►
From YouTube: IETF109-MADINAS-20201118-0500
Description
MADINAS meeting session at IETF109
2020/11/18 0500
https://datatracker.ietf.org/meeting/109/proceedings/
A
Okay,
so
here
I
have
the
the
hour
starting
so
welcome
everyone
to
the
madinas
buff
madina
stands
for
mac
address
device,
identification
for
network
and
application
services,
and
this
is
a
non
working
group
forming
buff
we're
going
to
be
chairing
juan
carlos
suniga
myself
and
carlos
bernardo's
next
slide.
Please.
A
So
a
few
points
here
about
the
tips
and
an
etiquette
for
this
meeting.
So
please,
if
you
want
to
join
or
raise
your
hand
if
you
want
to
say
something,
join
the
queue
by
raising
your
hand
in
the
middle
the
little
hand
on
the
top
left
that
you
see
there.
A
A
The
node
well
as
usual,
this
is
a
an
official
atf
meeting.
So
please
make
sure
that
you
understand
that
participating
and
this
meeting
you
agree
to
the
processes
and
policies
of
ieee
itf.
Sorry,
if
you're
aware
that
ietf
contribution
is
covered
by
patents
or
patent
applications,
please
let
us
know
as
participant
or
attendee.
You
acknowledge
also
that
you
are
going
to
be
recorded.
A
So
as
a
reminder,
minutes
are
going
to
be
taken,
so
we
have
minutes
taker
minute
takers
already
assigned
this
meeting
is
being
recorded.
Your
presence
is
locked.
There
were
some
questions
there.
So,
yes,
your
presence
is
already
locked
by
logging
into
data
tracker
describes.
Please
contribute
the
minutes
to
the
code
dmd,
you
have
the
link
there
and
you
also
have
a
link
on
top
of
the
of
the
mythical
meeting.
A
Okay,
so
moving
on
to
the
to
the
agenda,
we're
going
to
have
a
a
couple
of
minutes
here
discussing
the
agenda
and
the
way
we
want
to
work
this
off.
A
For
this
we're
going
to
have
a
amelia
understood,
presenting
the
background
and
status
about
mac,
address
randomization
activities
in
ieee,
802
and
wba,
followed
by
dave
teller
talking
about
mac,
address
randomization
in
windows.
10,
then
we're
going
to
have
some
minutes
for
clarification.
Q.
A
only
on
this
background
part
so
that
you
can
get
those
out
of
the
way
as
we
move
on
to
the
next
section,
which
is
going
to
be
the
use
cases
for
this.
A
We're
going
to
talk
about
home
network
community,
wi-fi
hospitality
cloud
management
use
cases
that
are
potentially
impacted
by
the
mac
address
randomization,
and
for
this
we're
going
to
have
jason
malay
and
chris
presenting
then
we're
going
to
start
I'm
going
to
have
enough
minutes
for
you
to
have
clarifications
about
the
details
of
this
use.
Cases
before
moving
on
to
the
open
discussion
for
this
topic,
then
we're
gonna
talk
about
what
is
the
interest
of
the
group
and
what
potential
next
steps
we
may
or
may
not
want
to
take.
A
So
the
purpose
of
the
buff
first
of
all
is
to
inform
the
ietf
community
about
the
latest
mac
address
randomization
activities
and
purposes
so
mac
address
randomization.
As
you
may
know,
it's
not
necessarily
something
that
happens
inside
iets
because
it's
in
lower
layers,
but
of
course,
as
part
of
the
stack
it
affects
some
of
the
services
that
are
provided
by
protocols
defined
in
ietf.
A
So
then
we're
going
to
present
the
network
and
application
service
related
issues
that
are
related
to
this
mac
address
randomization
activities,
and
we
want
to
finalize
identify
whether
any
actions
are
required
at
the
ietf.
A
A
So
if
that
is
the
case,
then
moving
to
the
next
point
in
the
agenda,
we're
gonna
have
amelia
presenting.
C
Yes,
thank
you
gc
for
the
introduction
for
this
buff.
I
will
be
the
responsible
ad.
We
will
wait
and
see
what's
happening
with
the
buffer
later.
I
would
specifically
like
to
thank
the
initiator
of
this
buff,
so
it's
you
jason
and
jason,
as
well
as
yari
and
stephen
that
helped
to
scope
a
little
bit
better.
C
This
buff
and,
of
course
everything
here
is
done
with
the
ieee
coordination
and
I've
seen
a
couple
of
people
that
are
also
representing
the
ieee
here,
including
ujc,
so,
and
thank
you
for
the
two
chairs
for
accepting
to
take
this
buff
sharing.
So
thank
you,
carlos
and
thank
you
gc.
That's
all
for
me.
A
Thanks
eric
for
that
clarification,
yes,
so
perfect.
Moving
into
the
the
next
topic,
which
is
amelia
that
is
going
to
talk
about
what
has
been
done
at
ieee
and
elsewhere
regarding
mac
address,
randomization.
A
Okay,
so
eric
do
you
want
to
say
something.
Otherwise,
we
can
probably
present
the
slides
on
her
behalf.
C
Yeah,
I
was
about
to
say
that
indeed
the
best
thing
to
go
forward
is
to
go
through
the
slide,
hoping
that
she
will
be
joining
gcf.
As
far
as
I
know
you
are
also
quite
this
is
your
draft
first
and
it's
also
quite
acupully
focused
and
you
wear
as
well
part
of
the
activity
effort.
So
maybe
you
are
the
best
person
to
take
the
role
over
all
right,
that's
important.
It
needs
to
be
done
before
the
use
case,
so
better
do
it
yeah
definitely
definitely.
A
So
then,
starting
with
some
history
here,
the
the
whole
work
on
on
privacy
and
mac
address
randomization
started
after,
if
you
remember
the
strength
workshop
that
took
place
a
long
time
back
in
the
ietf,
iab
and
w3c,
and
from
there
we
there
was
some
follow-up
work
that
where
we
realized
that
layer,
two
identifiers
that
were
assigned
uniquely
to
devices
were
posing
a
privacy
threat
and
then
the
work
was
moved,
of
course
to
ieee
802,
where
this
they
actually
are
the
ones
defining
mac
addresses
the
the
at
the
rack
in
I
ieee
and
of
course,
then,
since
then,
several
projects
have
started
working
on
on
how
to
solve
the
issue
of
mac
address
randomization.
A
We
had
different
issues
where
the
mac
address.
Randomization
was
something
clear
in
plain
text,
for
instance
when,
when
searching
for
an
ssid
after
some
period
of
time
actively,
then
possibly
during
the
communications
and
so
on,
there's
extensive
research
and
then
in
the
draft.
We
have
plenty
of
references
that
show
all
the
different
issues
that
are
show
from
this
mac
address.
Randomization.
A
Then
well,
I've
already
mentioned
this
w3c
iab
privacy
tutorial
that
was
given
at
the
ieee
802
plenary
it's
thoroughly
documented
and
then
that
led
to
a
number
of
initiatives
which
are
also
mentioned
in
the
draft.
A
If
you
remember
around
2014,
and
so
we
we
had
some
experiments
at
ieee
and
802
meetings
where
we
were
randomizing
mac
addresses
and
trying
to
see
the
effects
on
different
services
and
since
then,
now
mac
address
randomization
is
a
default
privacy
feature
in
major
major
mobile
operation
operating
services
systems
can
can
we
move
to
the
next
slide?
Please,
then
they
work
in
ietf
inspired
on
research
project,
which
is
a
project
802
e.
This
is
the
study
group
in
this
work
map
the
privacy
features.
A
So
basically
it
was
privacy
recommendations
for
all
ieee
802
protocols
recommended
practices
and
considerations
that
can
be
used
when
defining
ieee
protocols.
Afterwards,
there
was
also
the
the
802
c
slot
that
assigns
dynamic
addresses
to
devices
upon
need,
and
this
is
made
for
industrial
sensors
and
so
on
next
slide.
Please.
A
There
was
also
the
ieee
2
11aq
amendment,
which
introduced
robust
recommendations
for
mac
address,
randomization
and
now
just
this
at
this
time,
it's
happening
in
ieee,
802
11.
There
are
two
pars
project:
authorization
requests,
8011,
bh
and
bi
that
are
going
to
look
at
privacy
features
and
network
operation,
in
absence
of
a
clear
test,
permanent
layer,
2
identifiers,
so
very
relevant
to
to
this
work.
A
This
these
two
are
just
starting
now.
So
is
a
perfect
time
basically
to
start
talking
about
this
topics
in
in
like
ietf
as
well,
can
we
move
to
the
next
slide?
Please,
then
we
have
a
wba
that
is
also
relying
on
a
higher
layer,
identity
management
which
is
kind
of
an
extension
of
the
past
point
in
wi-fi
alliance
and
that
they
ring
the
bell
for
people
that
are
familiar
with
that
rom
architecture.
A
This
table
shows
just
a
summary
of
some
operating
systems
and
some
of
the
features
that
already
use
mac
address
randomization.
A
A
There's
different
ways
to
to
do
it
depending
on
the
operating
system,
and
I'm
not
going
to
talk
about
the
details,
because
then
we're
going
to
have
more
later
on
by
dave
taylor,
who's
going
to
explain
how
this
works
in
windows
and-
and
we
are
going
to
hear
in
the
use
cases.
A
Next
slide
so
comments
and
questions,
as
I
mentioned,
what
we
would
like
to
take
after
we
finish
with
the
presentation
of
this
mac,
address,
randomization,
background
history
and
the
presentation
from
dave.
So
if
you
don't
mind,
let's
move
now
to
dave's
presentation
and
we
will
take
comments
and
questions
for
both
right
after.
E
Okay,
great
just
thanks
for
racking
all
right.
So
as
juan
carlos
mentioned,
I'm
going
to
talk
about
what
we
did
in
windows
10,
at
least
I
don't
know
five
years
ago
or
so
and
you'll
see
a
lot
of
it-
overlaps
with
what
one
carlos
showed
for
ios
and
android,
but
I
guess
we
wanted
to
have
at
least
one
drill
down
into
examples,
and
a
lot
of
these
will
be
common
across
operating
systems.
Next
slide,
please.
E
All
right,
so
I'm
not
going
to
talk
much
about
this
one
other
than
things
are
configurable
which
I'll
get
into
in
a
moment
here
it
does
depend
on
support
being
in
hardware
and
drivers,
and
so
it's
almost
always
present.
But
if
you
have
an
odd
hardware
or
old
driver
or
something
like
that,
you
might
not
see
it,
but
otherwise
there's
configurations
on
a
global
base,
in
other
words
on
a
per
wi-fi
interface
basis
and
per
network.
So
next
slide
I'll
get
into
the
details
here.
E
Okay,
so
there's
two
types
of
settings
like
global:
we
mean
no
matter
where
you
are
on
your
wi-fi
interface,
as
your
roam
around
global
just
means,
as
I
roam
around
anywhere
on
the
globe,
that's
what
the
global
setting
is,
and
so
there's
a
setting
that
applies
to
scans
for
nearby
networks
right
and
so
in
case
you're
new
to
the
problem
space.
E
One
of
the
problems
is
this:
just
when
you
scan
for
wi-fi
networks,
the
probes
go
out
and
the
probes
come
from
a
mac
address
that
is
like
an
identifier
and
so
in
various
public
locations.
They
monitor
the
mac
addresses
of
the
probe.
So
even
though
you're
not
connected
to
any
ssid
you're,
still
broadcasting
a
unique
identifier,
and
so
what
the
global
setting
does
is.
It
applies
first
of
all
to
these
probes
that
say
when
I'm
not
connected
to
any
ssid
right.
E
All
the
probes
are
coming
from
a
random
mac
address
and
every
time
you
connect
or
disconnect
from
any
network
or
you
restart
the
device
that
random
thing
changes.
Okay,
so
this
is
the
main
tracking
danger.
Now,
of
course,
this
is
only
one
of
the
pieces
of
it,
but
this
is
probably
the
most
popular
way
of
tracking
people,
because
you
can
track
that
even
when
they're
not
connected
to
your
network.
E
E
You'll
get
the
same
mac
address
right.
This
is
the
default
and,
of
course,
you
can
forget
the
network
and
sort
of
clear
that
state,
but
once
you
connect
to
something
it
creates
a
piece
of
state
that
says
what
mac
address,
I'm
going
for
that
network.
Okay.
Now
the
reason
for
this
is
keep
keeping
use
the
same
one
over
time
and
as
you'll
see
on
the
very
bottom
here,
there's
three
different
behaviors
I've
been
default
one,
and
so
the
the
main
reason
for
this
is
a
trade-off
between
privacy
and
usability.
E
So
that's
kind
of
the
middle
ground
category.
Okay,
now
any
existing
connection.
So
if
you
change
the
behavior
which
you've
already
connected
to
you
know
at
office
or
at
home
or
whatever
it
will
continue
using
the
one.
In
other
words,
once
you
join
an
ssid,
it's
remembered,
even
if
it
was
the
physical
one.
It's
remember
that
with
that
ssid,
until
you
change
until
you
forget
that
ssid
okay,
so
that's
the
global
setting
by
by
global,
I
mean
again
not
ssid
specific.
E
I
mentioned
that
once
you
connect
to
an
ssid
right,
it
remembers
the
state
for
that
ssid
right.
What's
the
mac
address
that
I'm
going
to
use
that
ssid
says
settings
that
you
can
store
in
that
ssid
specific
state?
Okay,
there's
actually
three
different
settings
that
can
be
used,
and
this
is
configurable
by
users
or
admins.
E
The
first
one
is
to
say
off,
which
says:
use
the
permanent
hardware
mac
address.
Okay
means,
don't
use
mac,
randomization
and
an
example
of
networks.
Where
that's
important
is,
let's
say
you
have
a
corporate
network,
that's
using
the
physical
mac
address
for
inventory
tracking
right,
and
so
they
won't.
Let
you
on
the
network
unless
you're
letting
your
network
getting
on
the
network
with
the
hardware
mac
address
that
they've
inventoried.
Okay.
That
would
be
an
example
of
where
that's
kind
of
necessary
on
such
networks.
E
The
second
option
is
equivalent
to
the
default,
one
which
is
use.
The
random
mac
address
the
first
time
that
you
connect.
I've
noticed
use
the
same
one
and
it's
random
when
I
first
connect
and
then
you
store
it
there
and
you
reconnect
with
the
same
one
right.
That's
the
default
option
when
you're
using
mac
address
randomization.
E
But
then,
if
you
have
a
case,
let's
say
you
go
to
a
internet
cafe
or
a
coffee
house
or
something
every
day
right
you
might
say.
Well,
maybe
I
don't
like
the
fact
that
they
can
tell
that.
It's
me
every
single
time.
I
appear
there
on
this
public
network.
That's
what
the
change
daily
is
for.
It
says
every
time
that
I
connect,
if
I'm
connecting
on
the
same
day
as
I
last
stored
as
I
stored.
E
Next
slide
last
slide.
Okay,
now
specifics,
the
mac
address
is
a
hash
of
a
secret.
The
ssid
right.
You
saw
in
that
table
that
juan
carlos
showed
that
android
and
ios
differ
by
whether
it
changes
by
ssid
or
bssid
right
windows
is
the
ssid
and
the
mac
address
uses
a
cryptographically
random
api,
and
so
it
really
is
cryptographically
random.
E
But
of
course,
since
it's
generating
mac
addresses,
it
makes
sure
that
the
bits
are
set
in
the
high
bit
to
say
that
it's
locally
administered
and
it's
a
unicast
address
so
far,
even
though
it
was
in
there
since
at
least
five
years
ago,
it's
not
enabled
by
default,
and
that's
because
there's
still
reports
that
there
are
some
networks
and
no,
I
don't
have
numbers
I
wish
I
did.
Maybe
somebody
does,
but
I
don't
have
numbers
on
there's
still
some
networks
that
have
problems
when
you
have
randomization.
E
If
you
try
to
turn
it
on
some
networks
with
mac
address,
filtering
or
hotspots
may
have
problems,
and
so
that's
why
it's
not
on
by
default.
We
would
love
to
turn
it
on
by
default.
We're
just
not
there
yet,
but
we
hope
to
get
there
once
the
numbers
allow.
E
So
the
times
that
it's
most
likely
on
is
where
there's
clueful
users
like
people
sitting
in
this
audience
that
turn
it
on
or
more
likely
when
there's
an
it
manager
that
turns
it
on
for
all
devices.
So
if
you
have
corporate
laptops
and
things
that
get
the
roam
around,
those
are
the
ones
that
most
likely
have
it
on,
because
the
it
managers
will
turn
it
on
with
any
of
those
settings.
E
And
so
that's
the
brief
overview
happy
to
take
questions
christian
wiedema
five
years
ago,
when
we
first
did
it
or
shortly
after
it
was
done,
wrote
this
blog
article.
That
has
a
slightly
longer
explanation,
but
I've
now
pretty
much
told
you
all
the
highlights.
That's
in
that
article
so
and
the
slides
here
is
still
accurate
to
what's
shipping
in
windows
10
right
now,
so
there
you
go.
That's
my
last
slide
happy
to
take
questions,
but
otherwise
back
to
you
carlos
and
covers.
A
G
Hi
there
thanks
for
this
presentation
in
the
the
list
of
specifics
here,
you
mentioned
the
the
address.
Calculation
is
a
hash
of
secret,
ssid
and
connection
id,
and
I'm
sorry,
if
I
missed
this,
it's
pretty
early
for
me
is
that
a
stable
secret
across
the
lifetime
of
the
machine
or
a
new
secret
every
time.
E
I
am
not
the
best
person
to
ask
that
question,
but
my
understanding
is
every
time
that
it
generates
a
new
mac
address.
It
uses
all
the
entropy
provided
by
the
crypto
api,
and
so,
in
other
words,
my
belief
is
that
the
entropy
isn't
a
one-time
entropy
that
it's
each
time,
but
I
don't
know
that
for
sure
I
can
follow
up
and
get
you
an
answer.
If
you
need
it.
G
E
H
Thanks,
can
you
hear
me?
Okay,
yep,
yes,
yeah!
This
is
a
glenn
parsons
from
erickson,
so
I
just
had
a
comment
on
the
802
aspects.
I
just
wanted
to
mention
one
particular
ongoing
activity
that
wasn't
mentioned,
which
is
called
the
802.1
aedk
activity.
This
the
title
of
this
is
mac
privacy
protection.
H
So
this
is
an
amendment
to
the
max
security
standard
in
802.1
and
it's
specifically
defining
an
encapsulation
format
that
can
carry
confidential
protected
data
within
a
frame,
and
so
it
would
hide
the
the
original
user's
mac
address,
as
well
as
the
frame
sizes,
and
so
the
frames
would
be
padded
to
some
consistent
or
random
size
as
well
to
protect
the
privacy.
So
this
is
a
project
mac
privacy
protection,
that's
currently
underway
as
well.
I
just
wanted
to
note
that.
I
Stephen
hi
dave
just
a
question
about
the
default
on.
Can
you
say
anything
about
the
kind
of
factors
you
would
consider
before
going
to
defaults
on
for
this?
I
I
guess
you
can't
commit
to
anything
or
give
specifics,
but
just
a
guidance.
What
kind
of
things
would
you
be
expecting
before
turning
it
on
as
a
default.
E
Okay,
so
I'm
gonna
look
at
if
you
look
at
like
the
three
options
down
at
the
bottom,
I
said
each
of
these
would
be
applicable
to
a
different
type
of
network
right.
So
the
first
one
was
an
example
of
that
would
be
a
corporate
network
that
uses
mac
addresses
for
inventory
management
right,
and
so
you
could
say
well
on
would
break
that.
E
But
you
can
also
say,
if
I'm
using
it
for
inventory
management,
then
maybe
that's
a
case
where
it's
it
managed
anyway,
and
so
this
that
you
could
have
a
the
it
administrator
would
send
out
off
in
that
particular
case
and
say
so
that
one
is
not
that
big
of
a
deal
unless
you
start
having
things
like
inventory
management
on
things
that
are
not
managed,
and
so,
if
you
have
a
byod
device,
meaning
you
have
your
own
laptop
and
you
bring
it
in
to
work
or
whatever,
and
it
only
works.
E
If
you've
registered
the
hardware
mac
address
ahead
of
time,
then
that
would
have
problems
there,
and
so
I'm
just
saying
what
are
the
gaps
or
things
that
you
need
solutions
to
address,
even
if
they're,
social,
workarounds
or
tooling
workarounds
right
second
type
of
network
is
the
ones
for
on
would
be
there
right,
which
is
kind
of
where
we
want
to
get
to
was
the
default
right
and
so
they're.
E
The
only
issues
that
I
know
of
are
the
ones
that
were
hinted
at
on
the
next
slide,
which
is,
if
you
have
some
public
hotspot
or
things
so
an
example
would
be
if
there
exists
hardware
out
there
that
doesn't
work
right.
If
the
mac
address
that
you
use
in
the
probe
is
different
from
the
mac
address
that
you
use
after
connecting
right.
E
So
if,
for
some
reason,
they've
made,
it
only
work
when
those
two
things
are
equal,
then
of
course
on
would
have
a
problem
and
once
that
set
of
hardware,
if
the
problems
like
that,
once
they
go
away
because
what
happens
when
you
say
if
you
change
the
default
or
if
you
upgrade
you
buy,
you
upgrade
an
operating
system
to
a
newer
version.
It
has
a
different
behavior.
E
If
you
change
that
behavior
people
think
that
the
operating
system
must
be
broken
because
it
no
longer
connection
it
used
to
right,
and
so
how
do
you
prevent
those
regressions
for
cases
that
it
was
working
before
now,
at
least
once
you've
connected
to
something
we
store?
E
The
mac
address
that
you're
using
right
so
hopefully
on
an
upgrade
that
you've
remembered
the
fact
that
you're
using
the
physical
one
which
it
does,
and
so,
if
you
were
using
the
physical
one
before
then
you'll
continue
using
the
physical
one
until
you
change
the
network
setting
or
until
you
forget
the
network
and
then
lastly
change
daily.
If
you're
thinking
about
you
know
the
you
know
the
starbucks
style
networks,
you
might
be
worried
about
people
tracking
you.
E
I
think
it's
really
the
same
thing,
and
so
I
guess
that's
my
long
answer,
but
hopefully
that's
enough
to
answer
your
questions
here.
E
E
You
know,
and
the
the
statistics
might
be
different
for
something
like
mobile
os's
only
because
the
types
of
networks
that
you
connect
to
might
be
skewed
compared
to
what
say,
you
know
a
laptop
connects
to
you
right,
they'd
be
close,
but
they
wouldn't
be
exactly
the
same
sample
set.
E
A
Okay,
thank
you
very
much.
Are
there
any
more
clarification
questions
for
this
first
part?
Oh
yeah,
see
then
yep
done.
J
Would
you
like
to
okay,
yeah,
okay,
great,
thank
you.
Thanks
for
the
presentation
dave
so
does
windows
10
do
the
other
things
that
were
specified
in
8211
aq
when
you
randomize
a
mac
address,
namely
reset
the
the
sequence,
not
the
packet
sequence,
number
and
and
reseed
the
ofdm
scrambler.
E
I
don't
know
the
answer
to
that
offhand.
My
belief
is
that
we
change
all
the
things
that
you'd
want
to
change
at
the
same
time.
Right
now,
you
actually
about
very
specifics
that
I
don't
know
the
answer
to
since
I'm
not
one
of
the
lenders
on
this
particular
team,
but
I
work
with
them.
So
I
don't
know
the
answer
offhand,
but
I
know
we
do
things
like
when
you
change
the
mac
address.
J
E
Those
are
all
great
questions.
I
don't
know
the
answer
offhand,
but
my
since
christian
used
to
be
the
person
that
was
driving
this
and
which
is
why
he
wrote
the
blog
on
five
years
ago.
He
could
probably
tell
you
off
the
top
of
his
head.
My
belief
is
that
windows
has
spent
a
lot
of
time
on
the
privacy
aspects
over
the
last
five
years
and
knowing
what
to
change
that
when
you
turn
it
on
that
is
trying
to
do
the
right
thing
with
all
the
different
identifiers
so
gosh,
I
hope
so.
A
I
then
we're
going
to
move
to
the
next
on
the
queue
and
we're
going
to
cut
the
queue
with
michael,
so.
K
K
Hey:
hey,
hey
dave!
Thanks
for
the
presentation
I
mean
I
had
a
few
clarifications.
How
do
you
make
it
easy
for
an
user
to,
for
example,
enable
this
randomization
in
untrusted
networks
like
coffee
shops,
airports
and
then
enable
this
interested
networks?
For
example,
I
have
I
enable
home
network
security,
and
I
want
my
home
network
security
service
to
enforce
policies
per
device
just
to
identify
anomalous,
behavior
and
various
such
activities
right.
So
how
does
the?
K
How
does
the
nav
user
right
I
mean,
would
enable
these
options
or
disable
these
options
on
a
per
network
basis?.
E
Yeah,
that's
a
good
question
if
you
were
to
go
into
christian's
blog,
which
is
linked
on
the
last
one
that
actually
walks
through
the
specific
ui
where
you
can
find
it
yeah,
if
you
would
look
in
there
because
there's
screens,
screenshots
and
stuff
in
there,
so
that
will
answer
your
question.
But
is
it
easy?
Well,
it's
more
for
an
advanced
user.
E
If
you
because
it
doesn't
say
hey,
would
you
like
to
be
private
on
this
particular
network
right,
there's
a
button
you
can
connect,
you
can
click
on
that
will
actually
take
you
to
the
settings
that
that
you
can
change
it,
and
so
is
it?
Is
it
easily
discoverable?
Well,
it's
not
hidden,
but
it's
not
in
your
face
right,
and
so
it
could
be
better,
but
it
is
there
when
you
connect
or
when
you
look
at
the
settings
for
any
particular
ssid.
E
You
can
find
those
three
settings
in
the
you
know
wi-fi
settings
for
that
ssid,
so
it's
not
hidden,
but
it's
not
great
could
be,
could
be
more
discoverable.
But
it's
not
you
know,
there's
a
natural
path
to
click
on
to
get
there
and
again
you'll
find
the
details.
You'll
find
the
walk
through
in
the
actual
blog
there.
J
L
Dave
when
you're
windows
10
doing
wpa
enterprise
or
802.1x
or
whatever
you
want
to
call
it,
are
you
using
the
same
mac
address
as
you
would
to
connect,
and
how
do
you
know
what
network
you're
really
connecting
it
to
at
that
point,.
E
I'm
not
going
to
be
able
to
answer
your
question
authoritatively
again
because
now
you're
asking
a
very
detailed
question
and
not
being
the
implementer,
I
don't
know
for
sure,
and
I
can
tell
you
you're
not
going
to
find
that
particular
answer
in
the
ones
that
I
don't
know.
The
answers
are
also
not
in
christian's
blog
either,
which
means
I
actually
have
to
ask
the
the
devs
who
couldn't
make
this
particular
meeting,
so
I'm
presenting
their
slides
on
our
behalf.
But
thank
you
so
I
don't
know.
A
Okay,
well,
thank
you
very
much
for
that
dave.
So
we're
gonna
stop
here
for
the
first
part
of
the
buff
and
we're
gonna
move
to
the
to
the
next
one,
which
is
the
the
use
cases
and
just
as
a
reminder
again
we're
going
to
go
through
the
use
cases.
Then
we're
going
to
take
clarification,
questions
on
the
use
cases
before
moving
on
to
the
open
discussion.
F
All
right
great,
so
this
my
name
is
jason
weil
with
charter
communications.
What
we
did
is
we
took.
We
started
this
project.
We
got
together
a
number
of
isps
to
come
up
with
use
cases.
F
We
actually
ended
up
with,
like
a
dozen
or
so
that
we
tried
to
win
you
down
to
a
few
high-level
ones
so
that
it
wouldn't.
We
wouldn't
spend
the
whole
time
talking
about
use
cases
on
this
off.
F
So
I'm
gonna
cover
some
of
the
isp
use
cases
and
then
hand
it
off
to
malay
and
then
we'll
follow
up
with,
but
chris
at
the
end,
to
get
an
overview.
Okay,
first
one.
Our
second
slide.
F
All
right
so
yeah,
so
the
first
use
case
is
access
control
based
on
mac
address.
This
is
pretty
common
across
most
isps,
I
know
charter.
Does
it
and
many
other
isps
that
do
it
as
well?
So
for
this
use
case
you
know,
cpus
are
or
we
we
create.
F
We
use
the
mac
address
as
a
as
an
identifier
for
devices
on
the
network,
and
then
we
use
that
as
a
access
control
for
that
network,
offering
things
such
as
you
know,
pause
given
device
nicknames
things
like
that,
and
then
we
also
do
it's
also
used
for
dos
mitigations
and
some
networks
for
filters,
putting
filters
onto
cpu
devices
and
and
obviously
what
I'm
talking
when
I
talk
about
cp
devices,
I'm
talking
about
the
home
gateway,
routers
that
we
deploy
in
home
networks
and
then
part
a
lot
of
this
falls
underneath
the
frontal
control
as
a
service.
F
Okay
next
slide.
Another
use
case
is
setting
up
a
using
dhcp
to
set
up
a
sticky
ip
address
for
services
such
as
a
static
port
forwarding
or
setting
up
the
dmz.
A
lot
of
this
ties
to
ipv4
addresses
more
so
than
ipv6
addresses,
but
it's
common
for
you
know
if
you
want
to
rdp
into
a
device
in
your
home
or
if
you
want
to,
if
you
have
a
child,
that
hosts
a
minecraft
server.
This
is
a
good
example
of
doing
that.
F
F
So
this
is
more
of
a
use
case
of
of
a
impact
to
to
mac,
address
rotation,
and
a
lot
of
it
depends
on
how
often
the
the
mac
address
is
rotated.
F
But
some
some
dhcp
pools
are
fairly
small
on
some
devices,
and
so,
if
the,
if
every
time
you
change
the
mac
address,
if
it
results
in
a
new
ip
address
and
then
the
old
ip
address
is
still
stuck
in
the
dhp
pool,
depending
how
many
devices
you
have
on
the
network
over
time,
you
could
run
out
the
the
ip
address
pool
and
the
new
devices
would
not
be
able
to
come
onto
the
network.
F
F
So
this
is
how
isps
help
troubleshoot
customer
connections
a
lot
of
times
you'll
you
will
use
the
the
the
mac
address
is
an
identifier
for
a
device
to
help
either
try
to
figure
out
how
much
usage
it's
doing
or
if
it's
causing
problems
you
know
it
possibly
has
malware.
How
do
we
track
that
coming
from
that
device?
F
So
there's
definitely
a
need
here.
Well,
there's
argument
for
a
need
here
for
a
persistent
identifier
to
help
help
with
doing
this.
F
There's
also
so
typically,
the
the
mac
addresses
per
ssid
is
is
fine
in
this
case,
but
there
is
a
use
case
where,
if
you
move
the
device
say
if
it's
on
wi-fi,
as
well
as
a
mobile
device
on
the
same
network,
trying
to
track
that
device
across
multiple
networks,
there
is
an
argument,
or
there
is
a
use
case
there,
where
you
need
to
go
beyond
just
the
per
ssid.
If
you
want
to
make
that
that
use
case,
valid
performance.
F
Yeah,
that's
good!
Look
at
the
next
slide.
I
can
ask
I'm
sure,
there's
lots
of
questions
that
might
come
out
of
this,
so
feel
free
to
ask
away.
F
All
right,
so
this
is
the
it's
kind
of
like
a
follow-up
to
the
printer
control,
slash
using
the
mac
address
as
an
identifier
for
advanced
in-home
features
like
we
use
this
today,
for,
like
I
was
saying
before,
like
pausing
networks,
schedule
pause,
grouping,
the
grouping
devices
say
all
the
kids,
all
the
devices
that
belong
to
a
one
of
your
children,
you
might
want
to
put
in
a
group
and
disable
those
at
a
certain
time.
F
Each
day,
when
it's
time
to
go
to
sleep,
there's
more
advanced
things
you
could
do
as
well
things
like
speed
boost
for
certain
devices
they're.
You
know
that
you
need
to
know
the
device's
id
and
then
we
call
printo
controls
like
I
discussed
as
well.
So
if
you,
if
you
want
to
block
content,
you
can
a
lot
of
some
systems.
F
Use
that
are
deployed
today,
use
the
mac
address
as
the
identifier
and
then
more
advanced
terminal,
well,
more
advanced
features
to
figure
out
where
that
that
device
is
going
and
then
create
like
a
white
list
or
blacklist
to
block
that
type
of
content.
F
N
Malay
from
bloom,
so
a
lot
of
home
network
management
use
cases
are
also
go
in
line
with
the
isp
use
cases.
Like
the
previous
slide,
which
was
mentioned,
and
while
doing
the
while
you
know
providing
such
features,
you
know
we
managed
devices
from
the
cloud.
So
that
means
that.
N
N
And
we
we
can't
really.
We
can't
really
discard
the
devices
which
have
randomized
mac
addresses,
because
you
know
there
is
a
chance
that
user
would
like
to
add
them
to
a
particular
person
profile.
Like
you
know,
if
the
mac
address
is
fixed
by
when
associating
to
the
ssid.
N
So
that
means
that
if
the
mac
address
was
changing
after
associating,
then
the
database
across
the
entire
network
increases
rapidly
and
that
would
have
detrimental
effect
on
the
management
of
the
database
and
then
also
you
know
the
the
clustering
of
the
cloud
devices
which
are
referring
to
that
device.
That
database
will
also
be
affected.
So
all
of
the
management
complexity
increases
by
then
next.
N
N
So
mac
randomizing
mac
address
would
you
know,
lead
to
the
sign
in
to
that
public
wi-fi
each
time,
even
if
the
device
is
in
the
same
area
next
slide.
Please.
N
This
this
goes
about.
This
specific
feature
is
about
the
roaming
of
the
device
across
the
public.
Wi-Fi
networks
say
I
have
a
specific
network
cell
phone
plan,
which
you
know
lets
me
auto
roam
to
that
cell
phone
network
providers,
wi-fi
networks,
then,
if
I'm
walking
around
in
a
community,
then
my
mac
address
would
be
used
to
efficiently
roam
between
the
networks.
N
But
if
my
mac
address
is
randomized
per
bssid,
then
each
time
I
am
walking
to
the
next
home,
which
is
providing
the
community
wi-fi,
then
I
would
have
to
go
through
the
process.
N
The
network
would
have
to
go
through
the
process
of
creating
a
new
tunnel,
and
that
would
be
also
be
detrimental
to
the
experience
which
I
would
be
having
see.
If
I'm
doing
streaming,
then
I
would,
I
would
see,
effects
on
on
the
internet
experience
on
just
by
roaming
around
walking
around
a
particular
location.
Next
slide.
Please.
N
Okay,
I
think
chris
can
take
over
now.
Thank
you.
O
Yeah,
hopefully
you
can
hear
me
so
when
you
have
an
access
point
with
multiple
frequency
bands
currently
well,
the
the
old
way
of
doing
things
is
the
client
always
chooses
which
brand
to
connect
to
and
which
access
point
to
connect
you,
which
means
you
can
end
up
with
crowding
of
multiple
devices
on
one
band,
but
the
other
not
really
being
used.
O
So
in
order
to
remedy
that
situation,
there's
something
called
client
steering
now
the
new
wi-fi
standard
has
something
called
multiband
steering
which
does
this
in
a
fairly
decent
way.
So
it's
it's.
Take
it's
asking
clients
for
measurements
of
the
signal,
strength
of
the
different
bands
and
then
advising
them
yeah,
which
is
the
best
for
them
to
use,
but
for
all
the
devices
you
know
there
has
been
a
legacy
mechanism.
That's
used,
which
is.
This
is
something
that's
only
implemented
at
the
access
point
end.
O
O
The
other
complication
here
is
the
access
points
also
need
to
record
which
clients
do
not
respond
well
to
the
legacy,
steering
attempts,
because
essentially,
if,
if
you're
just
saying
go
away,
go
away,
you
know
some
clients
will
will
take
the
hint
and
will
will
reconnect
elsewhere,
but
others
will
not
they'll
just
keep
trying,
and
so
the
extra
point
need
to
track,
which
clients
do
that
and
essentially
stop
saying,
go
away.
So
this
requires
an
identifier
that
is
reasonably
persistent,
so
you
can
identify.
O
Pre-Association
steering
may
also
be
affected
because,
if
client
devices
use
a
different
mac
address
for
the
probe
to
the
association,
then
again
you
can't
use
that
in
order
to
influence
where
they
connect
to
next
slide,
please.
O
So
that
was
all
the
use
cases
that
we
have
in
here
so
in.
In
summary,
when
you
look
across
those
today,
many
services
rely
on
that
on
the
device
mac
address
being
that
persistent
identifier.
So
the
consequence
of
the
introduction
of
mac
randomization
is
that
these
services
will
stop
working.
A
Privacy:
okay,
thank
you
very
much
chris.
So
we're
gonna
talk
to
you
for
for
a
second.
So
what
we're
hearing
is
that
these
use
cases
are
highlighting
issues
that
people
have
seen
on
the
network
and
just
as
a
clarification.
A
The
idea
here
is
not
to
claim
back
to
fix
mac
addresses
again,
think
people
understand
and
acknowledge
that
the
new
normal
is
back,
address,
randomization,
trying
not
to
abuse
the
term,
but
but
still
they
are
highlighting
problems
that
they
have
seen
on.
The
network
related
to
mac
address,
randomization
that
they
wanted
to
bring
forward.
A
So
before
moving
on
to
specific
ways
to
probably
solve
these
problems
or
solutions
that
may
exist
there.
We
would
like
to
stop
here
and
take
just
clarification.
Questions
regarding
the
use
cases
that
you
have
been
presented
here.
I
N
Regular
case
we
are,
we
are
basically
providing
the
features
right
like
device
policy,
service
policies
and
we
are
having.
We
are
having
a
database
right
off.
All
the
you
know,
device
reports
by.
I
N
N
B
K
Hello,
hey.
I
have
a
question
on
same
question
on
the
cloud
resource
management
so,
for
example,
assume
that
there
is
no
mac
address
randomization
by
the
operating
system,
but
still
an
attacker
could
easily
spoof
mac
addresses
an.
K
Could
spoof
the
mac
address
of
the
parent?
It
could
just
simply
pick
a
random
mac
address
and,
and
then
this
this
entire
database
that
you're
maintaining
could
be
dosed
with
several
random
mac
addresses
an
attacker
could
just
fight
you
with
that
right.
So
how
do.
K
N
Have
the
ssid
and
password
information
correct
for
the
home
and
then
attacker
is
meaning
by
spoofing
mac
address
is
attacker
gaining
the
profile.
Information
is
and
then
gaining
access
to
that
particular
network
right.
There's,
there's
no
additional
gain
here
for,
for
that
particular
home.
K
Device
a
device
which
is
in
the
home
that's
a
child's
device
which
gets
infected
and
it
spoofs
the
mac
address
of
the
parent
to
bypass
the
parental
control
right
or
to
bypass
some
other
policies
that
you
have
right
max
seems
to
be
a
very
weak
identity
for
enforcing
any
such
policies.
Right,
I
mean
it's
quite
easy.
You
just
have.
There
are
several
tools
to
spoof
the
mac
address,
and
you
just
pick
your
parents,
mac
address
and
hey.
K
A
Yeah:
okay,
thanks
victor.
Q
Hi,
hopefully
you
can
hear
me
just
commenting
on
the
last
item
that
was
asked
probably
perspective.
Typically,
those
use
cases
are
pretty
easily
found
because
they
manifest
as
out
of
profile
behaviors,
so
those
types
of
devices
can
typically
be
found
quite
pretty
quickly,
based
on
simple
policies
enabled
in
the
cloud
and
therefore
isolated
as
necessary.
Q
So,
although
that
use
case
does
exist,
they
they
show
us
a
significant
pattern
which
can
be
isolated.
R
Yeah
thanks
juan
carlos
at
the
top.
You
mentioned
open
roaming
and
I
was
just
curious
if
you
or
anybody
can
speak
to
the
implications
of
this
for
open
roaming
like
whether
this
creates
difficulties
or
if
there's
a
more
robust
device
identity.
That's
used.
A
Well,
yeah,
I
was
using
the
slides
from
emilia.
I
know
I
know
she.
She
had
some
more
information,
but
unfortunately
I
cannot
speak
for
that.
We
would
like
to
answer
that,
but
maybe
we'll
have
to
take
it
on
the
on
the
list
and
ask
amelia
or
someone.
D
A
A
Okay,
okay,
so
if
we
have
no
more
clarification
questions,
maybe
we
can
move
to
the
to
the
next
slide.
Chris,
would
you
like
to
take
us,
through
the
use
case,
the
right
requirements,
and
then
we
can
move
on
to
the
to
the
open
discussion.
O
Sure,
okay,
so
looking
at
that
set
of
use
cases,
it's
clear,
they
do
have
different
requirements
on
the
identity,
which
of
course
implies
a
number
of
different
solutions
may
be
required.
O
So
in
the
blue
table,
we've
identified
some
key
features
to
consider
for
each
use
case,
we're
not
necessarily
saying
what
the
answers
are,
but
here
are
some
things
to
think
about,
so
the
first
one
is:
how
long,
of
course
must
the
identifier
persist
and
for
some
of
them
that
could
be
pretty
short
for
others
longer
also,
what
level
of
trust
is
required
between
the
client
and
the
network?
And
how
confident
must
the
network
be
that
the
client
is
the
true
owner
of
the
identity
that
will
vary
between
the
cases?
O
O
A
A
Right
so
this
is
basically
food
for
thought
and
I
guess
well
I
see
you
do
you
want
to
say
something.
O
So,
who
knows
what
the
right
solution
is,
I
mean
essentially,
what
we're
trying
to
do
here
is
preserve
makadesh
address
randomization,
but
I
I
suspect
we
tru.
In
order
to
meet
these
use
cases,
we
will
need
some
other
form
of
identifier,
maybe
multiple
other
forms
of
identifiers,
and
it
is
the
question
I
some
of
those
could
be
at
different
layers.
O
So
it's
not
trying
to
predict
what
the
solution
is,
but
just
to
say,
yeah
some
identifiers
are
needed.
They
will
appear
at
different
layers,
let's
figure
out
what
is
the
right
layer
for
them.
B
Okay,
color.
T
So
I
wish
I
sent
this
to
the
list
ahead
of
time,
but
I'm
wondering
if
we
have
a
requirement
around
user
input
as
well.
So,
for
example,
when
using
802.1x
and
some
of
the
various
forms
of
that
one
of
the
problems
we
have
for
iot
devices
and
phones,
which
are
basically
look
like
phones
like
a
traditional
looking
voice
phone,
is
that
there
may
not
be
a
way
to
enter
credentials
on
those
devices
and,
and
that
becomes
a
problem.
T
So
I
think
that,
like
solving
this,
you
know
trying
to
figure
out
from
a
requirement
point
of
view
whether
end
user
input
on
the
device
was
part
of
this
or
not
is
used
to
be
one
of
the
things
that
constrains
the
solution.
Space
a
little
bit.
O
O
V
Go
ahead
best
point
in
the
table.
Provisioning,
the
provisioning
of
any
new
identifier
must
be
low.
Friction
for
the
user.
I'd
actually
like
to
question
that
I
think
there
are
use
cases
in
which
the
provisioning
of
a
new
identifier
should
be
intentionally
costly
for
the
user,
so
that
it
is
not
trivial
for
users
to
create
arbitrary
numbers
of
identifiers
that
not
only
potentially
impose
a
cost
upon
the
network,
but
also
facilitate
their,
for
instance,
constantly
having
a
new
identity
from
which
to
to
spam
or
or
whatever.
O
Yes,
yeah.
I
can
see
that
that
that
could
be
an
issue.
Yes,
so
maybe
it's
better
phrased
as
how
consideration
of
how
the
new
identity
ought
to
be
achieved.
R
R
You
talk
about
multiple
different
identifiers,
but
I
think
there's
also
some
places
where
you
just
talk
about
the
identifier
and
I
think
it's
pretty
clear
from
the
discussion
thus
far
that
there's
like
a
great
variety
of
of
uses
of,
I
will
say
like
this
information
and
in
some
cases
it
sounds
like
what
is
needed
is
a
device
identifier
and
that
is
historically
what
was
had.
R
But
but
for
some
of
these
cases,
that's
really
not
what's
needed
right
or
you're
just
trying
to
prove
that
you're
part
of
a
group-
or
you
know
this
is
the
same
entity.
That's
that
was
presented
at
a
previous
time
and
these
kinds
of
things.
So
I
think
some
of
the
considerations
on
the
right
hand.
R
Side
of
the
chart
here
are
are
good,
but
I
I
I
don't
think
anyone
should
assume
that,
like
a
single
identifier
is,
this
is
like
even
the
proper
place
to
start
for
the
the
solution
discussion,
because
it
sounds
like
there's
a
sort
of
a
whole
api
surface.
Almost
that
that
you
could
imagine
having
that
would
serve
lots
of
these
different
use
cases,
but
likely
reveal
different
information
to
different
parties,
depending
on
the
use.
O
The
aim
here
is
not
to
say
that
there
should
be
a
single
identifier
that
replaces
the
mac
address.
The
intention
of
this
table
is
to
say
that
for
each
of
the
use
cases
in
the
bottom
left,
we
may
need
a
different
identifier
and
those
identifiers
will
have
different
applicability
and
different
properties.
O
W
Can
you
hear
me?
Yes,
okay,
I
just
wanted
to
respond
to
the
friction
piece
right.
I
think
I
fundamentally
disagree
with
that.
The
number
one
problem
today
is
that
there
is
too
much
friction
and
there's
no
consistency
on
how
you
get
a
secure
identity
onto
a
device,
specifically
a
a
modern
operating
system,
right,
something
what
I
would
call
a
human-centric
device
like
a
laptop
tablet
or
phone.
That
is
the.
W
That
is
why
we
could
never
even
think
about
introducing
any
of
these
secure
authentication
methods
into
a
home,
because
we
can't
even
get
users
in
an
enterprise
to
do
it
right.
If
you,
the
the
shortest
path
to
enroll
as
a
user
with
a
secure
credential
is
10
taps
and
the
longest
path
on
other
operating
systems
is
up
to
27.
W
There
will
never
be
success
in
getting
a
secure
identity
onto
these
devices.
If
that
continues,
and
so
I
fundamentally
disagree
with
that.
There's
there
needs
to
be
more.
Friction
like
there
needs
to
be
way
less
friction,
because
at
the
end
of
the
day,
you
have
to
separate
out
the
device
identity
and
who
you
know
what
what
you
know
directory
or
what
user
account
that's
bound
to.
Ultimately
that
that
ends
up
being
really
more
of
an
authorization
decision
right.
W
A
I
Stephen
just
wanted
to
know
what
the
like
this
slide
is
presenting
a
set
of
requirements
derived
from
use
cases
for
people
who
have
who
for
whom
mac
address.
Randomization
causes
some
issues,
so
it's
inherently
incomplete
in
that
it
doesn't
kind
of
include
the
use
cases
for
which
mac
address
randomization
was
kind
of
designed.
I
So
you
know
if,
if
there's
something
going
forward,
we
need
to
kind
of
try
and
figure
out
what
is
a
more
complete
set
of
requirements,
including
things
like
you
know,
better
privacy,
and
I'm
not
saying
people
are
ignoring
that.
I'm
just
saying
that
there's
a
there's
a
possible
danger
in
saying
that
the
set
of
use
cases
being
considered.
I
O
So
on
that
I
was
kind
of
assuming
that
yeah
we
all
we
all
agree
that
yeah
privacy
is,
is
the
aim
in
terms
of
randomization
and
that
that
is
a
given.
It
needs
to
be
achieved.
So
that's
the
reason
why
it's
not
really
listed
on
this
slide.
But
yes,
in
order
to
do
a
proper
consideration,
I
can
think
yes,
it
probably
should
be
listed
as
I
guess.
A
kind
of
it
is
a
requirement
in
there
that
needs.
O
I
Sure
I
understand
that
I
guess
you
know
it
seems
to
me
that
to
do
a
good
job
on
this,
one
would
also
have
to
kind
of
consider
what
you
might
call
abuse
cases,
so
the
kind
of
in-store
tracking
that
apparently
some
devices
do
and
for
advertising
purposes
and
then,
because,
if
you're
going
to
propose
some
kind
of
change,
you
also
want
to
check.
Does
that
change,
work
well
or
badly
for
the
things
you
don't
want
to
happen
as
well
as
the
things
you
do
want
to
happen,.
A
Thanks
tell
me.
X
All
right,
hello,
yeah,
so
oh
can
we
actually
go
back
to
the
table
slide
if
that's,
okay,
yeah!
Thank
you
so
yeah,
following
up
to
steven's
point,
I
do
think
it
would
be
useful
to
add
more
of
the
client
privacy
needs
into
this
list
as
we're
thinking
about
this
as
a
whole,
and
specifically
so,
I'm
speaking
from
the
apple
client
side,
right
and
what's
important
for
me-
is
that,
like
any
identifier
metadata,
that's
going
to
be
shared
by
the
client
that
would
be
consistent
across
networks
or
across
different
associations
going
forward.
X
It
needs
to
be
based
on
trusting
the
identity
of
the
network
and
trusting
the
identity
of
the
particular
entity
in
the
network.
That's
going
to
receive
that
metadata
so
like
here
we
you're
listing
security
and
trust,
and
it's
saying
you
know:
how
confident
must
the
network
be
that
the
client
is
the
true
owner
of
the
identity
and,
I
think
reflexively
we
need
to
talk
about.
How
is
the
client
confident
about
the
network
or
the
particular
entity
on
the
network?
X
That's
receiving
this
metadata
or
this
identity
I
mean
sharing
metadata,
needs
to
be
done
always
with
explicit
client
intent
going
forward.
I
think,
and
it
needs
to
be
sent
in
a
secure
way
to
a
specific
entity
and
not
just
blasted
onto
the
network
like
the
mac
address
is
so.
X
I
think
we
could
also
put
on
this
table
that
we
need
to
specify
for
any
given
piece
of
metadata
or
any
identity
that
the
client
shares
like
exactly
what
entity
on
the
network
really
needs
to
see
that
to
operate
on
it
and
what
are
the
transport
and
security
properties
that
we're
using
to
communicate
that
metadata.
O
A
U
Yes
thanks,
so
this
is
interesting,
I
think
I'm
still
like.
I
agree
with
what
thomas
has
said,
but
I
I
think
we
also
went
down
to
this
this
level
quite
quickly.
We
started
designing
like
what
you
know,
what
are
the
requirements
and
and
this
new
identifier
system
and
so
on,
and
I
was
still
struggling
to
make
a
decision
at
the
higher
level
which
is
like
what
do
we
actually
need
in
this
this
situation,
because
it
seems
to
me
that
we
have
a
lot
of
technology.
U
We
have
randomization,
we
have
non-randomization,
we
have
lots
of
sort
of
user
or
network
acceptable
configurations
and
defaults.
U
We
have
identifiers
at
many
levels
like
the
mac,
and
you
know
the
login
id
at
the
web,
page
iap,
eap,
identifiers
and
so
on.
So
so
I'm
still
struggling
to
figure
out
like
exactly
what
do
we
need
in
this
space?
So
it
isn't
entirely
clear
to
me
that
the
solution
obviously
is
a
new
identifier
system.
So
it
is,
of
course,
true
that
people
have
different
needs
like
you
have.
U
You
have
to
behave
in
a
particular
way,
but
you
know
why
wouldn't,
for
instance,
that
the
various
defaults
and
settings
be
the
right
answer
here
or
or
perhaps
some
more
information
advertised
by
the
networks
that
I
I
do
or
I
don't
do
these
kinds
of
tricks
and
and
therefore
the
clients
could
make
a
better
decision
instead
of
introducing
a
new
identifier
system,
and
I
have
to
say
that
I'm
also
always
a
little
bit
scared
about
this
new
identifiers.
I
I'm
already
identified
by
too
many
parties.
O
So
I'm
wondering
whether
any
of
the
other
contributors
want
to
respond
to
that.
S
Yes,
you're
here
can
I
can
I
can
I
come
in
please,
okay,
yes,
I
think
jerry.
I
think
what
we
try
to
say
here
is
not
about
creating
a
new
identifier
sort
of
speech.
I
think
if
there
is
any
existing
technology
that
we
can
leverage
here,
we're
happy
to
use
it.
I
think
we
are
more
like
looking
for
guidance
or
looking
for
inputs
to
see
what,
based
on
the
use
cases
now
we
have
and
based
on
some
of
the
use
cases
is
broken.
What
we
need
to
do.
S
I
think
I
need
to
echo
what
tommy
said.
We
often
saying
that
hey
the
network
trusting
the
device,
but
we
also
want
to
see
how
the
device
can
trust
the
network
so
that
then
they
can,
and
in
exchange
they
can
offer
something
for
the
network
to
say
hey.
S
If
I
know
who
you
are
meaning
that
if
I
know
this
is
not
what
I'm
going
to
join
meaning,
for
example,
I
go
into
the
hotel,
I
pay
for
it,
and
then
I
have
I
want
to
join
the
I
want
to
join
the
hotel
network
and
then
the
network
may
be
able
to
say
hey
in
exchange
like
let's
say
in
that
period
of
time,
you
can
give
me
some
persistent
data
and
I'll.
Just
let
me
rephrase
it
I'll,
send
a
respectable
system,
some
of
the
data
that
we
can
use
for
that
particular
time
frame.
S
That
is
the
service
that
I
can
offer
you
and
based
on
that
contract,
which,
if
that
contract
expired
by
time
or
the
user
can
revoke
that
contract
or
even
the
the
network
can
also
revoke
that
contract,
then
that
that
that
that
contract
goes
away.
So
I
think
that
is
something
that
I
mean,
especially
for
the
home
of
the
home
user.
They
don't
have
likes,
they
don't
have
a
lot
of
technical
backgrounds.
S
They
don't
want
us,
they
don't
understand
when
they
have
a
problem,
say
connecting
a
printer
to
the
network
or
the
printer
change,
the
identity
and
and
then
now
suddenly
it
doesn't
know
that
hey.
This
is
a
printer
or
this
is
something
else.
So
those
are
the
friction
that
we've
tried
to
see.
I
try
to
try
to
help
the
users
to
see
if
there's
any
better
way,
to
help
them
we're
not
like
try
to
reinvent
the
wheel.
S
If
there
is
any
existing
technology
that
we
can
use,
and
I
think
what
the
chairs
already
begin,
I
mean
in
the
beginning,
when
they,
when
I
mentioned
the
buff,
we
are
not.
It's
not
working
group
form
involved,
we're
more
like
gathering
information
and
want
to
hear
the
community
well
how
they
feel
about
like.
D
A
If
you
have
in
your
play
yadi
or
should
we
move
to
target.
U
Yeah,
I
guess
yeah
much
of
that
reply
was
about
the
details
of
the
what
the
requirements
are
and,
of
course,
you're
not
necessarily
deciding
a
new
thing,
but
but
maybe
also
think
about
pcps.
But
I
I
guess
I'm
asking
like
why.
Why
isn't
the
you
know,
defaults
and
settings
enough
of
a
response
for
the
market
need
that
we
have
because
we
we
have
the
people
who
want
this
home
to
be
totally
privacy
sensitive
and,
and
they
know
what
setting
to
use.
U
We
have
the
people
who
need
to
do
their
corporate
network
thing
and
they
have
the
setting
to
use
already
and
then
there's,
like
you
know,
maybe
some
people
in
between
a
smaller
fraction
of
of
the
market,
and
it
isn't
clear
to
me
like
why
would
those
people
need
some
new
technology
or
new
identifiers,
then
perhaps
versus
you
know?
Why?
Wouldn't
it
be?
You
know
enough
for
them
to.
You
know,
set
just
set
things
correctly
or
improve
the
settings
or
defaults.
A
Thanks
and
by
the
way,
just
as
a
reminder,
we
have
a
mailing
list
assigned
for
this
medina's
discussion,
so
please
feel
free
to
ask
more
questions
later
on
or
during
the
time
on
the
mailing
list
thanks,
so
we
can
move
on.
Y
Yeah,
so
one
tactical
remark
about
the
friction
right,
so
reducing
the
friction
doesn't
necessarily
mean
that
you
immediately
open
yourself
up
to
denial
of
service
attack,
because
I
don't
necessarily
need
to
have
arbitrary,
many
and
arbitrary,
fast,
changing
identities.
Right
I
just
want
to
have
you
know,
frictionless
identities,
and
you
know
I
probably
prefer
to
have
a
lot
more
insight
into
you
know.
What
is
my
user
experience
right
now?
This
may
be
the
generic
suggestion.
Y
Y
What
is
basically,
you
know
the
privacy
that
I
have
right.
Whom
do?
I
need
to
trust
to
keep
that
privacy
right?
What
are
my
processes
to
create
the
identity?
Y
You
know
what
are
the
options
for
this
identity
to
be
broken
in
terms
of
to
somebody
mapping
that
identity
back
to
me
right
so
that
user
experience
view
you
know
would
help
a
lot
to
put
together.
You
know
exactly
these
user
experience
aspects
and
then
basically
map
between
what
the
proposed
solutions
are
and
what
the
user
experience
is,
and
that's
kind
of
you
know
competing
to
what
what
the
provider
of
of
of
the
use
case,
of
course,
wants
to
get.
Z
Yeah
hi,
I
I
think
there's
a
lot
of
support
for
for
to
be
mindful
of
the
user
experience
and
less
friction,
but
really
all
I
wanted
to
say
just
having
been
encouraged
to
echo.
Z
A
point
I
made
on
the
list
is
seems
to
me
that
this
discussion
is
another
example
of
where
currently,
it's
clear,
that
developers,
network
operators
don't
really
understand
each
other's
needs
and
ways
of
working,
particularly
well,
and
one
observation
for
the
this
discussion
is
achieving
is
at
least
helping
bridge
that
gap
a
little
so
that
rather
than
saying
how
people
shouldn't
do
things
understand
what
the
actual
reality
is
and
then
see
if
there's
a
better
way
of
doing
things
rather
than
ignoring
the
reality,
that's
that's
there.
Z
A
Okay,
thanks
for
that,
jerome.
AA
Follows
I
also
think
it
could
be
interesting
to
look
at
these
use
cases
from
a
layer
standpoint,
and
you
know
I
may
be
biased
by
by
the
fact
that
this
slide
comes
in
the
context
of
us
looking
at
multiple
operating
systems
behavior
before
and
how
you
know,
there
seems
to
be
no
consistency
between
different
operating
systems
on
how
they
generate
random
mac
addresses
and
by
the
way,
there's
an
typo
in
ios
in
the
ios
table.
Ios
does
not
rotate
in
the
final
version.
AA
It's
it's
more
like
android,
q
and
r,
it's
sticky
to
the
ssid,
but
with
a
you,
know,
slight
slight
differences,
but
then
you
know
we
talked
about
mbo
and
it
seems
to
be
an
ieee
problem.
More
than
itf
problem.
I
see
here
association
and
post
association
that
smells
a
lot
like
80.11
as
well.
AA
The
mac
rotation
scheme
for
the
client,
also
to
me,
is
something
that
the
is
probably
very
interested
in
looking
into,
at
least
in
the
802.11
context,
so
it
might
be
interesting
for
us
also
to
triage
a
little
bit.
Those
layers
to
you
know
to
see
what
is
probably
taken
care
of
at
the
ieee
and
what
the
itf
could
do.
A
Yes,
thanks
jerome,
indeed,
that
that's
part
of
the
questions
that
we
would
like
to
to
to
answer
and
therefore
we
were
very
keen
on
highlighting
the
the
work
that
is
that
has
happened
at
I
triple
the
802
and
that
is
going
on
right
now,
but
please
feel
free.
If
you
have
more
details
to
to
let
people
know
on
the
mailing
list.
A
W
Hey
so
tommy
tommy,
maybe
kind
of
start
turning
this
in
my
head
a
little
bit,
I
think
you
know
I.
I
will
be
fully
blunt
here
that
I
don't.
I
do
not
think
ietf
is
the
right
place
to
address
this,
which
I
said
in
the
chat,
but
if
it
does
continue,
I
think
we
have
to
step
further
back
and
look
at
right.
One
thing
that's
concerning
to
me
is
you
know,
and
this
is
the
problem
you
know,
while
I
do
believe
something
like
passpoint
and
secure
wi-fi
roaming
is
the
go
forward
option.
W
It
does
not
eliminate
the
fact
that
the
local
network
operator
can
see
the
traffic
right.
It
protects
the
identity,
but
it
doesn't
stop
the
fact
that
a
local
network
operator
can
see
the
traffic
traversing
their
network
and
users.
Don't
know
that
users
do
not
understand
when
they
go
to
mcdonald's
or
the
home
depot
and
their
phone
automatically
connects
to
a
network
that
that
venue
can
see
all
of
their
traffic
and
sure
many
will
argue
there
are
technologies
coming
tls,
1.3,
etc.
W
That
would
make
that
harder,
but
think
about
how
many
devices
spew
out
device
names
at
l2.
That
are
unencrypted
right,
it'll,
be
very
easy
for
me
to
figure
out,
even
without
passing
a
device
identity
you
know
at
a
and
for
any
form
of
authentication
or
authorization
that
this
is
john's
iphone
right.
It
literally
yells
it
to
the
network.
So
I
think
we
have
to
step
back
and
look
at.
W
There's
no,
I
mean
it's
the
age-old
problem
of
you
know
you
can't
you
can't
really
put
an
ssid
into
a
cert
right
and
passpoint
and
hot
spot
too,
and
all
these
things
have
ways
to
potentially
address
them,
but
they're,
not
perfect,
right
and-
and
you
know
it
kind
of-
brings
back
the
you
know
the
thought
of
like.
Could
you
bind
a
domain
name
to
an
ssid
right?
A
Happening
yeah,
I
think
that
those
are
good
points
and
just
to
to
step
in
here
quickly,
the
we
are
making
sure
that
we
don't
step
onto
other
organizations
grounds,
as
mentioned
before
by
by
eric.
We
are
making
sure
that
we
coordinate
as
much
as
possible,
if
need
be,
with
ieee
802,
for
instance,
if
it's
about
mic
addresses
or
procedures
on
how
to
associate
authenticate
or
and
so
on,
for
a
wi-fi
or
the
the
usage
of
an
ssid.
A
AB
O
AB
With
okay,
thank
you,
even
though
I
agree
with
team,
I
think
that
the
lack
of
end
user
knowledge
shouldn't
really
prevent
us
from
working
on
at
least
informational
documents
or
additional
options
that
can
that
can
be
used
for
at
least
some
of
these
use
cases.
AB
The
purpose
of
the
buff
seems
to
me
that
it's
eventually
to
come
up
with
new
identifiers,
like
chris
said.
I
think
that
for
the
use
cases
where,
where
the
end
user
can
simply
not
use
mac
address
randomization,
I
think
at
least
for
those.
AB
A
Tracking,
yes,
I'm
just
going
to
to
reply
to
the
comment
about
the
purpose
of
the
buff
is
to
come
up
with
new
identifiers
just
to
want
to
clarify
that.
A
That's
not
the
purpose
of
the
buff,
because
we,
in
fact
what
we
want
to
make
sure
is
that
we
first
of
all
understand
the
work
that
is
happening
elsewhere,
so
that
we
don't
duplicate
if
ever,
there's
work
happening
and
as
as
mentioned
earlier
on
already
there's
work
about
privacy
and
how
to
deal
with
my
contrast,
randomization
that
I
triple
eight
or
two
specifically
in
eleven
there's
two
new
parts.
A
Also,
the
purpose
of
the
buff
is
basically
to
to
first
of
all
inform
of
these
new
activities
and
then
inform
about
the
the
issues
that
are
happening,
and
it's
true
that,
right
now
the
discussion
is
moving
very
much
around
around
the
identifiers,
but
rather
than
saying
that
the
purpose
of
the
buff
is
to
define
new
identifiers.
I
think
we
want
to
understand,
as,
for
instance,
yari
said,
do
we
need
identifiers?
A
I
think
what
we
want
to
finally
finalize
achieve
means
to
to
provide
services,
and
we
have
heard
both
views
so
far.
There's
a
device
view,
there's
a
network
view
and
there
I
would
actually
add
the
the
user
view.
A
So
right
now,
we
are
just
having
an
open
discussion
trying
to
understand
what
exactly
is
out
there
and
both
in
terms
of
solutions
and
in
terms
of
issues,
so
that
we
we
can
then
take
a
decision
on
how
to
move
forward
specifically
on
the
ietf,
but
also
perhaps
just
informing
other
sdos
about
things
that
they
want.
They
may
want
to.
AB
A
Okay,
thanks
thanks
jerry,
we,
we
will
actually
try
to
to
get
into
those
type
of
questions,
but
that's
useful
feedback
thanks.
So
moving
on
chosen.
AC
I
think
the
mac
address
net
iph
is
mostly
widely
used
in
the
consumer
device
or
in
business
daily
business
or
in
the
evening
in
industry.
Isn't
that
used
in
mac
address?
So
there's
a
so
if
we
make
some
changes,
I
think
where
a
lot
of
changes
to
the
the
based
on
this
mechanism,
like
we
change
ipv4
to
ipv6,
it
takes
a
very
long
long
time
also
also.
We
also
need
a
consideration
from
the
same
story
from
ipv4
to
ipv56.
AC
AC
So
inside
the
case,
we
need
to
also
consider
the
user
experience
and
keep
the
safety
and
keep
service
continuity.
Also,
I
said
that
the
mac
address
is
widely
used
in
a
lot
of
standards.
I
think,
even
in
inferiority
in
cvp
standard,
they
they
use.
The
faculty
in
immunity
is
a
network.
They
use
the
ue
mac
us
to
add
to
the
authentication,
identification
or
the
packaging
and
the
routing.
So
I
think
just
said
before
previous
people
that
ietf
maybe
is
not
the
only
standard
organization
to
do
this
job.
AD
A
P
Hi
yeah
a
couple
of
thoughts,
so
I'm
not
really
sure
exactly
that.
This
is
something
the
itf
should
do
or
exactly
what
it
should
do.
It
seems
like
in
the
examples
on
this
slide.
P
Now
you
know
we
always
had
the
notion
of
there
being
multiple
ip
addresses
and
devices
could
have
many,
and
you
could
change
your
interface
identifier,
but
some
of
these
same
issues
about
identity
and
so
forth
apply
at
the
ip
layer
too.
It's
not
just
use,
you
know,
mac
addresses,
and
so
I
think
this
needs
to
be
thought
about.
You
know
broader
than
just
you
know
at
the
link
what
happens
at
the
link
layer,
and
so
I
I
think
you
know,
there's
a
lot
of
work
here
to
do
to
sort
of
scope.
P
Well,
first
of
all,
is
there
a
problem
the
itaf
can
solve,
because
this
is
sort
of
the
boundary
between
what
the
itef
it's
sort
of
it's
not
exactly
itaf,
it's
not
exactly
ieee,
I'm
not
sure,
there's
a
good
fit
somewhere.
So
we
need
to
be
very
careful
to
just
if
we're
going
to
do
work
that
it's
something
we
can
actually
do
and
make
successful,
as
opposed
to
just
writing
a
bunch
of
drafts
that
don't
have
any
effect
on
the
industry.
A
A
M
And
here
I
tend
to
agree
that
look
at
the
other
features
and
the
example
use
cases.
It
could
be
possibly
related
to
a
bunch
of
standardization
standardized
organizations.
So
if
we
want
to
focus
on
the
ietf
work,
probably
we
can
look.
We
can
start
from
looking
at
how
it
is
related
to
the
dhcp,
because
in
the
especially
in
the
fixed
network
access
there
there
are
a
lot
of
implementations
like
dhcp
snooping
and
the
proxy.
M
A
A
A
So
the
questions
are:
is
there
community
interest
on
this
topic,
and
here
we
just
ask
openly
for
the
whole
community,
meaning
people
attending
here
then.
The
second
question.
A
Are
there
any
actions
required
at
the
ietf?
We
don't
know
actions
so
don't
read
beyond
those
actions,
it
could
be
information
interactions
with
other
seos,
informational,
graphs,
pcps
or
so
on,
and
finally
people
will
be
interested
to
work
on
this
topic.
A
A
You
will
see
there,
people
are
already
clicking.
G
A
A
A
We
close
it
now,
and
so
we
have
53
people
raising
hand.
Five
people
not
raising
hand
out
of
a
hundred
great.
A
So
the
next
question
is:
are
there
any
actions
required
at
the
ietf?
And
here
again
we
don't
necessarily
know
what
type
of
actions
we
are
asking
openly
whether
an
action
is
simply
informing
other
sdos
about
issues
or
highlighting
things
that
they
might
want
to
consider.
A
It
could
be
informational
drafts,
it
could
be
vcps
or
something
else
that
we
don't
have
not
considered
yet.
So
do
people
think
that
there
are
any
actions
required.
Are
the
idf?
A
A
P
A
Sorry,
sorry,
is
that
which
question
are
you
referring
to.
A
Kind
of
left
it
open-ended
because
this
is
a
non-forming
working
group
buff
and
we
just
wanted
to
get
the
high
level
feedback,
but
indeed,
depending
on
the
the
results
and
the
discussion
here,
we
have
to
do
our
homework
and
perhaps
going
to
into
more
detailed
questions.
A
A
A
All
right,
so
this
gives
us
a
very
good
feedback.
There
has
been
a
lot
of
very
interesting
points
actually
from
people,
and
I
think
we
we
need
to.
We
look
at
all
this
information
and
then
see
how
we
can
consider
it,
but
we
are
getting
close
to
closing
and
I
see
yari
at
the
queue
gary.
Would
you
like
to
say
something.
U
Yeah
just
a
brief
comment
that
at
least
for
me,
the
last
two
questions
were
really
really
difficult.
So
so
maybe
I
would
like
to
work
on
this
if
I
was
convinced
that
there
was
a
sort
of
a
market
need
to
address
successfully,
and
I
think
we
didn't
explore
all
the
questions
that
we
would
need
to
explore
for
us
to
answer
that.
But
but
certainly
more
research
is
needed,
like
let's
try
to
figure
that
out
what
would
make
sense
in
this
space
and
not
not
just
design
new
identifiers.
G
I
would
echo
yuri
that
like
without
knowing
what
specifically
we're
planning
to
work
on
it's
very
difficult
to
answer
these
questions,
but
in
addition
to
yara's
point
that
he's
interested
in
working
on
it.
If
there's
a
good
proposal,
I'm
also
interested
in
working
on
it.
If
there's
a
bad
proposal
to
try
to
make
it
less
bad,
I
think
you
know
something
coming
out
that
that
is
problematic.
I
do
think
we
need
to
engage
and
reduce
the
harms.
A
Okay,
thanks
good
point:
alisa.
R
I
was
thinking
that
maybe
an
action
item
that
people
can
can
take
after
this
is
it
would
be
good.
To
I
mean
we
got
a
good
overview
about
the
work,
the
related
work
in
ieee.
It
would
be
nice
to
have
something
similar
for
wba
and
wfa,
just
to
know
like
the
scope
of
what's
going
on
over
there,
because
it
does
seem
like
one
part
of
this
is
just
maybe
motivating
the
industry
to
adopt
some
of
the
existing
technologies.
R
So
I'm
happy
to
work
with
people
offline
to
you
know,
get
get
something
authoritative
from
from
those
groups
as
well.
We
don't
usually
work
as
closely
with
them
directly,
but
I'm
sure
that
we
can
make
that
happen.
I
think
that
would
be
valuable.
R
A
O
A
A
C
Indeed,
and
and
thank
you
jc
and
carlos
for
running
this
buff,
I
think
it's
pretty
clear
to
everyone
that
many
people
are
interrupted
by
the
topic
and
by
the
way,
a
lot
of
information
was
exchanged
into
the
chat
and,
as
we
all
know,
the
chat
I
recorded.
So
I
put
the
link
on
the
to
the
chat
log
into
the
menu,
so
we
can
go
back
there
and
see
the
useful
information
that
was
exchanged
there.
C
This
could
come
as
multiple
sets
from
documenting
informational
draft
bcp,
either
for
operators
or
even
bcp
for
the
ietf
community,
because
it
changed
somehow
the
the
layer
two
and
the
interaction
that
the
iplayer
can
have
with
the
layer
two,
so
this
could
be
documented
somewhere.
C
C
A
E
A
That's
a
good
reminder
that
please
people
interested
join
the
mailing
list.
That's
going
to
be
the
best
way
to
to
move
on
for
now
with
the
discussion
and
deciding
on
what,
and
if
are
the
next
steps
required.
A
So
with
that,
thanks,
everyone
and
good
night
good
morning
and
good
evening
to
wherever
you
are.