My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

What's Normal: MAC Addresses

Published: 2023-10-13. Last Updated: 2023-10-13 17:12:31 UTC
by Johannes Ullrich (Version: 1)

In this installment of "What's Normal", I want to discuss MAC addresses. MAC addresses are used to identify devices on Ethernet networks. They are six bytes in length and typically expressed in hexadecimal, with the bytes separated by colons or dashes. MAC addresses identify network interfaces on the local network. They must be locally unique and are, to some extent, globally unique.

The first thing to check about a MAC address is the "OUI" (Organizationally Unique Identifier). IEEE assigns these, and you can find the authoritative list here: https://standards-oui.ieee.org/ .

However, some MAC addresses are "normal" but do not use one of the officially assigned OUIs. To see some of the use cases for these addresses, let's look at the first byte of the MAC address more carefully:

7 6 5 4 3 2 1 0
X X X X X X U/L I/G

The last two bits of the first byte of the MAC address have special meaning:

U/L: If this bit is set, the address is globally assigned by IEEE. If not, then it is an address that is not globally assigned. Sometimes, you see these addresses used by VPNs or virtualization solutions (VMware has its own globally assigned range).

I/G: The "individual/group" bit is cleared if this is a unicast address. It is set if it is a multicast/broadcast address. The most notable example is the broadcast address (FF:FF:FF:FF:FF:FF).

But there are some other interesting "odd" MAC addresses that you may run into:

  • Private MAC addresses: Recently, WiFi devices started using random MAC addresses whenever they connect to a new network. This is supposed to prevent tracking a device between different networks. These addresses have the "U/L" bit set, indicating that IEEE does not assign them.
  • 00:00:5e:00:01:01: The entire "00:00:5e" prefix is assigned to IANA for the Virtual Router Redundancy Protocol. You will, for example, see this if you are using two pfSense or OPNsense routers in failover mode. The last byte of the MAC is used to identify the router. https://datatracker.ietf.org/doc/html/rfc5798#section-7.3
  • If you use routers in a failover configuration, you often use two IP addresses for one interface. One IP is shared between both routers and one is unique to each router. This will also trigger various "ARP poisoning alerts."
  • The "MAC Address" isn't always equivalent to the "Hardware Address". Some network cards have longer (eight-byte) hardware addresses. ipconfig on Windows may display these longer addresses and the MAC address used for Ethernet.
  • Various other failover configurations (multiple network interfaces being used for one IP address), like bonded or "team" interfaces, will also often be seen as "odd". You will see multiple MAC addresses for each IP address.
  • In my experience, one of the most common reasons you may have duplicate MAC addresses on your network is if you "move" a VMware virtual machine instead of copying it. "Moving" will retain the MAC address. "Copying" will assign a new MAC address.
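
An added example, not code from the original diary: a Python classifier for the I/G bit, the U/L bit and the VRRP prefix discussed above, plus a helper that lists IP addresses seen with more than one MAC. It treats a set U/L bit (0x02 in the first byte) as locally administered, the reading used in the private MAC address bullet; the function names and the sample observations are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

BROADCAST = bytes([0xFF] * 6)
# 00:00:5e:00:01:{VRID}: VRRP virtual router MAC for IPv4 (RFC 5798, section 7.3)
VRRP_PREFIX = bytes.fromhex("00005e0001")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")

def parse_mac(text):
    """Parse a colon- or dash-separated MAC address into six raw bytes."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a six-byte MAC address: {text!r}")
    return bytes.fromhex(re.sub("[:-]", "", text))

def classify(text):
    """Return descriptive tags derived from the first byte and known prefixes."""
    mac = parse_mac(text)
    if mac == BROADCAST:
        return ["broadcast"]
    tags = ["multicast" if mac[0] & 0x01 else "unicast"]  # I/G bit
    # U/L bit: set means locally administered (not assigned by IEEE)
    tags.append("locally-administered" if mac[0] & 0x02 else "globally-assigned")
    if mac[:5] == VRRP_PREFIX:
        tags.append(f"vrrp-vrid-{mac[5]}")
    return tags

def ips_with_multiple_macs(observations):
    """Map each IP seen with more than one MAC to {mac: tags}."""
    seen = defaultdict(set)
    for ip, mac in observations:
        seen[ip].add(parse_mac(mac).hex(":"))  # normalise case and separator
    return {ip: {m: classify(m) for m in sorted(macs)}
            for ip, macs in seen.items() if len(macs) > 1}

# Constructed (ip, mac) observations, e.g. as extracted from ARP traffic
SAMPLE = [
    ("192.0.2.1", "00:00:5e:00:01:01"),   # shared router IP, VRRP virtual MAC
    ("192.0.2.1", "3C-22-FB-10-20-30"),   # same IP from a physical interface
    ("192.0.2.50", "da:a1:19:00:00:01"),  # randomized "private" address
    ("192.0.2.50", "DA:A1:19:00:00:01"),  # same MAC, different notation
]

if __name__ == "__main__":
    for ip, macs in ips_with_multiple_macs(SAMPLE).items():
        for mac, tags in macs.items():
            print(ip, mac, ",".join(tags))
```

An IP that maps to several MACs where one carries a `vrrp-vrid-N` tag matches the failover case described in the list; one with only unrelated unicast MACs is the case to look at more closely.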

Anything I missed?

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

Comments

Not a miss so much as a related observation: DHCP clients most often use the MAC address as the unique identifier for getting assigned an address. However, while I work in primarily Windows environments, I've noticed for several years that Linux clients often use a much longer identifier, which surprised me until I did a bit of searching to find out what was happening.

Kurt

Kurt
I think there is a typo. It says, "U/L: If this bit is set, the address is globally assigned by IEEE. If not, then it is an address that is not globally assigned," but then it says, "These addresses have the 'U/L' bit set, indicating that IEEE does not assign them."
P.S. The page says "1 comment," but no comment is shown, presumably because it's waiting to be approved.
Regarding private MAC addresses:

> These addresses have the "U/L" bit set, indicating that IEEE does not assign them.

Did you mean to say that those addresses do _not_ have the "U/L" bit set?
Thanks for pointing out the U/L bit issue.
