed above, the In order to alleviate some of the limitations listed above, the
Wireless Broadband Alliance (WBA) OpenRoaming Standard introduces an Wireless Broadband Alliance (WBA) OpenRoaming standard introduces an
intermediate trusted relay between local venues (places where some intermediate trusted relay between local venues (places where some
public Wi-Fi is available) and sources of identity public Wi-Fi is available) and sources of identity [WBA-OPENROAMING].
[I-D.tomas-openroaming]. The federation structure extends the type The federation structure extends the type of authorities that can be
of authorities that can be used as identity sources (compared to used as identity sources (compared to the typical enterprise-based
traditional enterprise-based 802.1X [IEEE_802.1X] scheme for Wi-Fi), IEEE 802.1X scheme for Wi-Fi [IEEE_802.1X]) and facilitates the
and facilitates the establishment of trust between local networks and establishment of trust between local networks and an identity
an identity provider. Such a procedure increases the likelihood that provider. Such a procedure increases the likelihood that one or more
one or more identity profiles for the user or the device will be identity profiles for the user or the device will be recognized by a
recognized by a local network. At the same time, authentication does local network. At the same time, authentication does not occur to
not occur to the local network. This may offer the possibility for the local network. This may offer the possibility for the user or
the user or the device to keep their identity obfuscated from the the device to keep their identity obfuscated from the local network
local network operator, unless that operator specifically expresses operator, unless that operator specifically expresses the requirement
the requirement to disclose such identity (in which case the user has to disclose such identity (in which case the user has the option to
the option to accept or decline the connection and associated accept or decline the connection and associated identity exposure).
identity exposure).
The OpenRoaming scheme seems well-adapted to public Wi-Fi and The OpenRoaming scheme seems well-adapted to public Wi-Fi and
hospitality environment. It defines a framework to protect the hospitality environments. It defines a framework to protect the
identity from unauthorized entities while to permit mutual identity from unauthorized entities while permitting mutual
authentication between the device or the user and a trusted identity authentication between the device or the user and a trusted identity
provider. Just like with standard 802.1X [IEEE_802.1X] scheme for provider. Just like the standard IEEE 802.1X scheme for Wi-Fi
Wi-Fi, authentication allows for the establishment of WPA2 or WPA3 [IEEE_802.1X], authentication allows for the establishment of WPA2 or
keys [IEEE_802.11i] that can then be used to encrypt the WPA3 keys [IEEE_802.11i] that can then be used to encrypt the
communication between the device and the access point. The communication between the device and the access point. The
encryption adds extra protection to prevent the network traffic from encryption adds extra protection to prevent the network traffic from
being eavesdropped. being eavesdropped.
MAC address randomization can occur through brief disconnections and MAC address randomization can occur through brief disconnections and
reconnections (under the rules of [IEEE_802.11bh]). Authentication reconnections (under the rules of [IEEE_802.11bh]). Authentication
may then need to reoccur, with an associated cost of service may then need to reoccur, with an associated cost of service
disruption and additional load on the venue and identity provider disruption, an additional load on the venue and identity provider
infrastructure, and an associated benefit of limiting the exposure of infrastructure, and an associated benefit of limiting the exposure of
a continuous MAC address to external observers. Limitations of this a continuous MAC address to external observers. Limitations of this
scheme include the requirement to first install one or more profiles scheme include the requirement to first install one or more profiles
on the client device. This scheme also requires the local network to on the client device. This scheme also requires the local network to
support RADSEC [RFC6614] and the relay function, which may not be support RADSEC [RFC6614] and the relay function, which may not be
common in small hotspot networks and home environment. common in small hotspot networks and home environments.
It is worth noting that, as part of collaborations between IETF It is worth noting that, as part of collaborations between the IETF
MADINAS and WBA around OpenRoaming, some RADIUS privacy enhancements MADINAS Working Group and WBA around OpenRoaming, some RADIUS privacy
have been proposed in the IETF RADEXT group. For instance, enhancements have been proposed in the IETF RADEXT Working Group.
[I-D.ietf-radext-deprecating-radius] describes good practices in the For instance, [RADIUS] describes good practices in the use of
use of Chargeable-User-Identity (CUI) between different visited Chargeable-User-Identity (CUI) between different visited networks,
networks, making it better suited for Public Wi-Fi and Hospitality making it better suited for public Wi-Fi and hospitality use cases.
use cases.
A.3. Proprietary RCM schemes A.3. Proprietary RCM Schemes
Most client device operating system vendors offer RCM schemes, Most client OS vendors offer RCM schemes that are enabled by default
enabled by default (or easy to enable) on client devices. With these (or easy to enable) on client devices. With these schemes, the
schemes, the device changes its MAC address, when not associated, device changes its MAC address, when not associated, after having
after having used a given MAC address for a semi-random duration used a given MAC address for a semi-random duration window. These
window. These schemes also allow for the device to manifest a schemes also allow for the device to manifest a different MAC address
different MAC address in different SSIDs. in different SSIDs.
Such a randomization scheme enables the device to limit the duration Such a randomization scheme enables the device to limit the duration
of exposure of a single MAC address to observers. In of exposure of a single MAC address to observers. In
[IEEE_802.11bh], MAC address randomization is not allowed during a [IEEE_802.11bh], MAC address randomization is not allowed during a
given association session, and MAC address randomization can only given association session, and MAC address randomization can only
occur through disconnection and reconnection. Authentication may occur through disconnection and reconnection. Authentication may
then need to reoccur, with an associated cost of service disruption then need to reoccur, with an associated cost of service disruption
and additional load on the venue and identity provider and additional load on the venue and identity provider
infrastructure, directly proportional to the frequency of the infrastructure, directly proportional to the frequency of the
randomization. The scheme is also not intended to protect from the randomization. The scheme is also not intended to protect from the
 End of changes. 120 change blocks. 
555 lines changed or deleted 579 lines changed or added

This html diff was produced by rfcdiff 1.48.