* Wrong source MAC for DHCP requests with AddressRandomization=network
From: Toke Høiland-Jørgensen @ 2023-11-24 11:58 UTC (permalink / raw)
To: iwd
Hi
When setting AddressRandomization=network in main.conf, I am unable to
connect to networks because I don't get a DHCP reply after the L2
connection.
Looking at a packet dump, it seems the DHCP request uses the wrong
source MAC in the request:
12:42:27.268867 1e:aa:ca:6d:0d:e0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 26:db:f3:cb:58:e2, length 300
Running 'dhcpcd' uses the right source MAC, and gets a reply:
12:42:28.631616 1e:aa:ca:6d:0d:e0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
12:42:28.634842 92:0a:9a:27:ca:65 > 1e:aa:ca:6d:0d:e0, ethertype IPv4 (0x0800), length 359: 10.42.3.33.67 > 10.42.3.52.68: BOOTP/DHCP, Reply, length 317
12:42:28.635323 1e:aa:ca:6d:0d:e0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
12:42:28.636450 92:0a:9a:27:ca:65 > 1e:aa:ca:6d:0d:e0, ethertype IPv4 (0x0800), length 359: 10.42.3.33.67 > 10.42.3.52.68: BOOTP/DHCP, Reply, length 317
The initial connection after starting iwd works, but connecting to
another network later fails, so it seems to be related to the
per-network MAC address selection. Changing the config to
AddressRandomization=once makes this issue go away.
This issue occurs with both iwd 2.8 and 2.9 (on Arch Linux and iwlwifi
hardware).
-Toke
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Denis Kenzior @ 2023-11-24 16:23 UTC (permalink / raw)
To: Toke Høiland-Jørgensen, iwd
Hi Toke,
On 11/24/23 05:58, Toke Høiland-Jørgensen wrote:
> Hi
>
> When setting AddressRandomization=network in main.conf, I am unable to
> connect to networks because I don't get a DHCP reply after the L2
> connection.
>
> Looking at a packet dump, it seems the DHCP request uses the wrong
> source MAC in the request:
>
Can you try the following patch on the ell mailing list? Here's the patchwork
link in case you're not subscribed:
https://patchwork.kernel.org/project/ell/patch/20231124161740.1243946-1-denkenz@gmail.com/
Regards,
-Denis
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Toke Høiland-Jørgensen @ 2023-11-24 16:53 UTC (permalink / raw)
To: Denis Kenzior, iwd
Denis Kenzior <denkenz@gmail.com> writes:
> Hi Toke,
>
> On 11/24/23 05:58, Toke Høiland-Jørgensen wrote:
>> Hi
>>
>> When setting AddressRandomization=network in main.conf, I am unable to
>> connect to networks because I don't get a DHCP reply after the L2
>> connection.
>>
>> Looking at a packet dump, it seems the DHCP request uses the wrong
>> source MAC in the request:
>>
>
> Can you try the following patch on the ell mailing list? Here's the patchwork
> link in case you're not subscribed:
> https://patchwork.kernel.org/project/ell/patch/20231124161740.1243946-1-denkenz@gmail.com/
Yup, that resolves the issue so that I can connect. However, these are the
DHCP packets I see when moving between two networks (back and forth):
17:49:59.040639 1e:aa:ca:6d:0d:e0 > 92:0a:9a:27:ca:65, ethertype IPv4 (0x0800), length 342: 10.42.3.52.68 > 10.42.3.33.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
17:49:59.392682 ba:06:75:75:30:90 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ba:06:75:75:30:90, length 300
17:49:59.396012 e6:49:86:36:22:bf > ba:06:75:75:30:90, ethertype IPv4 (0x0800), length 335: 10.42.3.97.67 > 10.42.3.102.68: BOOTP/DHCP, Reply, length 293
17:49:59.396167 ba:06:75:75:30:90 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ba:06:75:75:30:90, length 300
17:49:59.397811 e6:49:86:36:22:bf > ba:06:75:75:30:90, ethertype IPv4 (0x0800), length 335: 10.42.3.97.67 > 10.42.3.102.68: BOOTP/DHCP, Reply, length 293
17:50:03.306455 ba:06:75:75:30:90 > e6:49:86:36:22:bf, ethertype IPv4 (0x0800), length 342: 10.42.3.102.68 > 10.42.3.97.67: BOOTP/DHCP, Request from ba:06:75:75:30:90, length 300
17:50:03.614293 1e:aa:ca:6d:0d:e0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
17:50:03.619009 92:0a:9a:27:ca:65 > 1e:aa:ca:6d:0d:e0, ethertype IPv4 (0x0800), length 359: 10.42.3.33.67 > 10.42.3.52.68: BOOTP/DHCP, Reply, length 317
17:50:03.619085 1e:aa:ca:6d:0d:e0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
17:50:03.620141 92:0a:9a:27:ca:65 > 1e:aa:ca:6d:0d:e0, ethertype IPv4 (0x0800), length 359: 10.42.3.33.67 > 10.42.3.52.68: BOOTP/DHCP, Reply, length 317
As you can see, in each case, there's an initial unicast request that
contains the old MAC and IP. Which seems to be a bit counterproductive
if this is supposed to be a privacy feature that doesn't leak addresses
across networks? :)
-Toke
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Denis Kenzior @ 2023-11-24 17:09 UTC (permalink / raw)
To: Toke Høiland-Jørgensen, iwd
Hi Toke,
>
> Yup, that resolves the issue so that I can connect. However, these are the
> DHCP packets I see when moving between two networks (back and forth):
>
Excellent.
>
> 17:49:59.040639 1e:aa:ca:6d:0d:e0 > 92:0a:9a:27:ca:65, ethertype IPv4 (0x0800), length 342: 10.42.3.52.68 > 10.42.3.33.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
Looking at the timestamps, are you sure this isn't a DHCP RELEASE going out to
the old network? Enabling DHCP client debugging might be helpful:
export IWD_DHCP_DEBUG=debug
<start iwd>
>
> As you can see, in each case, there's an initial unicast request that
iwd should be sending a DHCP release when we start to leave the network. Maybe
it is being sent at the wrong time (after we queue the CMD_DISCONNECT), but it
should never make it out to the new AP over the air since the client is stopped
once the disassociation is detected.
> contains the old MAC and IP. Which seems to be a bit counterproductive
> if this is supposed to be a privacy feature that doesn't leak addresses
> across networks? :)
Definitely. Can you provide more detailed logs if you still suspect this is
happening?
Regards,
-Denis
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Toke Høiland-Jørgensen @ 2023-11-24 17:51 UTC (permalink / raw)
To: Denis Kenzior, iwd
Denis Kenzior <denkenz@gmail.com> writes:
> Hi Toke,
>
>>
>> Yup, that resolves the issue so that I can connect. However, these are the
>> DHCP packets I see when moving between two networks (back and forth):
>>
>
> Excellent.
>
>>
>> 17:49:59.040639 1e:aa:ca:6d:0d:e0 > 92:0a:9a:27:ca:65, ethertype IPv4 (0x0800), length 342: 10.42.3.52.68 > 10.42.3.33.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
>
> Looking at the timestamps, are you sure this isn't a DHCP RELEASE going out to
> the old network?
Ah, yes, you're right, that's the release - my bad! Didn't realise a
release was also a "request" type at the top protocol level :)
So in that case, thanks for the quick fix!
-Toke
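The two checks this thread turns on, as an added example (not part of the original messages, and not iwd or ell code): comparing the Ethernet source address with the BOOTP chaddr field, and reading DHCP option 53 to tell a RELEASE from a REQUEST, since both carry op=BOOTREQUEST and tcpdump's one-line summary prints both as "Request". The payloads are constructed from the addresses in the captures above; the message types given to them and the helper names are assumptions.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options
OPS = {1: "BOOTREQUEST", 2: "BOOTREPLY"}
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def build_bootp(chaddr, msg_type, ciaddr="0.0.0.0"):
    """Constructed sample payload: a client-sent message (op=1) with option 53 only."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    ip = bytes(int(o) for o in ciaddr.split("."))
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(hw), 0,
                        0x1234, 0, 0, ip, bytes(4), bytes(4), bytes(4), hw, b"", b"")
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])

def inspect_dhcp(eth_src, payload):
    """Compare the frame's source MAC with chaddr and decode op and option 53."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, hlen = payload[0], min(payload[2], 16)
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # 255 ends the option list
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            msg_type = TYPES.get(value[0], f"unknown({value[0]})")
        i += 2 + length
    return {"op": OPS.get(op, "unknown"), "type": msg_type, "chaddr": chaddr,
            "mismatch": chaddr != eth_src.lower()}

# Addresses come from the captures in this thread; the message types are assumed,
# because the one-line tcpdump output does not show option 53.
ETH_SRC = "1e:aa:ca:6d:0d:e0"
stale = inspect_dhcp(ETH_SRC, build_bootp("26:db:f3:cb:58:e2", 3))
release = inspect_dhcp(ETH_SRC, build_bootp(ETH_SRC, 7, ciaddr="10.42.3.52"))

if __name__ == "__main__":
    print(stale)     # chaddr differs from the frame's source MAC
    print(release)   # op is still BOOTREQUEST, option 53 says RELEASE
```

On a live capture, `tcpdump -v` prints the DHCP-Message option, which gives the same distinction without parsing the payload by hand.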
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Rhys Perry @ 2023-11-24 19:21 UTC (permalink / raw)
To: Toke Høiland-Jørgensen; +Cc: Denis Kenzior, iwd
On Fri, 24 Nov 2023 at 17:51, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>
> Denis Kenzior <denkenz@gmail.com> writes:
>
> > Hi Toke,
> >
> >>
> >> Yup, that resolves the issue so that I can connect. However, these are the
> >> DHCP packets I see when moving between two networks (back and forth):
> >>
> >
> > Excellent.
> >
> >>
> >> 17:49:59.040639 1e:aa:ca:6d:0d:e0 > 92:0a:9a:27:ca:65, ethertype IPv4 (0x0800), length 342: 10.42.3.52.68 > 10.42.3.33.67: BOOTP/DHCP, Request from 1e:aa:ca:6d:0d:e0, length 300
> >
> > Looking at the timestamps, are you sure this isn't a DHCP RELEASE going out to
> > the old network?
>
> Ah, yes, you're right, that's the release - my bad! Didn't realise a
> release was also a "request" type at the top protocol level :)
>
> So in that case, thanks for the quick fix!
>
> -Toke
>
Just gonna tack on the end here that I was also experiencing this
issue - posted about it in the IRC but there was no response. Thanks
for the fix :)
* Re: Wrong source MAC for DHCP requests with AddressRandomization=network
From: Denis Kenzior @ 2023-11-25 23:30 UTC (permalink / raw)
To: Rhys Perry, Toke Høiland-Jørgensen; +Cc: iwd
Hi Rhys,
>
> Just gonna tack on the end here that I was also experiencing this
> issue - posted about it in the IRC but there was no response. Thanks
> for the fix :)
Please post any bug reports to the mailing list in the future; it has much more
visibility than IRC nowadays.
Regards,
-Denis