US-12621296-B2 - Correlations between private network addresses and assigned network addresses
Abstract
In some examples, a management system receives, from an electronic device, a message containing a first information element that includes a first address of the electronic device, and a second information element that includes a device identifier of the electronic device, where the first address differs from an assigned network address assigned to the electronic device. In response to the first address extracted from the first information element and the device identifier extracted from the second information element of the message, the management system generates correlation information that associates a private network address of the electronic device with a value that represents the assigned network address. The management system applies a management action for the electronic device based on the correlation information.
Inventors
- Takaharu Tanaka
Assignees
- HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Dates
- Publication Date
- 20260505
- Application Date
- 20230111
Claims (18)
- 1 . A non-transitory machine-readable storage medium comprising instructions that upon execution cause a management system to: receive, at the management system from an electronic device, a message containing a first information element that includes a private network address of the electronic device, and a second information element that includes a device identifier of the electronic device, wherein the private network address differs from an assigned network address assigned to the electronic device; in response to the private network address extracted from the first information element and the device identifier extracted from the second information element of the message, generate correlation information that associates the private network address of the electronic device with a value that represents the assigned network address; and apply a management action for the electronic device based on the correlation information, wherein the device identifier in the message is the assigned network address, and the value, in the correlation information, that represents the assigned network address is the assigned network address.
- 2 . The non-transitory machine-readable storage medium of claim 1 , wherein the private network address is a randomized Media Access Control (MAC) address.
- 3 . The non-transitory machine-readable storage medium of claim 1 , wherein the first information element is part of a header of a packet comprising the message.
- 4 . The non-transitory machine-readable storage medium of claim 1 , wherein the applying of the management action based on the correlation information comprises using the correlation information to verify that the electronic device is registered with the management system.
- 5 . The non-transitory machine-readable storage medium of claim 1 , wherein the message is a Dynamic Host Configuration Protocol (DHCP) message.
- 6 . The non-transitory machine-readable storage medium of claim 1 , wherein the instructions upon execution cause the management system to: receive, at the management system from the electronic device, a further message that requests information to allow the electronic device to communicate over a network, wherein the further message contains the private network address; and authenticate the electronic device in response to determining that the correlation information associates the private network address with the value that represents the assigned network address, wherein the management action comprises the authenticating of the electronic device.
- 7 . The non-transitory machine-readable storage medium of claim 6 , wherein the further message is to request an Internet Protocol (IP) address, and wherein the private network address is a randomized Media Access Control (MAC) address.
- 8 . The non-transitory machine-readable storage medium of claim 1 , wherein the device identifier in the message is a program-generated identifier of the electronic device generated by a program in the electronic device, and the value, in the correlation information, that represents the assigned network address is derived based on the program-generated identifier.
- 9 . The non-transitory machine-readable storage medium of claim 8 , wherein the value that represents the assigned network address is a pseudo network address.
- 10 . The non-transitory machine-readable storage medium of claim 1 , wherein a portion of the message containing the second information element is encrypted with an encryption key.
- 11 . The non-transitory machine-readable storage medium of claim 1 , wherein the message is a first message, and wherein the instructions upon execution cause the management system to: receive a second message containing the private network address of the electronic device; in response to the second message, determine whether the correlation information is present in the management system; and in response to determining that the correlation information is not present in the management system, send a response to the second message, the response containing a remediation zone Internet Protocol (IP) address assigned to the electronic device.
- 12 . The non-transitory machine-readable storage medium of claim 1 , wherein the management action comprises an authenticated Dynamic Host Configuration Protocol (DHCP) process.
- 13 . The non-transitory machine-readable storage medium of claim 1 , wherein the management action comprises confirming, as part of a network access control process, that the electronic device has a configuration in compliance with a policy.
- 14 . The non-transitory machine-readable storage medium of claim 1 , wherein the management action comprises disconnecting a further electronic device from a network in response to determining that a private network address of the further electronic device is not correlated by correlation information to a value representing an assigned network address of the further electronic device.
- 15 . A management system comprising: a hardware processor; and a non-transitory storage medium storing instructions executable on the hardware processor to: receive, at the management system from an electronic device, a message containing a first information element that includes a private network address of the electronic device, and a second information element that includes a device identifier of the electronic device, wherein the private network address differs from an assigned network address assigned to the electronic device; in response to the private network address extracted from the first information element and the device identifier extracted from the second information element of the message, generate correlation information that associates the private network address of the electronic device with a value that represents the assigned network address; receive, at the management system from the electronic device, a request for a management action, the request containing the private network address of the electronic device; in response to the request, determine whether the private network address is in the correlation information; and in response to the private network address being in the correlation information, apply the management action for the electronic device, wherein the device identifier in the message is a program-generated device identifier, and wherein the instructions are executable on the hardware processor to: generate a pseudo network address based on the program-generated device identifier, wherein the correlation information associates the private network address with the pseudo network address.
- 16 . The management system of claim 15 , wherein the device identifier in the message is the assigned network address, and the correlation information associates the private network address with the assigned network address.
- 17 . A method of a management system, comprising: receiving, at the management system from an electronic device, a message containing a first information element that includes a private Media Access Control (MAC) address of the electronic device, and a second information element that includes a device identifier of the electronic device, wherein the private MAC address differs from an assigned MAC address assigned to the electronic device; in response to the private MAC address extracted from the first information element and the device identifier extracted from the second information element of the message, generating, at the management system, correlation information that associates the private MAC address of the electronic device with a value that represents the assigned MAC address; receiving, at the management system from the electronic device, a request for a management action, the request containing the private MAC address of the electronic device; in response to the request, determining, by the management system, whether the private MAC address is in the correlation information; and in response to the private MAC address being in the correlation information, applying, by the management system, the management action for the electronic device, wherein the device identifier in the message is the assigned network address, and the value, in the correlation information, that represents the assigned network address is the assigned network address.
- 18 . The method of claim 17 , wherein the device identifier in the message is the assigned MAC address or a program-generated device identifier.
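As an added illustration, not code from the patent or from HPE: a toy Python model of the mechanism in claims 1, 5, 8, 9, 11 and 15. The electronic device sends a DHCP message whose header `chaddr` field carries the private (randomized) MAC and whose client-identifier option carries either the assigned MAC or a program-generated identifier; the management system stores the correlation and later leases a normal address only to private MACs it has correlated, sending everything else to a remediation-zone address. The use of DHCP option 61 as the "second information element", the SHA-256 derivation of the pseudo MAC, and all MACs, identifiers and IP addresses are assumptions constructed for the example; the patent text does not specify them.

```python
"""Toy assigned-MAC-based management system (added example, not the patent's code)."""
import hashlib
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie
OPT_CLIENT_ID = 61                  # RFC 2132 client identifier; assumed to carry the device identifier
OPT_END = 255

# Constructed sample identities (not from the patent).
ASSIGNED_MAC = bytes.fromhex("3c2201aabbcc")   # "real" MAC, globally administered (bit 0x02 clear)
PRIVATE_MAC = bytes.fromhex("0a1b2c3d4e5f")    # randomized MAC, locally administered (bit 0x02 set)
PROGRAM_ID = b"agent-uuid-7c0f"                 # opaque program-generated identifier


def build_dhcp(chaddr: bytes, client_id: Optional[bytes]) -> bytes:
    """Minimal DHCP request: 236-byte BOOTP header, magic cookie, optional option 61, END.
    chaddr is the header field that carries the private MAC (claim 3)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x12345678, 0, 0,           # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytearray(DHCP_MAGIC)
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    options.append(OPT_END)
    return header + bytes(options)


def parse_dhcp(msg: bytes) -> tuple:
    """Return (chaddr, {option_code: value}). Ignores option overload into sname/file."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    chaddr = msg[28:28 + msg[2]]            # hlen at offset 2, chaddr at offset 28
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                     # pad option
            i += 1
            continue
        length = msg[i + 1]
        options[msg[i]] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return chaddr, options


class ManagementSystem:
    """Assigned-MAC-based management system holding the correlation information."""

    def __init__(self, pool, remediation_ip: str):
        self.correlation = {}          # private MAC -> value representing the assigned MAC
        self.registered = set()        # assigned MACs enrolled with the enterprise
        self.pool = list(pool)
        self.remediation_ip = remediation_ip

    def register_device(self, assigned_mac: bytes) -> None:
        self.registered.add(assigned_mac)

    @staticmethod
    def pseudo_mac(program_id: bytes) -> bytes:
        """Claim 9: pseudo network address derived from a program-generated identifier.
        Derivation is an assumption: SHA-256 truncated to 6 bytes, forced to a
        locally administered unicast address so it cannot collide with a real OUI."""
        d = bytearray(hashlib.sha256(program_id).digest()[:6])
        d[0] = (d[0] | 0x02) & 0xFE
        return bytes(d)

    def correlate(self, msg: bytes) -> Optional[bytes]:
        """Claims 1 and 8: private MAC from the header, device identifier from option 61."""
        private_mac, options = parse_dhcp(msg)
        cid = options.get(OPT_CLIENT_ID)
        if cid is None:
            return None
        if len(cid) == 7 and cid[0] == 1:       # type 1 = hardware address: the assigned MAC itself
            value = cid[1:]
        else:                                   # anything else: program-generated identifier
            value = self.pseudo_mac(cid)
        self.correlation[private_mac] = value
        return value

    def is_registered(self, private_mac: bytes) -> bool:
        """Claim 4: the correlated value must be an enrolled assigned MAC."""
        return self.correlation.get(private_mac) in self.registered

    def handle_request(self, msg: bytes) -> str:
        """Claims 11 and 15: normal lease only if the private MAC is correlated, else remediation zone."""
        private_mac, _ = parse_dhcp(msg)
        if private_mac not in self.correlation:
            return self.remediation_ip
        return self.pool.pop(0)


def demo() -> dict:
    ms = ManagementSystem(pool=["10.10.1.50", "10.10.1.51"], remediation_ip="10.99.0.7")
    ms.register_device(ASSIGNED_MAC)
    # First message: private MAC in chaddr, assigned MAC in option 61 (type 1).
    value = ms.correlate(build_dhcp(PRIVATE_MAC, b"\x01" + ASSIGNED_MAC))
    # Later request carrying only the private MAC: the correlation lets it through.
    lease = ms.handle_request(build_dhcp(PRIVATE_MAC, None))
    # Never-correlated private MAC: remediation zone address.
    quarantine = ms.handle_request(build_dhcp(bytes.fromhex("0a9999999999"), None))
    # Program-generated identifier: correlated to a pseudo MAC instead of a real one.
    pseudo = ms.correlate(build_dhcp(bytes.fromhex("0a7777777777"), PROGRAM_ID))
    return {"value": value, "lease": lease, "quarantine": quarantine, "pseudo": pseudo,
            "registered": ms.is_registered(PRIVATE_MAC),
            "pseudo_registered": ms.is_registered(bytes.fromhex("0a7777777777"))}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check before relying on this. First, the model takes the client-identifier option at face value; anyone on the segment can put a registered assigned MAC into it and inherit that device's standing, which is exactly why claim 10 has the second information element encrypted with a key. Second, a stock DHCP client that randomizes its MAC does not volunteer the hardware MAC elsewhere in the message, so the scheme presupposes software on the device (the "program" of claim 8) that populates that element.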
Description
BACKGROUND
Electronic devices are able to connect to networks to communicate with other devices. An electronic device is assigned a network address that is used in communications of the electronic device over a network. The network address can include a Media Access Control (MAC) address.
BRIEF DESCRIPTION OF THE DRAWINGS
Some implementations of the present disclosure are described with respect to the following figures. FIG. 1 is a block diagram of an arrangement that includes a client device and a management system according to some examples. FIGS. 2 and 3A-3B are message flow diagrams of processes performed by electronic devices and management systems according to some examples. FIG. 4 is a block diagram of a storage medium storing machine-readable instructions according to some examples. FIG. 5 is a block diagram of a system according to some examples. FIG. 6 is a flow diagram of a process according to some examples.
Throughout the drawings, identical reference numbers designate similar, but not necessarily identical, elements. The figures are not necessarily to scale, and the size of some parts may be exaggerated to more clearly illustrate the example shown. Moreover, the drawings provide examples and/or implementations consistent with the description; however, the description is not limited to the examples and/or implementations provided in the drawings.
DETAILED DESCRIPTION
For privacy, network addresses such as Media Access Control (MAC) addresses used by electronic devices can be randomized. Network address randomization produces randomized network addresses (also referred to as “private network addresses”) that differ from the “real” MAC address of electronic devices. A randomized network address can be used to protect the privacy of an electronic device, such as to prevent tracking of the location and/or network usage of the electronic device within a network.
Protecting the privacy of an electronic device may be useful when the electronic device connects to a public network, such as a public wireless network (e.g., a public Wi-Fi network) or a public wired network. However, the electronic device may also be used in a protected network, such as a network operated by an enterprise. An “enterprise” can refer to a business concern, a government agency, an educational organization, a non-profit organization, an individual, or any other type of entity. A “protected network” can refer to a network in which a security system ensures that electronic devices connecting to the network are in fact authorized to do so. The security system can perform any or some combination of the following security actions: device identification and authentication, authenticated assignment of an Internet Protocol (IP) address, network access control, network connection prevention, and so forth. The security system relies on the “real” MAC address of an electronic device to perform its security actions. In other words, the “real” MAC address of the electronic device is the identity of the electronic device relied upon by the security system. If MAC address randomization is enabled in the electronic device such that the security system receives a randomized MAC address (private MAC address), then the security system may not be able to perform its security actions since the security system would not be able to successfully identify the electronic device. Although MAC address randomization can be turned off in electronic devices, turning off MAC address randomization can involve extra work for a user or an information technology (IT) administrator that is responsible for configuring devices for a network. 
A management system (e.g., a security system or another type of management system) that relies on a real MAC address (also referred to as an “assigned MAC address”) in performing management operations is referred to as an “assigned MAC address-based management system.” In accordance with some implementations of the present disclosure, an assigned MAC address-based management system can perform a management action for an electronic device that communicates with a private network address, based on generating, by the assigned MAC address-based management system, a correlation between the private network address and a value representing an assigned network address of the electronic device. In some examples, the electronic device sends, to the management system, a message containing a first information element that includes the private network address (e.g., a randomized MAC address) of the electronic device, and a second information element that includes a device identifier (e.g., the assigned MAC address or a program-generated identity) of the electronic device. The private network address differs from the assigned network address of the electronic device. In response to the private network address extracted from the first information element and the device identifier extracted from the second information element of the message, the ma