Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak preventio…

Delete this message

Reply to this message
Author: Daniel Kahn Gillmor
Date:  
To: intrigeri, The Tails public development discussion list
New-Topics: Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak prevention'question
Subject: Re: [Tails-dev] [Secure Desktops] Tails' MAC 'leak prevention'question
On Fri 2016-08-26 14:50:12 -0400, intrigeri wrote:
> Since then, NetworkManager gained the ability to randomize MAC
> addresses [1]. If we delegate the bulk of the work to it, then this
> becomes:
>
> a) We remove the modules blacklist logic.
> b) We set up a boot-time firewall that blocks all outgoing connections
>    to non-loopback interfaces.
> c) Once the user has made their decision wrt. MAC spoofing (that is,
>    in tails-unblock-network, run by PostLogin, just as it is now):

>
>    1. We record that decision in some place where all legitimate
>       interested parties can check it out.
>    2. We configure NM accordingly.
>    3. We replace the boot-time firewall with the production one.
>    4. We start NetworkManager.

>
> Here again, hotplugged interfaces are not as well protected against
> permanent MAC address leaks as the coldplugged ones. But this is
> a compromise we are already doing in our current design.


fwiw, i prefer mac address spoofing at the udev layer since it means the
first userspace tool to see the device gets a chance to set the mac
address immediately.

It's easy enough to do by dropping a file in
/etc/systemd/network/99-default.link with the contents:

    [Link]
    MACAddressPolicy=random


Note that we will also need to tell network-manager to not automatically
reset the MAC address to a its permanent one though, since the defaults
for that setting are wrong:

https://bugzilla.gnome.org/show_bug.cgi?id=770611

for the versions of nm with that crappy default setting, you'll also
want to include a file
/etc/NetworkManager/conf.d/20-mac-addr-preserve.conf with the contents:

    [device-mac-addr-preserve]
    ethernet.cloned-mac-address=preserve
    wifi.cloned-mac-address=preserve


Regards,

--dkg