[strongSwan] Calculating the generated MAC address when identity_lease is enabled

Tobias Brunner tobias at strongswan.org
Wed Apr 4 10:35:17 CEST 2018


Hi Micah,

> However, I became confused here, because the MAC address I am seeing on my DHCP server is 7a:a7:bc:8b:b5:ec. After the hardcoded 0x7A and 0xA7 bytes, there are only four bytes, but the SipHash-2-4 documentation I'm reading, as well as the commit message for commit 1255de5a2076dc591dfa1ffefffea077bd218319 which appears to have added this functionality, claims that SipHash-2-4 returns 64 bits / 8 bytes.

A MAC address is 48 bits, so the 32 bits after the first two bytes are
taken from the 64-bit SipHash-2-4 value (just by casting to an uint32_t)
which is then run through htonl() and copied to the address buffer.  To
calculate the value the 128-bit key 0x000102030405060708090a0b0c0d0e0f
is used.

> Have I missed something? And more importantly, is there a better way to do this?

If you use FQDNs as client identities they will be sent in a hostname
option (12) in the DHCP request, which you might be able to use directly.

Regards,
Tobias

