What’s Normal: MAC Addresses (Fri, Oct 13th)

In this installment of “What’s Normal”, I want to discuss MAC addresses. MAC addresses are used to identify devices on Ethernet networks. They are six bytes long and are typically written in hexadecimal, with the bytes separated by colons or dashes. A MAC address identifies a network interface on the local network: it must be unique on that network and is, to some extent, globally unique.

The first thing to check about a MAC address is its OUI (Organizationally Unique Identifier). IEEE assigns these, and you can find the authoritative list here: https://standards-oui.ieee.org/ .

However, some MAC addresses are “normal” even though they do not use one of the officially assigned OUIs. To see some of the use cases for these addresses, let’s look at the first byte of the MAC address more carefully:



The two low-order bits of the first byte of the MAC address have special meaning:

U/L: The “universal/local” bit. If this bit is cleared, the address is globally assigned through an IEEE OUI. If it is set, the address is locally administered and not globally assigned. Sometimes, you see these locally administered addresses used by VPNs or virtualization solutions (VMware has its own globally assigned range, but other solutions do not).

I/G: The “individual/group” bit is cleared if this is a unicast address. It is set if it is a multicast or broadcast address, the most notable example being the broadcast address (FF:FF:FF:FF:FF:FF).

But there are some other interesting “odd” MAC addresses that you may run into:

Private MAC addresses: Recently, Wi-Fi devices started using random MAC addresses whenever they connect to a new network. This is supposed to prevent tracking a device across different networks. These addresses have the U/L bit set, indicating that IEEE does not assign them.
00:00:5e:00:01:01: The entire “00:00:5e” prefix is assigned to IANA, and this range is used for the Virtual Router Redundancy Protocol (VRRP). You will, for example, see this if you are using two pfSense or OPNsense routers in failover mode. The last byte of the MAC is used to identify the router (see RFC 5798, section 7.3: https://datatracker.ietf.org/doc/html/rfc5798#section-7.3 ).
If you use routers in a failover configuration, you often use two IP addresses for one interface: one IP is shared between both routers, and one is unique to each router. This will also trigger various “ARP poisoning” alerts.
The “MAC address” isn’t always equivalent to the “hardware address”. Some network cards have longer (eight-byte) hardware addresses. ipconfig on Windows may display both the longer hardware address and the MAC address used for Ethernet.
Various other failover configurations (multiple network interfaces used for one IP address), such as bonded or “team” interfaces, will also often look “odd”: you will see multiple MAC addresses for a single IP address.
In my experience, one of the most common reasons for duplicate MAC addresses on your network is “moving” a VMware virtual machine instead of copying it. “Moving” retains the MAC address; “copying” assigns a new MAC address.
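As an added example (not part of the diary), the following Python decodes the I/G and U/L bits described above, recognizes the VRRP and broadcast cases from the list, and flags the “one IP, many MACs” and “one MAC, many IPs” patterns in a constructed ARP table. The short OUI_TABLE is an assumed stand-in for the IEEE registry, and SAMPLE_ARP is constructed data, not a capture.

```python
import re
# Abbreviated OUI table for this demo; in practice load the IEEE registry
# (https://standards-oui.ieee.org/), which is the authoritative source.
OUI_TABLE = {"00:00:5e": "IANA (VRRP, RFC 5798)", "00:0c:29": "VMware"}
# Six hex bytes separated consistently by ":" or "-" (mixed separators are rejected).
MAC_RE = re.compile(r"^[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}$", re.I)


def parse_mac(text: str) -> bytes:
    """Accept colon- or dash-separated hex; reject anything else."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a six-byte MAC address: {text!r}")
    return bytes(int(h, 16) for h in re.split(r"[:-]", text))


def describe_mac(text: str) -> dict:
    """Decode the I/G and U/L bits of the first byte and classify the address."""
    mac = parse_mac(text)
    group = bool(mac[0] & 0x01)   # I/G: bit 0 set -> multicast/broadcast
    local = bool(mac[0] & 0x02)   # U/L: bit 1 set -> locally administered, no IEEE OUI
    oui = ":".join(f"{b:02x}" for b in mac[:3])
    if mac == b"\xff" * 6:
        kind = "broadcast"
    elif group:
        kind = "multicast"
    elif mac[:5] == b"\x00\x00\x5e\x00\x01":
        kind = f"VRRP virtual router, VRID {mac[5]}"   # RFC 5798 section 7.3
    elif local:
        kind = "locally administered (randomized Wi-Fi, VPN or VM)"
    else:
        kind = "globally unique unicast"
    return {"mac": ":".join(f"{b:02x}" for b in mac), "kind": kind, "oui": oui,
            "vendor": None if local else OUI_TABLE.get(oui)}


def find_anomalies(arp_entries):
    """From (ip, mac) pairs, list IPs seen with several MACs (bonding/teaming, failover,
    or an ARP-poisoning false positive) and MACs seen with several IPs (moved VM, shared IP)."""
    by_ip, by_mac = {}, {}
    for ip, mac in arp_entries:
        norm = describe_mac(mac)["mac"]   # normalize separators and case first
        by_ip.setdefault(ip, set()).add(norm)
        by_mac.setdefault(norm, set()).add(ip)
    return ({ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1},
            {mac: sorted(i) for mac, i in by_mac.items() if len(i) > 1})


SAMPLE_ARP = [  # constructed sample table, not captured from a real network
    ("192.168.1.1", "00:00:5e:00:01:07"),   # VRRP virtual router, VRID 7
    ("192.168.1.2", "00:0c:29:11:22:33"),
    ("192.168.1.3", "00-0c-29-11-22-33"),   # same MAC under a second IP: moved VM?
    ("192.168.1.10", "00:0c:29:aa:bb:01"),
    ("192.168.1.10", "00:0c:29:aa:bb:02"),  # one IP, two MACs: bonded/team interface?
]
```

Run `find_anomalies(SAMPLE_ARP)` to see both patterns reported; `describe_mac` on a single address tells you why it looks odd before you chase an alert.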

Anything I missed?

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.