F40 Change Proposal: Wifi MAC Randomization (System Wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Wiki -> https://fedoraproject.org/wiki/Changes/WifiMACRandomization

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Adopt stable-ssid as the default MAC address randomization mode for
Wi-Fi networks in NetworkManager for Fedora 40, enhancing user privacy
without compromising network stability.


== Owner ==
* Name: [[User:sfaye| Stanislas FAYE]], [[User:Till| Till Maas]]
* Email:  <sfaye@xxxxxxxxxx>, <till@xxxxxxxxxxxxxxxxx>


== Detailed Description ==
The change involves adding a new file,
/usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf. This file sets
`wifi.cloned-mac-address=”stable-ssid”` as the default mode for MAC
address randomization in Wi-Fi connections within NetworkManager for
[https://docs.fedoraproject.org/en-US/releases/f40/ Fedora Linux 40].
The `stable-ssid` mode, which generates a MAC address based on the
network's SSID, is aimed at enhancing user privacy. This new default
value will apply to Wi-Fi profiles in
[https://docs.fedoraproject.org/en-US/releases/f40/ Fedora Linux 40],
but profiles have the option to explicitly set different values to
override the default.
The content of the added file is:
   [connection.22-wifi-mac-addr]
   match-device=type:wifi
   wifi.cloned-mac-address=stable-ssid

   [.config]
   enable=nm-version-min:1.45

For further details, please refer to `man NetworkManager.conf`.

Note that this change will impact networks that rely on static MAC
addresses. Users may need to adjust their Wi-Fi settings, particularly
if their network operations depend on consistent MAC addresses. For
example, networks with access control based on MAC addresses will need
to explicitly set `wifi.cloned-mac-address` to “preserve” in network
profiles to avoid any disruptions in connectivity.


== Benefit to Fedora ==
This change enhances user privacy by addressing the issue of MAC
address tracking method used by network operators and advertisers to
gather data about users’ movements and device usage patterns. By
randomizing MAC addresses, Fedora reduces the potential for this type
of passive surveillance, thereby enhancing individual privacy. It
aligns Fedora with privacy-focused features present in other modern
operating systems. The generated MAC address under the `stable-ssid`
mode is derived from the network’s SSID, a per-host key (from
`/etc/machine-id` and `/var/lib/NetworkManager/secret_key`), and a
per-interface identifier.


== Scope ==
* Proposal owners:
The [https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1789
merge request] is already merged upstream.

* Other developers: N/A

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==

With the adoption of `stable-ssid` as the default in Fedora 40,
existing users may experience changes in their Wi-Fi connection
behavior, particularly those whose network setups depend on fixed MAC
addresses. It’s crucial for users to be aware that upgrading to Fedora
40 will apply this new MAC address randomization by default. Users
needing to maintain consistent MAC addresses for specific networks can
address this by following one of these steps:

1. Manually set `wifi.cloned-mac-address` to `permanent` for specific
profiles using

   `nmcli connection modify [$PROFILE] wifi.cloned-mac-address permanent`

2. Create a custom configuration file in
`/etc/NetworkManager/conf.d/22-wifi-mac-addr.conf`, which can be empty
or contain specific configurations. This will prevent the default file
in `/usr/lib` from being loaded.

3. Create a higher priority .conf file like
/etc/NetworkManager/conf.d/90-wifi-mac-addr.conf with:

   [connection-90-wifi-mac-addr-conf]
   wifi.cloned-mac-address=permanent

For details on the order in which configuration files are loaded and
their priority, refer to `man NetworkManager.conf`


== How To Test ==
* Upgrade NetworkManager to version 1.45 or newer  implementing the
stable-ssid mode
* Connect to Wi-Fi network using nmcli or the GNOME network settings
* Use `ip link show` (replacing [device] with your Wi-Fi device’s
name) to check the MAC address assigned to the device.
* Note the MAC address and reconnect to the same network to confirm
that the MAC address remains consistent across sessions.
* Connect to different Wi-Fi networks and observe the MAC address for
each connection.
* Ensure that the MAC address is derived from the network’s SSID.
* Manually override the MAC address for a specific Wi-Fi profile using
`nmcli connection modify [profile] wifi.cloned-mac-address
[your-mac-address]` to set a specific MAC address
* Reconnect to the network and use `nmcli device show [device]` to
verify that the specified MAC address is being used.

== User Experience ==
Users will experience an additional layer of privacy without any
required action on their part. The change is transparent, with minimal
impact on the day-to-day user experience. However, for those with
specific network configurations reliant on static MAC addresses, this
update may require manual adjustments to network profile settings.
Users in such scenarios will need to be aware of the change and how to
revert to a fixed MAC address if necessary, ensuring their network
connectivity aligns with their requirements.

== Dependencies ==
N/A


== Contingency Plan ==
* Contingency mechanism: Revert to previous MAC address handling if
significant issues arise.
* Contingency deadline: Beta freeze of Fedora 40.
* Blocks release? No


== Documentation ==
No documentation change is required.

== Release Notes ==
The change will be mentioned in the Release Notes.


-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux