Liaison statement
Liaison statement on Randomized and Changing MAC Address

Additional information about IETF liaison relationships is available on the IETF webpage and the Internet Architecture Board liaison webpage.
State: Posted
Submitted Date: 2023-12-01
From Group: IEEE-802-1
From Contact: Glenn Parsons
To Group: madinas
To Contacts:
  Carlos Jesús Bernardos <cjbc@it.uc3m.es>
  Juan-Carlos Zúñiga <juzuniga@cisco.com>
Cc:
  Carlos Jesús Bernardos <cjbc@it.uc3m.es>
  Erik Kline <ek.ietf@gmail.com>
  Éric Vyncke <evyncke@cisco.com>
  Juan-Carlos Zúñiga <juzuniga@cisco.com>
  MAC Address Device Identification for Network and Application Services Discussion List <madinas@ietf.org>
  János Farkas <janos.farkas@ericsson.com>
Response Contact:
  Paul Nikolich <p.nikolich@ieee.org>
  Glenn Parsons <glenn.parsons@ericsson.com>
  John Messenger <JMessenger@advaoptical.com>
Purpose: For action
Deadline: 2024-01-31 (Action Needed)
Attachments
Body
The IEEE 802.1 Working Group has reviewed the draft "Liaison on Randomized and
Changing MAC Address" (draft-ietf-madinas-mac-address-randomization-09) and has
the following comments:

(1) Regarding the paragraph beginning “The IEEE 802.1 working group …” we
propose replacement with a version that more accurately summarizes the SLAP:

IEEE Std 802 [IEEE_802], as of the amendment IEEE 802c-2017 [IEEE_802c],
specifies a local MAC address space structure known as the Structured Local
Address Plan (SLAP). The SLAP designates a range of Extended Local Identifiers
(ELIs) for subassignment within a block of addresses assigned by the IEEE
Registration Authority via a Company ID (CID). A range of local MAC addresses
is designated for Standard Assigned Identifiers (SAI) to be specified by IEEE
802 standards. Another range of local MAC addresses is designated for
Administratively Assigned Identifiers (AAI) subject to assignment by a network
administrator.

(2) Regarding (1), we suggest adding to [12] the reference:

[IEEE_802] "IEEE Std 802 - IEEE Standard for Local and Metropolitan Area
Networks: Overview and Architecture", IEEE 802, 2014.

(3) We propose deleting unintelligible information from some of the referenced
IEEE standards; namely, "architecture, 8. W. -. 8. L., " from IEEE_802c,
"architecture, 8. W. -. 8. L., " from IEEE_802E, and "Group, 8. W. -. W. L. W.,
" from IEEE_802_11_aq.

(4) A major conclusion of the work in IEEE Std 802E concerned the difficulty of
defending privacy against adversaries of any sophistication. In particular it
has been shown that individuals can be successfully tracked by fingerprinting
using aspects of their communication other than MAC Addresses or other
permanent identifiers. Machine learning techniques facilitate fingerprinting
without the adversary needing to understand the technical reasons for the
correlation. There is a danger in the short reference currently in the MADINAS
draft that the reader might conclude that replacing a permanent identifier with
a temporary identifier *will improve* privacy, as opposed to avoiding making
things worse if the other contributions to fingerprinting have been addressed -
"reaching the conclusions" can overstate the expected privacy gain. The issue
of identifiers relates not just to service quality in any narrow sense, but
more broadly to providing service. The recently completed IEEE Std
802.1AEdk-2023: MAC Privacy protection includes an Informative Annex responding
to the IEEE Std 802E call for privacy study.

(5) Regarding the paragraph beginning with “Work within the IEEE 802.1 Security
task group…” we propose a replacement that is more accurate:

IEEE Std 802E-2020: Recommended Practice for Privacy Considerations for IEEE
802 Technologies [IEEE_802E] recommends the use of temporary and transient
identifiers if there are no compelling reasons for a newly introduced
identifier to be permanent. This Recommended Practice is part of the basis for
the review of user privacy solutions for IEEE Std 802.11 (aka Wi-Fi) devices as
part of the RCM [rcm_privacy_csd] efforts. Annex T of IEEE Std 802.1AEdk-2023:
MAC Privacy Protection discusses privacy considerations in bridged networks.

(6) Since all readers may not be aware that IEEE 802 standards are available
for free from the IEEE GET program, we suggest including this information at
the beginning of the Informative References section:

IEEE 802 standards are available free via the IEEE GET Program at
https://ieeexplore.ieee.org/browse/standards/get-program/page/series?id=68.

(7) In the introduction text of this draft, reference is made to cellular
networks. These networks do not (currently at least) use MAC addresses. It is
suggested to remove the reference to cellular to avoid confusion.

Thank you for your consideration of these matters, and we welcome continued
collaboration going forward.