After my initial post (Endpoint classification rules: Caution when using OUI vendor names), I got curious how often and in which way the OUI database changes. I googled around for a changelog, but I was not able to find anything useful.
I wrote a small script, that downloads the OUI database text file every night and compares the entries with with previous version (it’s very easy when using GIT).
I got surprised that the database (text file) almost change every day. There are minor and major changes. Here are some examples:
Minus (-) is the old entry / plus (+) is the current entry as of today
Example 1: Company name changes completely
-00-16-ED (hex) Digital Safety Technologies, Inc
+00-16-ED (hex) Utility, Inc
In this case one comapy aquired another.
⇒ Classification rules based on vendor names are kind of useless
Example 2: Cosmetic changes
-00-1B-D3 (hex) Panasonic Corp. AVC Company
+00-1B-D3 (hex) Panasonic Corporation AVC Networks Company
-00-26-92 (hex) Mitsubishi Electric Co.
+00-26-92 (hex) Mitsubishi Electric Corporation
⇒ Too strict rules based on vendor names could cause trouble
Example 3: Added entries
+08-F4-AB (hex) Apple, Inc.
+18-60-24 (hex) Hewlett Packard
+40-01-7A (hex) Cisco Systems, Inc
⇒ In this case classification rules based on vendor names actually makes sense
Again … changes are very frequent here. So take care when using real-time OUI database information in your network automation scripts or products.
I guess I’ll start a changelog for the OUI database here. Let’s wait and see.