MAC address randomization failure (user error almost certain) #3905

Closed
knifetheMAC opened this Issue May 17, 2018 · 5 comments


knifetheMAC commented May 17, 2018

Qubes OS version:

Qubes Release 4.0 (R4.0)

Affected component(s):

Debian-9 Template
sys-firewall


Steps to reproduce the behavior:

Using debian-9 template

Create a file named mac.conf in /etc/NetworkManager/conf.d/ directory.
File mac.conf contains:

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}

Create new NetVM named sys-MAC from template containing mac.conf file.

Change virtualization mode to HVM using GUI

Go to qubes settings -> Advanced -> 'Include in memory balancing' and UNcheck box

Shutdown all VMs and assign ethernet device to new NetVM using:

qvm-pci attach --persistent --option permissive=true --option no-strict-reset=true sys-MAC dom0:06_00.0

Configure sys-firewall to run through new sys-MAC NetVM

Disable start-on-boot for sys-net VM

Reboot

Start sys-MAC machine

Connect to Ethernet Network Wired Connection 1 in dom0 using GUI.

Check sys-MAC mac address using:

sudo ip link show

outputs:

(last three octets of MAC and ip6 have been replaced with placeholders)

user@sys-MAC:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether A0:50:99:11:11:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.141/24 brd 192.168.1.255 scope global dynamic ens5
       valid_lft 86355sec preferred_lft 86355sec
    inet6 fe80::120a:2219:f6c9:11aa/11 scope link 
       valid_lft forever preferred_lft forever

sys-firewall is downstream of sys-MAC and outputs:

(last three octets of MAC have been replaced with placeholders)

[user@sys-firewall ~]$ sudo ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:18:2b:11:11:11 brd ff:ff:ff:ff:ff:ff

Expected behavior:

MAC address should be randomized for all downstream VMs.
VMs should not continue to display burned in addresses when prompted with
sudo ip link show

Actual behavior:

Neither of the MAC addresses for sys-MAC or sys-firewall has changed. All subsequent downstream VMs are displaying native hardware addresses.

General notes:

I am a novice Linux user. I have been using Fedora for about a year and Qubes for 6 months. I was using r3.2 until I recently upgraded to r4.0. Thanks for all your hard work!
I have read the FAQ and searched this forum and the Arch Linux wiki along with performing basic Google searches. I cannot tell if I am missing something that should be obvious to a seasoned user (which I am not) or if this is a new bug. Any help would be appreciated and I am willing to post the output of any commands that could help diagnose the issue.


Related issues:

On a related note, I have had some (mixed) results using the iproute2 and macchanger packages. These will allow changing the MAC locally on any 1 machine. However, the sys-net/sys-firewall/sys-VPN VMs do not pass these changes through to any downstream VMs. All uses of sudo ip link show output only the burned in addresses, not the randomized ones.

I have tried to permanently change the MAC address of dom0 and each subsequent (fedora-26) machine by altering the files:

ifcfg-eth0
ifcfg-ens5

but these files are missing from:

/etc/sysconfig/network-scripts


AlmightyLaxz May 17, 2018

Hi,
I'm guessing you are following the docs at https://www.qubes-os.org/doc/anonymizing-your-mac-address/ ?
I believe at the time that was written MAC randomization was only possible through those config options. But now MAC randomization is available in the NetworkManager GUI.

  1. Right click on network manager icon>Edit Connections..
  2. Select desired connection and click edit
  3. Select the Cloned MAC Address drop down and set to Random or Stable
  4. Close and reconnect connection (click on network adapter icon and click disconnect, it should automatically reconnect)

Those steps have worked for me using the default preinstalled sys-net.

As for the behavior, all external connections going out of sys-net would show the new random MAC address (PC to your router). Each VM however, will still show the same MAC address because these are internal virtual network adapters used for routing traffic within Qubes OS. Think of Qubes networking as a private LAN - each VM is an internal host which accesses the outside through a router, the NetVM.

I think you are expecting the outcome to be a random MAC address per VM, which I don't think is currently possible; but the MAC address of each physical network adapter can be randomized using the steps above. You could probably change the MAC address in each VM for that VM's virtual network adapter but this isn't very useful as those MAC addresses only have meaning inside the Qubes machine.
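
A way to check the point made in the comment above, as an added example that is not part of the original thread. By default NetworkManager's Random and Stable modes generate a locally administered address (bit 0x02 of the first octet set), so the script flags any interface in `ip link show` output that still carries a vendor-assigned address. The function names are made up for this example, the ens5 line is the redacted value from the issue, and the ens6 line is constructed sample data.

```shell
#!/bin/sh
# Added example: classify each Ethernet MAC found in `ip link show` output.

# Print "local" when the locally-administered bit (0x02 of the first octet)
# is set, i.e. the second hex digit is 2, 3, 6, 7, A, B, E or F.
# Anything else is "universal": an address taken from a vendor OUI.
mac_kind() {
    case $1 in
        ?[2367abefABEF]:*) echo local ;;
        *)                 echo universal ;;
    esac
}

# Read `ip link show` (or `ip addr`) output on stdin and print
# "<iface> <mac> <kind>" for every interface that has a link/ether line.
audit_ip_link() {
    awk '
        /^[0-9]+: /        { iface = $2; sub(/[:@].*/, "", iface) }
        $1 == "link/ether" { print iface, $2 }
    ' | while read -r iface mac; do
        echo "$iface $mac $(mac_kind "$mac")"
    done
}

# Constructed sample: ens5 as posted in the issue (last three octets are
# placeholders), ens6 as an invented randomized address for comparison.
sample_ip_link() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether A0:50:99:11:11:11 brd ff:ff:ff:ff:ff:ff
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 7e:3c:91:0b:44:d2 brd ff:ff:ff:ff:ff:ff
EOF
}

sample_ip_link | audit_ip_link
```

Run it against live output in the NetVM that owns the physical adapter with `ip link show | audit_ip_link`. A "universal" result on the virtual adapters of downstream VMs is expected, since those addresses never leave the machine.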



andrewdavidwong May 18, 2018

Member

Related to (perhaps even a duplicate of) #938.


@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone May 18, 2018


AlmightyLaxz May 18, 2018

> Related to (perhaps even a duplicate of) #938.

That issue was when NetworkManager had no MAC randomization functionality, now that it does it could probably be closed.

I have made a PR to the docs for randomizing MAC addresses through the GUI Network Manager which could make it easier for less experienced users.
QubesOS/qubes-doc#652
QubesOS/qubes-attachment#15



knifetheMAC May 18, 2018

Thank you AlmightyLaxz

> I'm guessing you are following the docs at https://www.qubes-os.org/doc/anonymizing-your-mac-address/ ?

Yes, this was the guide that I was following. I was unable to get this method to work on r4.0, but this is most likely due to my inexperience.

> 1. Right click on network manager icon>Edit Connections..
> 2. Select desired connection and click edit
> 3. Select the Cloned MAC Address drop down and set to Random or Stable
> 4. Close and reconnect connection (click on network adapter icon and click disconnect, it should automatically reconnect)

Following the steps that you provided allowed me to randomize my MAC.

> Each VM however, will still show the same MAC address because these are internal virtual network adapters used for routing traffic within Qubes OS. Think of Qubes networking as a private LAN - each VM is an internal host which accesses the outside through a router, the NetVM.

This was very helpful. I now understand that the MAC randomization will only be detectable once it leaves the LAN.

> As for the behavior, all external connections going out of sys-net would show the new random MAC address (PC to your router).

I can now verify the MAC is changing by monitoring the outgoing traffic on my router.

Thanks again!

