MAC addresses

A MAC address (short for medium access control address or media access control address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI) network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer. As typically represented, MAC addresses are recognizable as six groups of two hexadecimal digits, separated by hyphens, colons, or without a separator.

MAC addresses are primarily assigned by device manufacturers, and are therefore often referred to as the burned-in address, or as an Ethernet hardware address, hardware address, or physical address. Each address can be stored in the interface hardware, such as its read-only memory, or by a firmware mechanism. Many network interfaces, however, support changing their MAC addresses. The address typically includes a manufacturer's organizationally unique identifier (OUI). MAC addresses are formed according to the principles of two numbering spaces based on extended unique identifiers (EUIs) managed by the Institute of Electrical and Electronics Engineers (IEEE): EUI-48—which replaces the obsolete term MAC-48—and EUI-64.

Network nodes with multiple network interfaces, such as routers and multilayer switches, must have a unique MAC address for each network interface in the same network. However, two network interfaces connected to two different networks can share the same MAC address.

Address details

The IEEE 802 MAC address originally comes from the Xerox Network Systems Ethernet addressing scheme.

This 48-bit address space contains potentially 2⁴⁸ (over 281 trillion) possible MAC addresses. The IEEE manages the allocation of MAC addresses, originally known as MAC-48 and now called EUI-48 identifiers. The IEEE has a target lifetime of 100 years (until 2080) for applications using EUI-48 space and restricts applications accordingly. The IEEE encourages adoption of the more plentiful EUI-64 for non-Ethernet applications.

The distinctions between EUI-48 and MAC-48 identifiers are in name and application only. MAC-48 was used to address hardware interfaces within existing 802-based networking applications; EUI-48 is now used for 802-based networking and is also used to identify other devices and software, for example Bluetooth. The IEEE now considers ''MAC-48'' to be an obsolete term. ''EUI-48'' is now used in all cases. In addition, the EUI-64 numbering system originally encompassed both MAC-48 and EUI-48 identifiers by a simple translation mechanism. These translations have since been deprecated.

The Individual Address Block (IAB) is an inactive registry which has been replaced by the ''MA-S'' (''MAC address block, small''), previously named ''OUI-36'', and has no overlaps in addresses with the IAB registry product as of January 1, 2014. The IAB uses an OUI from the ''MA-L'' (''MAC address block, large'') registry, previously called the ''OUI'' registry. The term ''OUI'' is still in use, but the IEEE Registration Authority does not administer them. An OUI is concatenated with 12 additional IEEE-provided bits (for a total of 36 bits), leaving only 12 bits for the organisation owning the IAB to assign to its (up to 4096) individual devices. An IAB is ideal for organizations requiring not more than 4096 unique 48-bit numbers (EUI-48). Unlike an OUI, which allows the assignee to assign values in various number spaces (for example, EUI-48, EUI-64, and the various context-dependent identifier number spaces, as in SNAP or EDID), the Individual Address Block could only be used to assign EUI-48 identifiers. All other potential uses based on the OUI from which the IABs are allocated are reserved and remain the property of the IEEE Registration Authority. Between 2007 and September 2012, the OUI value 00:50:C2 was used for IAB assignments. After September 2012, the value 40:D8:55 was used. Owners of an already assigned IAB may continue to use it.

The MA-S registry includes, for each registrant, both a 36-bit unique number used in some standards and a block of EUI-48 and EUI-64 identifiers (while the registrant of an IAB cannot assign an EUI-64). MA-S does not include assignment of an OUI.

Additionally, the ''MA-M'' (''MAC address block, medium'') provides both 2²⁰ EUI-48 identifiers and 2³⁶ EUI-64 identifiers, the first 28 bits being assigned by IEEE. The first 24 bits of the assigned MA-M block are an OUI assigned to IEEE that will not be reassigned, so the MA-M does not include assignment of an OUI.

Universal vs. local (U/L bit)

Addresses can either be universally administered addresses (UAA) or locally administered addresses (LAA). A universally administered address is uniquely assigned to a device by its manufacturer. The first three octets (in transmission order) identify the organization that issued the identifier and are known as the organizationally unique identifier (OUI). The remainder of the address (three octets in EUI-48 or five in EUI-64) are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. A locally administered address is assigned to a device by software or a network administrator, overriding the burned-in address of a physical device.

Locally administered addresses are distinguished from universally administered addresses by setting (assigning the value of 1 to) the second- least-significant bit of the first octet of the address. This bit is also referred to as the ''U/L'' bit, short for ''Universal/Local'', which identifies how the address is administered.
If the bit is 0, the address is universally administered, which is why this bit is 0 in all UAAs. If it is 1, the address is locally administered. In the example address , the first octet is 06 (hexadecimal), the binary form of which is 00000110, where the second-least-significant bit is 1. Therefore, it is a locally administered address. Even though many hypervisors manage dynamic MAC addresses within their own OUI, often it is useful to create an entire unique MAC within the LAA range.

Universal addresses that are administered locally

In virtualisation, hypervisors such as QEMU and Xen have their own OUIs. Each new virtual machine is started with a MAC address set by assigning the last three bytes to be unique on the local network. While this is local administration of MAC addresses, it is not an LAA in the IEEE sense.

A historical example of this hybrid situation is the DECnet protocol, where the universal MAC address (with Digital Equipment Corporation's OUI AA-00-04) is administered locally. The DECnet software sets the last three bytes of the complete MAC address to (so that the full MAC address is ), where reflects the host's DECnet network address ''xx.yy''. This eliminates the need for DECnet to have an address resolution protocol since the MAC address of any DECnet host can be determined from its DECnet address.

Unicast vs. multicast (I/G bit)

The least significant bit of an address's first octet is referred to as the ''I/G'', or ''Individual/Group'', bit. When this bit is 0 (zero), the frame is meant to reach only one receiving network interface. This type of transmission is called unicast. A unicast frame is transmitted to all nodes within the collision domain. In a modern wired setting (i.e. with ''switches'', not simple '' hubs'') the collision domain usually is the length of the Ethernet cabling between two network interfaces. In a wireless setting, the collision domain is all receivers that can detect a given wireless signal. If a switch does not know which port leads to a given MAC address, the switch will forward a unicast frame to all of its ports (except the originating port), an action known as unicast flood. Only the node with the matching hardware MAC address will (normally) accept the frame; network interfaces with non-matching MAC-addresses ignore the frame unless they are in promiscuous mode.

If the least significant bit of the first octet is set to 1 (i.e. the second hexadecimal digit is odd) the frame will still be sent only once; however, network interface controllers will choose to accept or ignore it based on criteria other than the matching of their individual MAC addresses: for example, based on a configurable list of accepted multicast MAC addresses. This is called multicast addressing.

The IEEE has built in several special address types to allow more than one network interface card to be addressed at one time:
* Packets sent to the broadcast address, all one bits, are received by all stations on a local area network. In hexadecimal the broadcast address would be . A broadcast frame is flooded and is forwarded to and accepted by all other nodes.
* Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.
* Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.

These are all examples of ''group addresses'', as opposed to ''individual addresses''; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and set to 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.

Ranges of group and locally administered addresses

The U/L and I/G bits are handled independently, and there are instances of all four possibilities. IPv6 multicast uses locally administered, multicast MAC addresses in the range (with both bits set).

Given the locations of the U/L and I/G bits, they can be discerned in a single digit in common MAC address notation as shown in the following table:

IEEE 802c local MAC address usage

IEEE standard 802c further divides the locally administered MAC address block into four quadrants. This additional partitioning is called Structured Local Address Plan (SLAP) and its usage is optional.

Applications

The following network technologies use the EUI-48 identifier format:
* IEEE 802 networks
** Ethernet
** 802.11 wireless networks (Wi-Fi)
** Bluetooth
** IEEE 802.5 Token Ring
* Fiber Distributed Data Interface (FDDI)
* Asynchronous Transfer Mode (ATM), switched virtual connections only, as part of an NSAP address
* Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)
* The ITU-T G.hn standard, which provides a way to create a high-speed (up to 1 gigabit/s) local area network using existing home wiring ( power lines, phone lines and coaxial cables). The G.hn Application Protocol Convergence (APC) layer accepts Ethernet frames that use the EUI-48 format and encapsulates them into G.hn Medium Access Control Service Data Units (MSDUs).

Every device that connects to an IEEE 802 network (such as Ethernet and Wi-Fi) has an EUI-48 address. Common networked consumer devices such as PCs, smartphones and tablet computers use EUI-48 addresses.

EUI-64 identifiers are used in:
* IEEE 1394 (FireWire)
* InfiniBand
* IPv6 (Modified EUI-64 as the least-significant 64 bits of a unicast network address or link-local address when stateless address autoconfiguration is used.) IPv6 uses a ''modified EUI-64'', treats MAC-48 as EUI-48 instead (as it is chosen from the same address pool) and inverts the local bit. This results in extending MAC addresses (such as IEEE 802 MAC address) to modified EUI-64 using only (and never ) and with the local bit inverted.
* Zigbee / 802.15.4 / 6LoWPAN wireless personal-area networks
* IEEE 11073-20601 (IEEE 11073-20601 compliant medical devices)

Use in hosts

On broadcast networks, such as Ethernet, the MAC address is expected to uniquely identify each node on that segment and allows frames to be marked for specific hosts. It thus forms the basis of most of the link layer (OSI layer 2) networking upon which upper-layer protocols rely to produce complex, functioning networks.

Many network interfaces support changing their MAC address. On most Unix-like systems, the command utility ifconfig may be used to remove and add link address aliases. For instance, the ''active'' ifconfig directive may be used on NetBSD to specify which of the attached addresses to activate. Hence, various configuration scripts and utilities permit the randomization of the MAC address at the time of booting or before establishing a network connection.

Changing MAC addresses is necessary in network virtualization. In MAC spoofing, this is practiced in exploiting security vulnerabilities of a computer system. Some modern operating systems, such as Apple iOS and Android, especially in mobile devices, are designed to assign a random MAC address to their network interface when scanning for wireless access points to avert tracking systems.

In Internet Protocol (IP) networks, the MAC address of an interface corresponding to an IP address may be queried with the Address Resolution Protocol (ARP) for IPv4 and the Neighbor Discovery Protocol (NDP) for IPv6. Thus ARP and NDP relate OSI layer 3 addresses to layer 2 addresses.

Tracking

Randomization

According to Edward Snowden, the US National Security Agency has a system that tracks the movements of mobile devices in a city by monitoring MAC addresses. To avert this practice, Apple started using random MAC addresses in iOS devices while scanning for networks. Other vendors quickly followed suit. MAC address randomization during scanning was added in Android starting from version 6.0, in Windows 10, and in Linux 3.18. The actual implementations of the MAC address randomization technique vary largely in different devices. Moreover, various flaws and shortcomings in these implementations may allow an attacker to track a device even if its MAC address is changed, for instance its probe requests' other elements, or their timing. If random MAC addresses are not used, researchers have confirmed that it is possible to link a real identity to a particular wireless MAC address.Alt URL
/ref>

Randomized MAC addresses can be identified by the "locally administered" bit described above.

Other information leakage

Using wireless access points in SSID-hidden mode ( network cloaking), a mobile wireless device may not only disclose its own MAC address when traveling, but even the MAC addresses associated to SSIDs the device has already connected to, if they are configured to send these as part of probe request packets. Alternative modes to prevent this include configuring access points to be either in beacon-broadcasting mode or probe-response with SSID mode. In these modes, probe requests may be unnecessary or sent in broadcast mode without disclosing the identity of previously known networks.

Anonymization

Notational conventions

The standard (IEEE 802) format for printing EUI-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens () in transmission order (e.g. ). This form is also commonly used for EUI-64 (e.g. ). Other conventions include six groups of two hexadecimal digits separated by colons (:) (e.g. ), and three groups of four hexadecimal digits separated by dots (.) (e.g. ); again in transmission order.

Bit-reversed notation

The standard notation, also called canonical format, for MAC addresses is written in transmission order with the least significant bit of each byte transmitted first, and is used in the output of the ifconfig, ip address, and ipconfig commands, for example.

However, since IEEE 802.3 (Ethernet) and IEEE 802.4 (Token Bus) send the bytes (octets) over the wire, left-to-right, with the least significant bit in each byte first, while IEEE 802.5 (Token Ring) and IEEE 802.6 (FDDI) send the bytes over the wire with the most significant bit first, confusion may arise when an address in the latter scenario is represented with bits reversed from the canonical representation. For example, an address in canonical form would be transmitted over the wire as bits 01001000 00101100 01101010 00011110 01011001 00111101 in the standard transmission order (least significant bit first). But for Token Ring networks, it would be transmitted as bits 00010010 00110100 01010110 01111000 10011010 10111100 in most-significant-bit first order. The latter might be incorrectly displayed as . This is referred to as ''bit-reversed order'', ''non-canonical form'', ''MSB format'', ''IBM format'', or ''Token Ring format''.

See also

* Hot Standby Router Protocol
* MAC filtering
* Network management
* Sleep Proxy Service, which may spoof another device's MAC address during certain periods
* Transparent bridging
* Virtual Router Redundancy Protocol

Notes

References

{{Reflist, 30em

External links

IEEE Registration Authority Tutorials

IEEE Registration Authority - Frequently Asked Questions


* ttps://standards-oui.ieee.org/oui/oui.txt IEEE Public OUI/MA-L list
IEEE Public OUI-28/MA-M list

IEEE Public OUI-36/MA-S list

IEEE Public IAB list

IEEE IAB and OUI MAC Address Lookup Database and API

IANA list of Ethernet Numbers



Media access control
Network addressing
Unique identifiers