This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Adopt stable-ssid as the default MAC address randomization mode for Wi-Fi networks in NetworkManager for Fedora 40, enhancing user privacy without compromising network stability.
The change involves adding a new file, /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf. This file sets
wifi.cloned-mac-address=”stable-ssid” as the default mode for MAC address randomization in Wi-Fi connections within NetworkManager for Fedora Linux 40. The
stable-ssid mode, which generates a MAC address based on the network’s SSID, is aimed at enhancing user privacy. This new default value will apply to Wi-Fi profiles in Fedora Linux 40, but profiles have the option to explicitly set different values to override the default. The content of the added file is:
[connection.22-wifi-mac-addr] match-device=type:wifi wifi.cloned-mac-address=stable-ssid [.config] enable=nm-version-min:1.45
For further details, please refer to
Note that this change will impact networks that rely on static MAC addresses. Users may need to adjust their Wi-Fi settings, particularly if their network operations depend on consistent MAC addresses. For example, networks with access control based on MAC addresses will need to explicitly set
wifi.cloned-mac-address to “preserve” in network profiles to avoid any disruptions in connectivity.
This change enhances user privacy by addressing the issue of MAC address tracking method used by network operators and advertisers to gather data about users’ movements and device usage patterns. By randomizing MAC addresses, Fedora reduces the potential for this type of passive surveillance, thereby enhancing individual privacy. It aligns Fedora with privacy-focused features present in other modern operating systems. The generated MAC address under the
stable-ssid mode is derived from the network’s SSID, a per-host key (from
/var/lib/NetworkManager/secret_key), and a per-interface identifier.
- Proposal owners:
The merge request is already merged upstream.
Other developers: N/A
Release engineering: #Releng issue number
Policies and guidelines: N/A (not needed for this Change)
Trademark approval: N/A (not needed for this Change)
With the adoption of
stable-ssid as the default in Fedora 40, existing users may experience changes in their Wi-Fi connection behavior, particularly those whose network setups depend on fixed MAC addresses. It’s crucial for users to be aware that upgrading to Fedora 40 will apply this new MAC address randomization by default. Users needing to maintain consistent MAC addresses for specific networks can address this by following one of these steps:
- Manually set
permanentfor specific profiles using
nmcli connection modify [$PROFILE] wifi.cloned-mac-address permanent
Create a custom configuration file in
/etc/NetworkManager/conf.d/22-wifi-mac-addr.conf, which can be empty or contain specific configurations. This will prevent the default file in
/usr/libfrom being loaded.
Create a higher priority .conf file like /etc/NetworkManager/conf.d/90-wifi-mac-addr.conf with:
For details on the order in which configuration files are loaded and their priority, refer to
- Upgrade NetworkManager to version 1.45 or newer implementing the stable-ssid mode
- Connect to Wi-Fi network using nmcli or the GNOME network settings
ip link show(replacing [device] with your Wi-Fi device’s name) to check the MAC address assigned to the device.
- Note the MAC address and reconnect to the same network to confirm that the MAC address remains consistent across sessions.
- Connect to different Wi-Fi networks and observe the MAC address for each connection.
- Ensure that the MAC address is derived from the network’s SSID.
- Manually override the MAC address for a specific Wi-Fi profile using
nmcli connection modify [profile] wifi.cloned-mac-address [your-mac-address]to set a specific MAC address
- Reconnect to the network and use
nmcli device show [device]to verify that the specified MAC address is being used.
Users will experience an additional layer of privacy without any required action on their part. The change is transparent, with minimal impact on the day-to-day user experience. However, for those with specific network configurations reliant on static MAC addresses, this update may require manual adjustments to network profile settings. Users in such scenarios will need to be aware of the change and how to revert to a fixed MAC address if necessary, ensuring their network connectivity aligns with their requirements.
- Contingency mechanism: Revert to previous MAC address handling if significant issues arise.
- Contingency deadline: Beta freeze of Fedora 40.
- Blocks release? No
No documentation change is required.
The change will be mentioned in the Release Notes.