Question Are MAC addresses coupled to customer details upon purchase of NICs or computers? If not, why is this?

[phenomena-in-code]

Hi everyone,

I have done quite some research, but there is something about MAC addresses and traceability that I don't understand. Can someone explain it to me?

My current understanding is as follows:

MAC addresses are used on the local network level. If someone attempts to connect to an external server from his computer, his home router/switch will send out a request to the external server using a public (placeholder) IP address (and the computer's MAC will be replaced with the switch's MAC at that point). However, the switch will maintain a table in which the public IP to which the server's response is sent is connected to the local computer's MAC address. Would this person perform an illegal act on a public wifi network (and not (succesfully) make using of MAC spoofing), the public IP address associated with the illegal act could be connected to the user's MAC address by consulting the MAC address tables maintained in the router/switch. Would this person's name and address be coupled to this MAC address, it would be easy to find/arrest him. However, when I google, it seems that MAC addresses associated with NICs are not registered in connection to the buyer of the NICs or the systems that embed the NICs.

Wouldn't it be easy (or worth it for law enforcement), to keep track of the MAC addresses of NICs (and computer systems embedding them) and register the buyer's information in connection to these MAC addresses in the vendor's database (or elsewhere)? I mean, when someone buys a computer off of Amazon, wouldn't it be easy to register the customer information in relation to the MAC address of the purchased system? Even a sticker (perhaps encrypted) with the MAC address on the computer box would make it possible to link the two together.

So I guess my question is as follows:
(1) Does a register of this kind exist? Or is the only person who knows the connection between the customer and the MAC address after purchase the customer himself ?
(2) If such a register does not exist, what is the reason for this? Wouldn't it be an efficient way to track criminals (who do not spoof their MAC address succesfully) down, if the logs of a router/switch that they were using at the time of the illegal act can be consulted?

Just to be clear: I am not saying such a register is something 'good', or worth the cost in terms of privacy. I'm just wondering why it hasn't been implemented or enforced by parties who might prioritize catching criminals over privacy considerations.

 

[COLGeek]

No, there is no registry for this information. Nor should there be. It simply isn't feasible to manage such a beast for a multitude of reasons.

 

[phenomena-in-code]

No, there is no registry for this information. Nor should there be. It simply isn't feasible to manage such a beast for a multitude of reasons.

Thanks a lot for the quick reply! Would it be possible to shed some more light on this multitude of reasons? Is it because most people doing something bad would spoof their MAC address anyway? Or is the problem of a legal kind?

 

[COLGeek]

Privacy. Who would manage such a repository? How could it be verified? Cost to maintain. Just to name a few.

It just isn't feasible to do this in any practical manner.

 

[bill001g]

First you confusing concepts of IP addresses and mac addresses. Mac addresses never leave a subnet. Although most people think of this as internet if you have multiple subnets in your house you can actually have the same mac address on both.

Next mac addresses are not actually unique. Vendors only have limited pools and reuse them. Most people never see this but if you work for a large company that buys thousands of identical laptops you will find from time to time you get a duplicate mac address.

 

[phenomena-in-code]

First you confusing concepts of IP addresses and mac addresses. Mac addresses never leave a subnet. Although most people think of this as internet if you have multiple subnets in your house you can actually have the same mac address on both.

Next mac addresses are not actually unique. Vendors only have limited pools and reuse them. Most people never see this but if you work for a large company that buys thousands of identical laptops you will find from time to time you get a duplicate mac address.

Thanks for the reply. I haven't talked about MAC addresses leaving a subnet. I talked about consulting MAC address tables in the switch governing a subnet. These tables in the switch - as I understand it now - map a PC's MAC address on the subnet to the source IP address that is transmitted to the external server as part of the request (so the PC's MAC address never leaves the subnet).

 

[falcon291]

First you confusing concepts of IP addresses and mac addresses. Mac addresses never leave a subnet. Although most people think of this as internet if you have multiple subnets in your house you can actually have the same mac address on both.

Next mac addresses are not actually unique. Vendors only have limited pools and reuse them. Most people never see this but if you work for a large company that buys thousands of identical laptops you will find from time to time you get a duplicate mac address.

I don't deny that it can happen, because I saw it once, but still it is a very bad mistake at the vendor's side. Because the architecture was built on the premise that mac addresses are unique.

 

[bill001g]

Again you are confusing concepts. This is where having some training in networks helps.

A switch is a layer 2 device. It has no concept of ip addresses. It only understand mac addresses. The switch does have a table of which mac addresses are tied to a physical port but it has no idea what IP addresses are being used. You do not even need to use IP addresses to communicate between devices on the same lan if you don't want to. There are a couple of older protocols that did not use IP but did use mac addresses.

All traffic between subnets is done with a layer 3 device many times called a router. A router does not actually know the mac address of the end device what it might know is the mac address of the next router in the path. The very final router might have a entry in ARP table but this is a very temporary things that times out quickly. The only place you might have a mapping of mac to ip is in a DHCP server but that assumes the pc is using DHCP. If you statically set the IP in the pc then the DHCP server has no information.

 

[falcon291]

The only place you might have a mapping of mac to ip is in a DHCP server but that assumes the pc is using DHCP. If you statically set the IP in the pc then the DHCP server has no information.

I don't think static IPs are used that much anymore.

So more or less DHCP servers have mac id information, though I don't know if that information is archived.

 

[phenomena-in-code]

Again you are confusing concepts. This is where having some training in networks helps.

A switch is a layer 2 device. It has no concept of ip addresses. It only understand mac addresses. The switch does have a table of which mac addresses are tied to a physical port but it has no idea what IP addresses are being used. You do not even need to use IP addresses to communicate between devices on the same lan if you don't want to. There are a couple of older protocols that did not use IP but did use mac addresses.

All traffic between subnets is done with a layer 3 device many times called a router. A router does not actually know the mac address of the end device what it might know is the mac address of the next router in the path. The very final router might have a entry in ARP table but this is a very temporary things that times out quickly. The only place you might have a mapping of mac to ip is in a DHCP server but that assumes the pc is using DHCP. If you statically set the IP in the pc then the DHCP server has no information.

Again, thanks for the reply. I might be confusing switches and routers then.

What I have read was on this page:

Static IP Vs Dynamic IP - What’s The Difference?

If you ever wonder what makes a device recognizable on a vast internet sea, it is the IP (Internet Protocol) address. When connected to a network, every

www.technewstoday.com

Here it says: "The ISP uses your CPE device’s mac address to assign an IP address. The CPE then relays another IP address to other devices on your network. All of these IP address is recorded in a table along with the MAC of the connected devices."


Then I am confused as to how the router knows which computer to send the server's response back to. The external server does not know the MAC address, so if the server's response only contains a destination IP address, how does the router know where to send it on the local network?

 

[USAFRet]

1. MAC addresses can be trivially changed, even at the consumer level.
2. MAC addresses are not guaranteed to be unique.

 

[bill001g]

You have to stop reading networking stuff put out by publications targeting home users. Many times the people writing these articles have degrees in journalism and have little to no actual hands on experience in IT or networking. These publication can not afford to hire actual engineers to write or even audit these articles so you get lots of very general or even misinformation.

A "router" uses the routing table to send the traffic to the next hop IP address. This many times is another router but it does not have the mac address. The very final router might have a temporary ARP table that know the ip/mac but it can also use a broadcast method to get it to the correct end device.

A CPE is not really a router many times it is some kind of modem that may or may not have other functions. Many of these CPE devices have some kind of unique identifier but it may not be a actual mac address. The concept of mac address is really ethernet the connection between your house and the ISP are not ethernet they are generally something else like Docsis or gpon or maybe even DSL. This is mostly done to prevent unauthorized equipment to be attached. ATT actually uses a unique certificate they load into the units that is part of the encryption.

At best the ISP keeps track of which IP they assigned to the account in your house. This account may or may not be tied to some other address. Some systems use a userid/password to authenticate to the system. You see this in DSL or even in the public hotspot feature used by many cable systems that let you use pretty much any ones cable modem with your account information

Now some ISP keep the account and IP that was being used for some period time but it means nothing about which device. If someone were to configure their network as open or you where say using a restaurant wifi it would track back to the IP of the account and not the device that was actually running. This is why bad people do not use their own internet. Most even go a step farther to use VPN service that does not keep track of which account is using which IP address.

 

[phenomena-in-code]

Thanks again for all the information. You say:

Now some ISP keep the account and IP that was being used for some period time but it means nothing about which device. If someone were to configure their network as open or you where say using a restaurant wifi it would track back to the IP of the account and not the device that was actually running.

Would it be technically possible then, that if I have a dynamic IP address determined by a DCHP server on a restaurant's router, and my MAC address is mapped to this dynamic IP in this router, online activity could be traced back to me (my MAC address as mapped to my dynamic IP) if the DCHP server logs are consulted? Or would any activity that leaves a trace only leave a trace back to the IP of the router and not to my dynamic IP in the subnet?

 

[bill001g]

Depends where you attempt to log it. Anything outside the restaurant would see all the traffic coming from the restaurants IP with no way to see which machine did it.