After my initial post (Endpoint classification rules: Caution when using OUI vendor names), I got curious how often and in which way the OUI database changes. I googled around for a changelog, but I was not able to find anything useful.

I wrote a small script that downloads the OUI database text file every night and compares the entries with the previous version (it’s very easy when using Git).

I was surprised that the database (text file) changes almost every day. There are minor and major changes. Here are some examples:
Minus (-) is the old entry / plus (+) is the current entry as of today

Example 1: Company name changes completely
-00-16-ED   (hex)       Digital Safety Technologies, Inc
+00-16-ED   (hex)       Utility, Inc

In this case one company acquired another.
⇒ Classification rules based on vendor names are kind of useless

Example 2: Cosmetic changes
-00-1B-D3   (hex)  Panasonic Corp. AVC Company
+00-1B-D3   (hex)  Panasonic Corporation AVC Networks Company
or
-00-26-92   (hex)  Mitsubishi Electric Co.
+00-26-92   (hex)  Mitsubishi Electric Corporation
⇒ Too strict rules based on vendor names could cause trouble

Example 3: Added entries
+08-F4-AB   (hex)               Apple, Inc.
+18-60-24   (hex)               Hewlett Packard
+40-01-7A   (hex)               Cisco Systems, Inc
⇒ In this case classification rules based on vendor names actually make sense

Again … changes are very frequent here. So take care when using real-time OUI database information in your network automation scripts or products.
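To make the three kinds of change concrete, here is an added example (not the nightly script mentioned above) that compares two snapshots in the `(hex)` line format and reports which exact-match vendor-name rules stop matching. The token-overlap threshold, the rule names and the snapshot contents are assumptions built from the entries quoted in this post.

```python
import re

# "(hex)" lines in the format shown in the post: prefix, "(hex)", vendor name.
HEX_LINE = re.compile(r"^([0-9A-F]{2}(?:-[0-9A-F]{2}){2})\s+\(hex\)\s+(.*\S)")

def parse(text):
    """Return {OUI prefix: vendor name} for every (hex) line in the text."""
    matches = (HEX_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def tokens(name):
    return set(re.findall(r"[a-z0-9]+", name.lower()))

def classify(old, new, threshold=0.4):
    """List (oui, kind, old_name, new_name) per changed prefix. A name change is
    "cosmetic" if the Jaccard token overlap reaches threshold (assumed cut-off)."""
    changes = []
    for oui in sorted(old.keys() | new.keys()):
        a, b = old.get(oui), new.get(oui)
        if a == b:
            continue
        if a is None or b is None:
            kind = "added" if a is None else "removed"
        else:
            ta, tb = tokens(a), tokens(b)
            overlap = len(ta & tb) / (len(ta | tb) or 1)
            kind = "cosmetic" if overlap >= threshold else "renamed"
        changes.append((oui, kind, a, b))
    return changes

def broken_rules(rules, changes):
    """(rule, oui) pairs where an exact-name rule matched the old name only."""
    return sorted((rule, oui) for oui, _, a, b in changes
                  for rule, vendor in rules.items() if a == vendor != b)

# Constructed snapshots from the entries quoted in the post; RULES is hypothetical.
OLD = """00-16-ED   (hex)       Digital Safety Technologies, Inc
00-1B-D3   (hex)  Panasonic Corp. AVC Company
00-26-92   (hex)  Mitsubishi Electric Co."""
NEW = """00-16-ED   (hex)       Utility, Inc
00-1B-D3   (hex)  Panasonic Corporation AVC Networks Company
00-26-92   (hex)  Mitsubishi Electric Corporation
08-F4-AB   (hex)               Apple, Inc."""
RULES = {"rule-dst": "Digital Safety Technologies, Inc",
         "rule-panasonic": "Panasonic Corp. AVC Company"}

if __name__ == "__main__":
    for change in classify(parse(OLD), parse(NEW)):
        print(*change, sep=" | ")
```

Both hypothetical rules break here, one from an acquisition and one from a purely cosmetic rename, which is why matching on the OUI prefix itself is more stable than matching on the vendor string.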

I guess I’ll start a changelog for the OUI database here. Let’s wait and see.

Cheers
