<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes" ?>
<?rfc compact="yes"?>
<?rfc text-list-symbols="o*+-"?>
<rfc category="info" docName="draft-ietf-lmap-framework-03" ipr="trust200902"
     obsoletes="" updates="">
  <front>
    <title abbrev="LMAP Framework">A framework for large-scale measurement
    platforms (LMAP)</title>

    <author fullname="Philip Eardley" initials="P." surname="Eardley">
      <organization abbrev="BT">British Telecom</organization>

      <address>
        <postal>
          <street>Adastral Park, Martlesham Heath</street>

          <city>Ipswich</city>

          <country>ENGLAND</country>
        </postal>

        <email>philip.eardley@bt.com</email>
      </address>
    </author>

    <author fullname="Al Morton" initials="A." surname="Morton">
      <organization abbrev="AT&amp;T Labs">AT&amp;T Labs</organization>

      <address>
        <postal>
          <street>200 Laurel Avenue South</street>

          <city>Middletown, NJ</city>

          <country>USA</country>
        </postal>

        <email>acmorton@att.com</email>
      </address>
    </author>

    <author fullname="Marcelo Bagnulo" initials="M." surname="Bagnulo">
      <organization abbrev="UC3M">Universidad Carlos III de
      Madrid</organization>

      <address>
        <postal>
          <street>Av. Universidad 30</street>

          <city>Leganes</city>

          <region>Madrid</region>

          <code>28911</code>

          <country>SPAIN</country>
        </postal>

        <phone>34 91 6249500</phone>

        <email>marcelo@it.uc3m.es</email>

        <uri>http://www.it.uc3m.es</uri>
      </address>
    </author>

    <author fullname="Trevor Burbridge" initials="T." surname="Burbridge">
      <organization abbrev="BT">British Telecom</organization>

      <address>
        <postal>
          <street>Adastral Park, Martlesham Heath</street>

          <city>Ipswich</city>

          <country>ENGLAND</country>
        </postal>

        <email>trevor.burbridge@bt.com</email>
      </address>
    </author>

    <author fullname="Paul Aitken" initials="P." surname="Aitken">
      <organization abbrev="Cisco Systems">Cisco Systems, Inc.</organization>

      <address>
        <postal>
          <street>96 Commercial Street</street>

          <city>Edinburgh</city>

          <region>Scotland</region>

          <code>EH6 6LX</code>

          <country>UK</country>
        </postal>

        <email>paitken@cisco.com</email>
      </address>
    </author>

    <author fullname="Aamer Akhter" initials="A." surname="Akhter">
      <organization abbrev="Cisco Systems">Cisco Systems, Inc.</organization>

      <address>
        <postal>
          <street>7025 Kit Creek Road</street>

          <city>RTP</city>

          <region>NC</region>

          <code>27709</code>

          <country>USA</country>
        </postal>

        <email>aakhter@cisco.com</email>
      </address>
    </author>

    <date day="21" month="January" year="2014"/>

    <abstract>
      <t>Measuring broadband service on a large scale requires a description
      of the logical architecture and standardisation of the key protocols
      that coordinate interactions between the components. The document
      presents an overall framework for large-scale measurements. It also
      defines terminology for LMAP (large-scale measurement platforms).</t>
    </abstract>
  </front>

  <middle>
    <section title="Introduction">
      <t>There is a desire to be able to coordinate the execution of broadband
      measurements and the collection of measurement results across a large
      scale set of diverse devices. These devices could be software based
      agents on PCs, embedded agents in consumer devices (e.g. blu-ray
      players), service provider controlled devices such as set-top players
      and home gateways, or simply dedicated probes. It is expected that such
      a system could easily comprise 100k devices. Such a scale presents
      unique problems in coordination, execution and measurement result
      collection. Several use cases have been proposed for large- scale
      measurements including:</t>

      <t><list style="symbols">
          <t>Operators: to help plan their network and identify faults</t>

          <t>Regulators: to benchmark several network operators and support
          public policy development</t>
        </list>Further details of the use cases can be found at <xref
      target="I-D.ietf-lmap-use-cases"/>. The LMAP framework should be useful
      for these, as well as other use cases that the LMAP WG doesn't
      concentrate on, such as to help end users run diagnostic checks like a
      network speed test.</t>

      <t>The LMAP framework has four basic elements: Measurement Agents,
      Measurement Peers, Controllers and Collectors.</t>

      <t>Measurement Agents (MAs) perform Measurement Tasks, perhaps in
      conjunction with Measurement Peers. They are pieces of code that can be
      executed in specialized hardware (hardware probe) or on a
      general-purpose device (like a PC or mobile phone). A device with a
      Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL,
      fibre, etc.) and the Measurement Tasks may specify any one of these.
      Measurement Tasks may be Active (the MA or Measurement Peer generates
      Active Measurement Traffic), Passive (the MA observes user traffic), or
      some hybrid form of the two. For Active Measurement Tasks, the MA (or
      Measurement Peer) generates Active Measurement Traffic and measures some
      metric associated with its transfer over the path to (or from) a
      Measurement Peer. For example, one Active Measurement Task could be to
      measure the UDP latency between the MA and a given Measurement Peer. MAs
      may also conduct Passive Measurement Tasks through the observation of
      traffic. The Measurement Tasks themselves may be on IPv4, IPv6, and on
      various services (DNS, HTTP, XMPP, FTP, VoIP, etc.).</t>

      <t>The Controller manages one or more MAs by instructing it which
      Measurement Tasks it should perform and when. For example it may
      instruct a MA at a home gateway: &ldquo;Measure the &lsquo;UDP
      latency&rsquo; with the Measurement Peer mp.example.org; repeat every
      hour at xx.05&rdquo;. The Controller also manages a MA by instructing it
      how to report the Measurement Results, for example: &ldquo;Report
      results once a day in a batch at 4am&rdquo;. We refer to these as the
      Measurement Schedule and Report Schedule.</t>

      <t>The Collector accepts Reports from the MAs with the Results from
      their Measurement Tasks. Therefore the MA is a device that gets
      Instructions from the Controller, initiates the Measurement Tasks, and
      reports to the Collector.</t>

      <t>There are additional elements that are part of a measurement system,
      but that are out of the scope for LMAP. We provide a detailed discussion
      of all the elements in the rest of the document.</t>

      <t>The desirable features for a large-scale measurement systems we are
      designing for are:</t>

      <t><list style="symbols">
          <t>Standardised - in terms of the Measurement Tasks that they
          perform, the components, the data models and protocols for
          transferring information between the components. Amongst other
          things, standardisation enables meaningful comparisons of
          measurements made of the same metric at different times and places,
          and enables the operator of a measurement system to buy the various
          components from different vendors. Today's systems are proprietary
          in some or all of these aspects.</t>

          <t>Large-scale - <xref target="I-D.ietf-lmap-use-cases"/> envisages
          Measurement Agents in every home gateway and edge device such as
          set-top-boxes and tablet computers. It is expected that a
          measurement system could easily encompass a few hundred thousand
          Measurement Agents. Existing systems have up to a few thousand MAs
          (without judging how much further they could scale).</t>

          <t>Diversity - a measurement system should handle different types of
          Measurement Agent - for example Measurement Agents may come from
          different vendors, be in wired and wireless networks and be on
          devices with IPv4 or IPv6 addresses.</t>
        </list></t>
    </section>

    <section title="Outline of an LMAP-based measurement system">
      <t>Figure 1 shows the main components of a measurement system, and the
      interactions of those components. Some of the components are outside the
      scope of LMAP. In this section we provide an overview of the whole
      measurement system and we introduce the main terms needed for the LMAP
      framework. The new terms are capitalized. In the next section we provide
      a terminology section with a compilation of all the LMAP terms and their
      definition. The subsequent sections study the LMAP components in more
      detail.</t>

      <t>A Measurement Task measures some performance or reliability Metric of
      interest. An Active Measurement Task involves either a Measurement Agent
      (MA) injecting Active Measurement Traffic into the network destined for
      a Measurement Peer, and/or a Measurement Peer sending Active Measurement
      Traffic to a MA; one of them measures some parameter associated with the
      transfer of the packet(s). A Passive Measurement Task involves only a
      MA, which simply observes existing traffic - for example, it could
      simply count bytes or it might calculate the average loss for a
      particular flow.</t>

      <t>It is very useful to standardise Measurement Methods (a Measurement
      Method is a generalisation of a Measurement Task), so that it is
      meaningful to compare measurements of the same Metric made at different
      times and places. It is also useful to define a registry for
      commonly-used Metrics <xref
      target="I-D.bagnulo-ippm-new-registry-independent"/> so that a
      Measurement Method can be referred to simply by its identifier in the
      registry. The Measurement Methods and registry will hopefully be
      referenced by other standards organisations.</t>

      <t>In order for a Measurement Agent and a Measurement Peer to execute an
      Active Measurement Task, they exchange Active Measurement Traffic. The
      protocols used for the Active Measurement Traffic is out of the scope of
      the LMAP WG and falls within the scope of other IETF WGs such as
      IPPM.</t>

      <t>For Measurement Results to be truly comparable, as might be required
      by a regulator, not only do the same Measurement Methods need to be used
      but also the set of Measurement Tasks should follow a similar
      Measurement Schedule and be of similar number. The details of such a
      characterisation plan are beyond the scope of work in IETF although
      certainly facilitated by IETF's work.</t>

      <t>The next components we consider are the Measurement Agent (MA),
      Controller and Collector. The main work of the LMAP working group is to
      define the Control Protocol between the Controller and MA, and the
      Report Protocol between the MA and Collector. Section 4 onwards
      considers the LMAP components in more detail; here we introduce
      them.</t>

      <t>The Controller manages a MA by instructing it which Measurement Tasks
      it should perform and when. For example it may instruct a MA at a home
      gateway: &ldquo;Run the &lsquo;download speed test&rsquo; with the
      Measurement Peer at the end user's first IP point in the network; if the
      end user is active then delay the test and re-try 1 minute later, with
      up to 3 re-tries; repeat every hour at xx.05 + Unif[0,180]
      seconds&rdquo;. The Controller also manages a MA by instructing it how
      to report the Measurement Results, for example: &ldquo;Report results
      once a day in a batch at 4am + Unif[0,180] seconds; if the end user is
      active then delay the report 5 minutes&rdquo;. These are called the
      Measurement and Report Schedule. As well as periodic Measurement Tasks,
      a Controller can initiate a one-off (non-recurring) Measurement Task
      ("Do measurement now", "Report as soon as possible").</t>

      <t>The Collector accepts a Report from a MA with the results from its
      Measurement Tasks. It may also do some post-processing on the results,
      for instance to eliminate outliers, as they can severely impact the
      aggregated results.</t>

      <t>Finally we introduce several components that are out of scope of the
      LMAP WG and will be provided through existing protocols or applications.
      They affect how the measurement system uses the Measurement Results and
      how it decides what set of Measurement Tasks to perform.</t>

      <t>The MA needs to be bootstrapped with initial details about its
      Controller, including authentication credentials. The LMAP WG considers
      the bootstrap process, since it affects the Information Model. However,
      it does not define a bootstrap protocol, since it is likely to be
      technology specific and could be defined by the Broadband Forum,
      CableLabs or IEEE depending on the device. Possible protocols are SNMP,
      NETCONF or (for Home Gateways) CPE WAN Management Protocol (CWMP) from
      the Auto Configuration Server (ACS) (as specified in TR-069).</t>

      <t>A Subscriber parameter database contains information about the line,
      such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), the
      line technology (DSL or fibre), the time zone where the MA is located,
      and the type of home gateway and MA. These parameters are already
      gathered and stored by existing operations systems. They may affect the
      choice of what Measurement Tasks to run and how to interpret the
      Measurement Results. For example, a download test suitable for a line
      with an 80Mb/s contract may overwhelm a 2Mb/s line.</t>

      <t>A results repository records all Measurement Results in an equivalent
      form, for example an SQL database, so that they can easily be accessed
      by the data analysis tools. The data analysis tools also need to
      understand the Subscriber's service information, for example the
      broadband contract.</t>

      <t>The data analysis tools receive the results from the Collector or via
      the Results repository. They might visualise the data or identify which
      component or link is likely to be the cause of a fault or degradation.
      This information could help the Controller decide what follow-up
      Measurement Task to perform in order to diagnose a fault.</t>

      <t>The operator's OAM (Operations, Administration, and Maintenance) uses
      the results from the tools.</t>

      <t/>

      <figure>
        <artwork><![CDATA[                                                              ^
                                                              |
                                 Active                       IPPM
            +---------------+  Measurement +-------------+    Scope
   +------->| Measurement   |<------------>| Measurement |    v
   |        |   Agent       |   Traffic    |     Peer    |    ^
   |        +---------------+              +-------------+    |
   |              ^      |                                    |
   |  Instruction |      |  Report                            |
   |              |      +-----------------+                  |
   |              |                        |                  |
   |              |                        v                  LMAP
   |         +------------+             +------------+        Scope
   |         | Controller |             |  Collector |        |
   |         +------------+             +------------+        v
   |                ^   ^                       |             ^
   |                |   |                       |             |
   |                |   +----------+            |             |
   |                |              |            v             |
+------------+   +----------+    +--------+    +----------+   | 
|Bootstrapper|   |Subscriber|--->|  data  |<---|repository|   Out
+------------+   |parameter |    |analysis|    +----------+   of
                 |database  |    | tools  |                   Scope
                 +----------+    +--------+                   |  
                                                              |
                                                              v

Figure 1: Schematic of main elements of an LMAP-based 
measurement system
(showing the elements in and out of the scope of the LMAP WG)
]]></artwork>
      </figure>
    </section>

    <section title="Terminology">
      <t>This section defines terminology for LMAP. Please note that defined
      terms are capitalized.</t>

      <t>Active Measurement Method (Task): A type of Measurement Method (Task)
      that involves a Measurement Agent and a Measurement Peer (or possibly
      Peers), where either the Measurement Agent or the Measurement Peer
      injects Active Measurement Traffic into the network destined for the
      other, and which involves one of them measuring some performance or
      reliability parameter associated with the transfer of the traffic.</t>

      <t>Active Measurement Traffic: the packet(s) generated by the
      Measurement Agent and/or the Measurement Peer, as part of an Active
      Measurement Task.</t>

      <t>Bootstrap: A process that initialises a Measurement Agent with the
      information necessary to be integrated into a measurement system.</t>

      <t>Capabilities: Information about the Measurement Methods that the MA
      can perform and the device hosting the MA, for example its interface
      type and speed and its IP address.</t>

      <t>Channel: an Instruction Channel, Report Channel or MA-to-Controller
      Channel</t>

      <t>Collector: A function that receives a Report from a Measurement
      Agent.</t>

      <t>Composite Metric: A Metric that is a combination of other Metrics,
      and/or a combination of the same Metric measured over different parts of
      the network or at different times.</t>

      <t>Controller: A function that provides a Measurement Agent with
      Instruction(s).</t>

      <t>Control Channel: a communications channel between a Controller and a
      MA, which is defined by a specific Controller, MA and associated
      security, and over which Instructions are sent.</t>

      <t>Control Protocol: The protocol delivering Instruction(s) from a
      Controller to a Measurement Agent. It also delivers Failure Information
      and Capabilities Information from the Measurement Agent to the
      Controller.</t>

      <t>Cycle-ID: (optional) A tag that is sent by the Controller in an
      Instruction and echoed by the MA in its Report. The same Cycle-ID is
      used by several MAs that use the same Measurement Method with the same
      Input Parameters. Hence the Cycle-ID allows the Collector to easily
      identify Measurement Results that should be comparable.</t>

      <t>Data Model: The implementation of an Information Model in a
      particular data modelling language.</t>

      <t>Environmental Constraint: A parameter that is measured as part of the
      Measurement Task, its value determining whether the rest of the
      Measurement Task proceeds.</t>

      <t>Failure Information: Information about the MA's failure to action or
      execute an Instruction, whether concerning Measurement Tasks or
      Reporting.</t>

      <t>Group-ID: (optional) An identifier of a group of MAs.</t>

      <t>Information Model: The protocol-neutral definition of the semantics
      of the Instructions, the Report, the status of the different elements of
      the measurement system as well of the events in the system.</t>

      <t>Input Parameter: A parameter whose value is left open by the
      Measurement Method and is set to a specific value in a Measurement Task.
      Altering the value of an Input Parameter does not change the fundamental
      nature of the Measurement Method.</t>

      <t>Instruction: The description of Measurement Tasks to perform and the
      details of the Report to send. The Instruction is sent by a Controller
      to a Measurement Agent.</t>

      <t>MA-to-Controller Channel: a communications channel between a MA and a
      Controller, which is defined by a specific Controller, MA and associated
      security, and over which Capabilities and Failure Information is
      sent.</t>

      <t>Measurement Agent (MA): The function that receives Instructions from
      a Controller, performs Measurement Tasks (perhaps in concert with a
      Measurement Peer) and reports Measurement Results to a Collector.</t>

      <t>Measurement Agent Identifier (MA-ID): a UUID <xref
      target="RFC4122"/>, which is configured as part of the Bootstrapping and
      included in a Capabilities message, Failure Information message and
      optionally in a Report.</t>

      <t>Measurement Method: The process for assessing the value of a Metric;
      the process of measuring some performance or reliability parameter; the
      generalisation of a Measurement Task.</t>

      <t>Measurement Peer: The function that receives control messages and
      Active Measurement Traffic from a Measurement Agent and may reply to the
      Measurement Agent as defined by the Active Measurement Method.</t>

      <t>Measurement Result: The output of a single Measurement Task (the
      value obtained for the parameter of interest or Metric).</t>

      <t>Measurement Schedule: the schedule for performing Measurement
      Tasks.</t>

      <t>Measurement Suppression: a type of Instruction that temporarily stops
      (suppresses) Active Measurement Tasks.</t>

      <t>Measurement Task: The act that yields a single Measurement Result;
      the act consisting of the (single) operation of the Measurement Method
      at a particular time and with all its parameters set to specific
      values.</t>

      <t>Metric: The quantity related to the performance and reliability of
      the network that we'd like to know the value of, and that is carefully
      specified.</t>

      <t>Passive Measurement Method (Task): A Measurement Method (Task) in
      which a Measurement Agent observes existing traffic but does not inject
      Active Measurement Traffic.</t>

      <t>Report: The Measurement Results and other associated information (as
      defined by the Instruction). The Report is sent by a Measurement Agent
      to a Collector.</t>

      <t>Report Channel: a communications channel between a MA and a
      Collector, which is defined by a specific MA, Collector, Report Schedule
      and associated security, and over which Reports are sent.</t>

      <t>Report Protocol: The protocol delivering Report(s) from a Measurement
      Agent to a Collector.</t>

      <t>Report Schedule: the schedule for sending one or more Reports to a
      Collector.</t>

      <t>Subscriber: An entity (associated with one or more users) that is
      engaged in a subscription with a service provider. The Subscriber is
      allowed to subscribe and un-subscribe services, and to register a user
      or a list of users authorized to enjoy these services. <xref
      target="Q1741"/> Both the Subscriber and service provider are allowed to
      set the limits relative to the use that associated users make of
      subscribed services.</t>

      <t/>
    </section>

    <section title="Constraints">
      <t>The LMAP framework makes some important assumptions, which constrain
      the scope of the work to be done.</t>

      <section title="Measurement system is under the direction of a single organisation">
        <t>In the LMAP framework, the measurement system is under the
        direction of a single organisation that is responsible both for the
        data and the quality of experience delivered to its users. Clear
        responsibility is critical given that a misbehaving large-scale
        measurement system could potentially harm user experience, user
        privacy and network security.</t>

        <t>However, the components of an LMAP measurement system can be
        deployed in administrative domains that are not owned by the measuring
        organisation. Thus, the system of functions deployed by a single
        organisation constitutes a single LMAP domain which may span ownership
        or other administrative boundaries.</t>
      </section>

      <section title="Each MA may only have a single Controller at any point in time">
        <t>A MA is instructed by one Controller and is in one measurement
        system. The constraint avoids different Controllers giving a MA
        conflicting instructions and so means that the MA does not have to
        manage contention between multiple Measurement (or Report) Schedules.
        This simplifies the design of MAs (critical for a large-scale
        infrastructure) and allows a Measurement Schedule to be tested on
        specific types of MA before deployment to ensure that the end user
        experience is not impacted (due to CPU, memory or broadband-product
        constraints).</t>

        <t>An operator may have several Controllers, perhaps with a Controller
        for different types of MA (home gateways, tablets) or location
        (Ipswich, Edinburgh).</t>
      </section>
    </section>

    <section title="LMAP Protocol Model">
      <t>A protocol model <xref target="RFC4101"/> presents an architectural
      model for how the protocol operates and needs to answer three basic
      questions:</t>

      <t><list style="numbers">
          <t>What problem is the protocol trying to achieve?</t>

          <t>What messages are being transmitted and what do they mean?</t>

          <t>What are the important, but unobvious, features of the
          protocol?</t>
        </list></t>

      <t>An LMAP system goes through the following phases:</t>

      <t><list style="symbols">
          <t>a bootstrapping process before the MA can take part in the other
          three phases</t>

          <t>a Control Protocol, which delivers an Instruction from a
          Controller to a MA, detailing what Measurement Tasks the MA should
          perform and when, and how it should report the Measurement
          Results</t>

          <t>the actual Measurement Tasks are performed. An Active Measurement
          Task involves sending Active Measurement Traffic between the
          Measurement Agent and a Measurement Peer, whilst a Passive
          Measurement Task involves (only) the Measurement Agent observing
          existing user traffic. The LMAP WG does not define Measurement
          Methods, however the IPPM WG does.</t>

          <t>a Report Protocol, which delivers a Report from the MA to a
          Collector. The Report contains the Measurement Results.</t>
        </list></t>

      <t>In the diagrams the following convention is used:</t>

      <t><list style="symbols">
          <t>(optional): indicated by round brackets</t>

          <t>[potentially repeated]: indicated by square brackets</t>
        </list></t>

      <t>The protocol model is closely related to the Information Model <xref
      target="I-D.burbridge-lmap-information-model"/>, which is the abstract
      definition of the information carried by the protocol model. The purpose
      of both is to provide a protocol and device independent view, which can
      be implemented via specific protocols. The LMAP WG will define a
      specific Control Protocol and Report Protocol, but others could be
      defined by other standards bodies or be proprietary. However it is
      important that they all implement the same Information Model and
      protocol model, in order to ease the definition, operation and
      interoperability of large-scale measurement systems.</t>

      <t>The diagrams show the various LMAP messages and Section 5.5 considers
      how they could be mapped onto an underlying transport protocol.</t>

      <section title="Bootstrapping process">
        <t>The primary purpose of bootstrapping is to enable the MA and
        Controller to be integrated into a measurement system. In order to do
        that, the MA needs to retrieve information about itself (like its
        identity in the measurement system), about the Controller, as well as
        security information (such as certificates and credentials).<figure>
            <artwork><![CDATA[                                                     +--------------+
                                                     | Measurement  |
                                                     |  Agent       |
                                                     +--------------+ 
(initial Controller details:
 address or FQDN,                      ->
 security credentials)

+-----------------+
|    initial      |
|   Controller    |
+-----------------+
                                       <-              (register)

Controller details:
 address or FQDN,                      ->
 security credentials

+-----------------+
|                 |
|   Controller    |
+-----------------+            
                                       <-              register 
MA-ID, (Group-ID),                     ->
Control Channel,
(Suppression Channel),
MA-to-Controller Channel
]]></artwork>
          </figure></t>

        <t/>

        <t>The MA knows how to contact a Controller through some device
        /access specific mechanism. For example, this could be in the
        firmware, downloaded, manually configured or via a protocol like
        TR-069. The Controller could either be the one that will send it
        Instructions or else an initial Controller (whose details may be
        statically configured). The role of an initial Controller is simply to
        inform the MA how to contact its actual Controller, for example its
        FQDN (Fully Qualified Domain Name) <xref target="RFC1035"/>.</t>

        <t>The MA learns its identifier (MA-ID). It may also be told a
        Group-ID and whether to include the MA-ID as well as the Group-ID in
        its Reports. A Group-ID would be shared by several MAs and could be
        useful for privacy reasons, for instance to hinder tracking of a
        mobile device.</t>

        <t>The MA is also told about the Control Channel over which it will
        receive Instructions from the Controller, in particular the associated
        security information, for example to enable the MA to decrypt the
        Instruction. Optionally any Suppression messages can be sent over a
        different Channel. The MA is also informed about the MA-to-Controller
        Channel, over which the MA can tell the Controller about its
        Capabilities and any Failure Information. This consists of the address
        of the Controller, for instance its URL, and security details for
        MA-to-Controller messages.</t>

        <t/>

        <t>The MA may tell the Controller its Capabilities, in particular the
        Measurement Methods it can perform.</t>

        <t>If the device with the MA re-boots, then the MA needs to
        re-register, so that it can receive a new Instruction. To avoid a
        "mass calling event" after a widespread power restoration affecting
        many MAs, it is sensible for an MA to pause for a random delay
        (perhaps in the range of one minute or so) before re-registering.</t>

        <t>Whilst the LMAP WG considers the bootstrapping process, it is out
        of scope to define a bootstrap mechanism, as it depends on the type of
        device and access.</t>

        <t/>
      </section>

      <section title="Control Protocol">
        <t>The primary purpose of the Control Protocol is to allow the
        Controller to configure a Measurement Agent with an Instruction about
        what Measurement Tasks to do, when to do them, and how to report the
        Measurement Results. The Measurement Agent then acts on the
        Instruction autonomously.</t>

        <t><figure>
            <artwork><![CDATA[+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|  Controller     |===================================|  Agent      |
+-----------------+                                   +-------------+ 

(Capabilities request)                   ->
                                         <-            Capabilities
ACK                                      ->

                                       
Instruction:
[(Measurement Task (Input Parameters)),  ->
 (Measurement Schedule),
 (Report Channel(s))]
                                         <-              ACK 


                                         <-         Failure Information:
                                                    [reason]
ACK                                      ->
 
]]></artwork>
          </figure></t>

        <t>The Controller needs to know the Capabilities of the MA, and in
        particular what Measurement Methods it supports, so that it can
        correctly instruct the MA. It is possible that the Controller knows
        the MA's Capabilities via some mechanism beyond the scope of LMAP,
        such as a device-specific protocol. In LMAP, the MA can inform the
        Controller about its Capabilities. This message could be sent in
        several circumstances: when the MA first communicates with a
        Controller; when the MA becomes capable of a new Measurement Method;
        when requested by the Controller (for example, if the Controller
        forgets what the MA can do or otherwise wants to resynchronize what it
        knows about the MA). Note that Capabilities do not include dynamic
        information like the MA's currently unused CPU, memory or battery
        life.</t>

        <t>A single Instruction message contains one, two, three or all four
        of the following elements:</t>

        <t><list style="symbols">
            <t>configuration of all the Measurement Tasks, each of which
            needs:<list style="symbols">
                <t>the Measurement Method, specified as a URN to a registry
                entry. The registry could be defined by the IETF <xref
                target="I-D.bagnulo-ippm-new-registry-independent"/>, locally
                by the operator of the measurement system or perhaps by
                another standards organisation.</t>

                <t>any Input Parameters that need to be set for the
                Measurement Method, such as the address of the Measurement
                Peer</t>

                <t>if the device with the MA has multiple interfaces, then the
                interface to use</t>

                <t>optionally, a Cycle-ID</t>

                <t>a name for this Measurement Task configuration</t>
              </list></t>

            <t>configuration of all the Report Channels, each of which
            needs:<list style="symbols">
                <t>the address of the Collector, for instance its URL</t>

                <t>the timing of when to report Measurement Results, for
                example every hour or immediately</t>

                <t>security for sending the Report, for example the X.509
                certificate</t>

                <t>a name for this Report Channel</t>
              </list></t>

            <t>the set of periodic Measurement Schedules, each of which
            needs:<list style="symbols">
                <t>the name of one or several Measurement Task
                configurations</t>

                <t>the timing of when the Measurement Tasks are to be
                performed. Possible types of timing are periodic and
                calendar-based periodic</t>

                <t>the name of a Report Channel or Channels on which to report
                the Measurement Results</t>

                <t>a name for this Measurement Schedule</t>
              </list></t>

            <t>the set of one-off Measurement Schedules, each of which needs
            the same items as for a periodic Measurement Schedule, except that
            the possible types of timing are one-off immediate and one-off at
            a future time.</t>
          </list></t>

        <t>A single Instruction message contains one, two, three or all four
        of the above elements. This allows the different elements to be
        updated independently at different times and intervals, for example it
        is likely that the periodic Measurement Schedule will be updated more
        often than the other elements.</t>

        <t>Note that an Instruction message replaces (rather than adds to)
        those elements that it includes. For example, if the message includes
        (only) a periodic Measurement Schedule, then that replaces the old
        periodic Measurement Schedule but does not alter the configuration of
        the Measurement Tasks and Report Channels.</t>

        <t>Periodic Measurement Schedules contain the name of one or several
        Measurement Task configurations that are to be carried out on a
        recurring basis, whilst one-off Measurement Schedules contain
        non-recurring Measurement Tasks. One-off and periodic Measurement
        Schedules are kept separate so that the Controller can instruct the MA
        to perform an ad hoc Measurement Task (for instance to help isolate a
        fault) without having to re-notify the MA about the periodic
        Measurement Schedule.</t>

        <t>Note that the Instruction informs the MA; the Control Protocol does
        not allow the MA to negotiate, as this would add complexity to the MA,
        Controller and Control Protocol for little benefit.</t>

        <t>The MA can inform the Controller about a Failure. There are two
        broad categories of failure: (1) the MA cannot action the Instruction
        (for example, it doesn't include a parameter that is mandatory for the
        requested Measurement Method; or it is missing details of the target
        Collector). (2) the MA cannot execute the Measurement Task or deliver
        the Report (for example, the MA unexpectedly has no spare CPU cycles;
        or the Collector is not responding). Note that it is not considered a
        failure if a Measurement Task (correctly) doesn't start; for example
        if the MA detects cross-traffic, this is reported to the Collector in
        the normal manner. Note also that the MA does not inform the
        Controller about normal operation of its Measurement Tasks and
        Reports.</t>

        <t>In the Figure, ACK means that the message has been delivered
        successfully.</t>

        <t/>

        <t>Finally, note that the MA doesn't do a 'safety check' with the
        Controller (that it should still continue with the requested
        Measurement Tasks) - nor does it inform the Controller about
        Measurement Tasks starting and stopping. It simply carries out the
        Measurement Tasks as instructed, unless it gets an updated
        Instruction.</t>

        <t>The LMAP WG will define a Control Protocol and its associated Data
        Model that implements the Protocol &amp; Information Model. This may
        be a simple instruction-response protocol.</t>

        <section title="Measurement Suppression">
          <t>Measurement Suppression is used if the measurement system wants
          to eliminate inessential traffic, because there is some unexpected
          network issue for example. The Controller instructs the MA to
          temporarily not begin new Active Measurement Tasks. By default,
          suppression applies to all Active Measurement Tasks, starts
          immediately and continues until an un-suppress message is received.
          Optionally the suppress message may include:</t>

          <t><list style="symbols">
              <t>a set of Active Measurement Tasks to suppress; the others are
              not suppressed. For example, a particular Measurement Task may
              be overloading a Measurement Peer.</t>

              <t>a set of Measurement Schedules to suppress; the others are
              not suppressed. For example, suppose the measurement system has
              defined two Schedules, one with the most critical Active
              Measurement Tasks and the other with less critical ones that
              create a lot of traffic, then it may only want to suppress the
              second.</t>

              <t>a start time, at which suppression begins</t>

              <t>an end time, at which suppression ends.</t>
            </list></t>

          <t>It is not standardised what the impact of Suppression is on:</t>

          <t><list style="symbols">
              <t>Passive Measurement Tasks; since they do not create any
              Active Measurement Traffic there is no need to suppress them,
              however it may be simpler for an implementation to do so</t>

              <t>on-going Active Measurement Tasks; see Section 5.3</t>
            </list>Note that Suppression is not intended to permanently stop a
          Measurement Task (instead, the Controller should send a new
          Measurement Schedule), nor to permanently disable a MA (instead,
          some kind of management action is suggested).</t>

          <t/>

          <t/>

          <figure>
            <artwork><![CDATA[+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|  Controller     |===================================|  Agent      |
+-----------------+                                   +-------------+ 

Suppress:
[(Measurement Task),                     ->               
 (Measurement Schedule),
 start time, end time]
                                         <-              ACK 

Un-suppress                              ->
                                         <-              ACK 
                                       
]]></artwork>
          </figure>
        </section>
      </section>

      <section title="Starting and stopping Measurement Tasks">
        <t>The LMAP WG is neutral to what the actual Measurement Task is. The
        WG does not define a generic start and stop process, since the correct
        approach depend on the particular Measurement Task; the details are
        defined as part of each Measurement Method, and hence potentially by
        the IPPM WG. This section provides some general hints.</t>

        <t>Once the MA gets its Measurement and Report Schedules from its
        Controller then it acts autonomously, in terms of operation of the
        Measurement Tasks and reporting of the result. One implication is that
        the MA initiates Measurement Tasks. As an example, for the common case
        where the MA is on a home gateway, the MA initiates a &lsquo;download
        speed test&rsquo; by asking a Measurement Peer to send the file.</t>

        <t/>

        <t>Many Active Measurement Tasks begin with a pre-check before the
        test traffic is sent. Action could include:</t>

        <t><list style="symbols">
            <t>the MA checking that there is no cross-traffic; in other words,
            a check that the user isn&rsquo;t already sending traffic;</t>

            <t>the MA checking with the Measurement Peer that it can handle a
            new Measurement Task (in case the Measurement Peer is already
            handling many Measurement Tasks with other MAs);</t>

            <t>the first part of the Measurement Task consisting of traffic
            that probes the path to make sure it isn&rsquo;t overloaded.</t>
          </list>It is possible that similar checks continue during the
        Measurement Task, especially one that is long-running and/or creates a
        lot of Active Measurement Traffic, which may be abandoned whilst
        in-progress. A Measurement Task could also be abandoned in response to
        a "suppress" message (see Section 5.2.1). Action could include:</t>

        <t><list style="symbols">
            <t>For &lsquo;upload&rsquo; tests, the MA not sending traffic</t>

            <t>For &lsquo;download&rsquo; tests, the MA closing the TCP
            connection or sending a TWAMP Stop control message <xref
            target="RFC5357"/>.</t>
          </list></t>

        <t>The Controller may want a MA to run the same Measurement Task
        indefinitely (for example, "run the 'upload speed' Measurement Task
        once an hour until further notice"). To avoid the MA generating
        traffic forever after a Controller has permanently failed, it is
        suggested that the Measurement Schedule includes a time limit ("run
        the 'upload speed' Measurement Task once an hour for the next 30
        days") and that the Measurement Schedule is updated regularly (say,
        every 10 days).</t>

        <t>{Comment: It is possible that the set of measurement schedules
        implies overlapping Measurement Tasks. It is not clear the best thing
        to do. Our current suggestion is to leave this to the protocol
        document.}</t>
      </section>

      <section title="Report Protocol">
        <t>The primary purpose of the Report Protocol is to allow a
        Measurement Agent to report its Measurement Results to a Collector,
        and the context in which they were obtained.</t>

        <t><figure>
            <artwork><![CDATA[+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|   Collector     |===================================|  Agent      |
+-----------------+                                   +-------------+ 
                                                       
                                   <-          Report: 
                                                 [MA-ID &/or Group-ID,
                                                  Measurement Results,
                                          details of Measurement Task]
ACK                                ->

]]></artwork>
          </figure></t>

        <t>The Report contains:<list style="symbols">
            <t>the MA-ID or a Group-ID (to anonymise results)</t>

            <t>the actual Measurement Results, including the time they were
            measured</t>

            <t>the details of the Measurement Task (to avoid the Collector
            having to ask the Controller for this information later)</t>
          </list></t>

        <t>The MA sends Reports as defined by the Report Channel in the
        Controller's Instruction. It is possible that the Instruction tells
        the MA to report the same Results to more than one Collector, or to
        report a different subset of Results to different Collectors. It is
        also possible that a Measurement Task may create two (or more)
        Measurement Results, which could be reported differently (for example,
        one Result could be reported periodically, whilst the second Result
        could be an alarm that is created as soon as the measured value of the
        Metric crosses a threshold and that is reported immediately).</t>

        <t>Optionally, a Report is not sent when there are no Measurement
        Results.</t>

        <t>In the initial LMAP Information Model and Report Protocol, for
        simplicity we assume that all Measurement Results are reported as-is,
        but allow extensibility so that a measurement system (or perhaps a
        second phase of LMAP) could allow a MA to pre-process Measurement
        Results before it reports them. Potential examples of pre-processing
        by the MA are:</t>

        <t><list style="symbols">
            <t>labelling, or perhaps not including, Measurement Results
            impacted by, for instance, cross-traffic or the Measurement Peer
            being busy</t>

            <t>not reporting the Measurement Results if the MA believes that
            they are invalid</t>

            <t>detailing when suppression started and ended</t>

            <t>filtering outlier Results</t>

            <t>calculating some statistic like average (beyond that defined by
            the Measurement Task itself)</t>
          </list></t>

        <t>The measurement system may define what happens if a Collector
        unexpectedly does not hear from a MA, for example the Controller could
        send a fresh Report Schedule to the MA.</t>

        <t>The LMAP WG will define a Report Protocol and its associated Data
        Model that implements the Information Model and protocol model. This
        may be a simple instruction-response protocol.</t>
      </section>

      <section title="Operation of LMAP over the underlying transport protocol">
        <t>The above sections have described LMAP's protocol model. The LMAP
        working group will also specify how it operates over an existing
        protocol, to be selected, for example REST-style HTTP(S). It is also
        possible that a different choice is made for the Control and Report
        Protocols, for example NETCONF-YANG and IPFIX respectively. It is even
        possible that a different choice could be made for Suppression and for
        other Instruction messages.</t>

        <t>For the Control Protocol, the underlying transport protocol could
        be:</t>

        <t><list style="symbols">
            <t>a 'push' protocol (that is, from the Controller to the MA)</t>

            <t>a multicast protocol (from the Controller to a group of
            MAs)</t>

            <t>a 'pull' protocol. The MA periodically checks with Controller
            if the Instruction has changed and pulls a new Instruction if
            necessary. A pull protocol seems attractive for a MA behind a NAT
            (as is typical for a MA on an end-user's device), so that it can
            initiate the communications. A pull mechanism is likely to require
            the MA to be configured with how frequently it should check in
            with the Controller, and perhaps what it should do if the
            Controller is unreachable after a certain number of attempts.</t>

            <t>a hybrid protocol. In addition to a pull protocol, the
            Controller can also push an alert to the MA that it should
            immediately pull a new Instruction.</t>
          </list>For the Report Protocol, the underlying transport protocol
        could be:</t>

        <t><list style="symbols">
            <t>a 'push' protocol (that is, from the MA to the Collector)</t>

            <t>perhaps supplemented by the ability for the Collector to 'pull'
            Measurement Results from a MA.</t>
          </list></t>
      </section>

      <section title="Items beyond the scope of the LMAP Protocol Model">
        <t>There are several potential interactions between LMAP elements that
        are out of scope of definition by the LMAP WG:</t>

        <t><list style="numbers">
            <t>It does not define a coordination process between MAs. Whilst a
            measurement system may define coordinated Measurement Schedules
            across its various MAs, there is no direct coordination between
            MAs.</t>

            <t>It does not define interactions between the Collector and
            Controller. It is quite likely that there will be such
            interactions, optionally intermediated by the data analysis tools.
            For example if there is an "interesting" Measurement Result then
            the measurement system may want to trigger extra Measurement Tasks
            that explore the potential cause in more detail.</t>

            <t>It does not define coordination between different measurement
            systems. For example, it does not define the interaction of a MA
            in one measurement system with a Controller or Collector in a
            different measurement system. Whilst it is likely that the Control
            and Report Protocols could be re-used or adapted for this
            scenario, any form of coordination between different organisations
            involves difficult commercial and technical issues and so, given
            the novelty of large-scale measurement efforts, any form of
            inter-organisation coordination is outside the scope of the LMAP
            WG. Note that a single MA is instructed by a single Controller and
            is only in one measurement system.<list style="symbols">
                <t>An interesting scenario is where a home contains two
                independent MAs, for example one controlled by a regulator and
                one controlled by an ISP. Then the Active Measurement Traffic
                of one MA is treated by the other MA just like any other user
                traffic.</t>
              </list></t>

            <t>It does not consider how to prevent a malicious party "gaming
            the system". For example, where a regulator is running a
            measurement system in order to benchmark operators, a malicious
            operator could try to identify the broadband lines that the
            regulator was measuring and prioritise that traffic. It is assumed
            this is a policy issue and would be dealt with through a code of
            conduct for instance.</t>

            <t>It does not define how to analyse Measurement Results,
            including how to interpret missing Results.</t>

            <t>It does not specifically define a enduser-controlled
            measurement system, see sub-section 5.6.1.</t>
          </list></t>

        <section title="Enduser-controlled measurement system">
          <t>The WG concentrates on the cases where an ISP or a regulator runs
          the measurement system. However, we expect that LMAP functionality
          will also be used in the context of an enduser-controlled
          measurement system. There are at least two ways this could happen
          (they have various pros and cons):</t>

          <t><list style="numbers">
              <t>an enduser could somehow request the ISP- (or regulator-) run
              measurement system to test his/her line. The ISP (or regulator)
              Controller would then send an Instruction to the MA in the usual
              LMAP way. Note that a user can&rsquo;t directly initiate a
              Measurement Task on an ISP- (or regulator-) controlled MA.</t>

              <t>an enduser could deploy their own measurement system, with
              their own MA, Controller and Collector. For example, the user
              could implement all three functions onto the same enduser-owned
              end device, perhaps by downloading the functions from the ISP or
              regulator. Then the LMAP Control and Report Protocols do not
              need to be used, but using LMAP's Information Model would still
              be beneficial. The Measurement Peer could be in the home gateway
              or outside the home network; in the latter case the Measurement
              Peer is highly likely to be run by a different organisation,
              which raises extra privacy considerations.</t>
            </list></t>

          <t>In both cases there will be some way for the user to initiate the
          Measurement Task(s). The mechanism is out-of-scope of the LMAP WG,
          but could include the user clicking a button on a GUI or sending a
          text message. Presumably the user will also be able to see the
          Measurement Results, perhaps summarised on a webpage. It is
          suggested that these interfaces conform to the LMAP guidance on the
          privacy in Section 8.</t>

          <t/>
        </section>
      </section>
    </section>

    <section title="Deployment considerations">
      <t/>

      <section title="Controller">
        <t>The Controller should understand both the MA's LMAP Capabilities
        (for instance what Measurement Methods it can perform) and about the
        MA's other capabilities like processing power and memory. This allows
        the Controller to make sure that the Measurement Schedule of
        Measurement Tasks and the Reporting Schedule are sensible for each MA
        that it Instructs.</t>

        <t>An Instruction is likely to include several Measurement Tasks.
        Typically these run at different times, but it is also possible for
        them to run at the same time, if the Controller is sure that one Task
        will not affect the Results of another Task.</t>

        <t>The Controller should ensure that the Active Measurement Tasks do
        not have an adverse effect on the end user. Typically Tasks,
        especially those that generate a substantial amount of traffic, will
        include a pre-check that the user isn&rsquo;t already sending traffic
        (Section 5.3). Another consideration is whether Active Measurement
        Traffic will impact a Subscriber's bill or traffic cap.</t>

        <t>The different elements of the Instruction can be updated
        independently. For example, the Measurement Tasks could be configured
        with different Input Parameters whilst keeping the same Measurement
        Schedule. In general this should not create any issues, since
        Measurement Methods should be defined so their fundamental nature does
        not change for a new value of Input Parameter. There could be a
        problem if, for example, a Measurement Task involving a 1kB file
        upload could be changed into a 1GB file upload.</t>

        <t>A measurement system may have multiple Controllers (but note the
        overriding principle that a single MA is instructed by a single
        Controller at any point in time (Section 4.2)). For example, there
        could be different Controllers for different types of MA (home
        gateways, tablets) or locations (Ipswich, Edinburgh), for load
        balancing or to cope with failure of one Controller. One possibility
        is that Bootstrapping involves an initial Controller, whose role is
        simply to inform the MA how to contact its actual Controller.</t>

        <t/>
      </section>

      <section title="Measurement Agent">
        <t>The Measurement Agent could take a number of forms: a dedicated
        probe, software on a PC, embedded into an appliance, or even embedded
        into a gateway. A single site (home, branch office etc.) that is
        participating in a measurement could make use of one or multiple
        Measurement Agents in a single measurement. If the site is multi homed
        there might be a Measurement Agent per interface.</t>

        <t>The Measurement Agent could be deployed in a variety of locations.
        Not all deployment locations are available to every kind of
        Measurement Agent. There are also a variety of limitations and
        trade-offs depending on the final placement. The next sections outline
        some of the locations a Measurement Agent may be deployed. This is not
        an exhaustive list and combinations may also apply.</t>

        <t/>

        <t>If the Instruction includes several Measurement Tasks, these could
        be scheduled to run at different times or possibly at the same time -
        some Tasks may be compatible, in that they do not affect each other's
        Results, whilst with others great care would need to be taken.</t>

        <t>The measurement system also needs to consider carefully how to
        interpret missing Results; for example, if the missing Results are
        ignored and the lack of a Report is caused by its broadband being
        broken, then the estimate of overall performance, averaged across all
        MAs, would be too optimistic.</t>

        <t/>

        <section title="Measurement Agent embedded in site gateway">
          <t>A Measurement Agent embedded with the site gateway, for example a
          home router or the edge router of a branch office in a managed
          service environment, is one of better places the Measurement Agent
          could be deployed. All site-to-ISP traffic would traverse through
          the gateway and passive measurements could easily be performed.
          Similarly, due to this user traffic visibility, an Active
          Measurements Task could be rescheduled so as not to compete with
          user traffic. Generally NAT and firewall services are built into the
          gateway, allowing the Measurement Agent the option to offer its
          Controller facing management interface outside of the NAT/firewall.
          This placement of the management interface allows the Controller to
          unilaterally contact the Measurement Agent for instructions.
          However, if the site gateway is owned and operated by the service
          provider, the Measurement Agent will generally not be directly
          available for over the top providers, the regulator, end users or
          enterprises.</t>

          <t/>
        </section>

        <section title="Measurement Agent embedded behind site NAT /Firewall">
          <t>The Measurement Agent could also be embedded behind a NAT, a
          firewall, or both. In this case the Controller may not be able to
          unilaterally contact the Measurement Agent unless either static port
          forwarding configuration or firewall pin holing is configured, and
          might not always be possible. It would require user intervention or
          pre-provisioning by the operator via a mechanisms such as TR-069.
          The Measurement Agent may originate a session towards the Controller
          and maintain the session for bidirectional communications. This
          would alleviate the need to have user intervention on the gateway,
          but would reduce the overall saleability of the Controller as it
          would have to maintain a higher number of active sessions. That
          said, sending keepalives to prop open the firewall could serve a
          dual purpose in testing network reachability for the Measurement
          Agent. An alternative would be to use a protocol such as UPnP or PCP
          <xref target="RFC6887"/> to control the NAT/firewall if the gateway
          supports this kind of control.</t>
        </section>

        <section title="Measurement Agent in a multi-homed site">
          <t>A broadband site may be multi-homed. For example, the site may be
          connected to multiple broadband ISPs, perhaps for redundancy or
          load- sharing, or have both wired and wireless broadband
          connectivity. It may also be helpful to think of dual stack IPv4 and
          IPv6 broadband devices as multi-homed. In these cases, there needs
          to be clarity on which network connectivity option is being
          measured. Sometimes this is easily resolved by the location of the
          MA itself. For example, if the MA is built into the gateway (and the
          gateway only has a single WAN side interface), there is little
          confusion or choice. However, for multi-homed gateways or devices
          behind the gateway(s) of multi-homed sites it would be preferable to
          explicitly select the network to measure (<xref target="RFC5533"/>)
          but the network measured should be included in the Measurement
          Result. Section 3.2 of <xref target="I-D.ietf-homenet-arch"/>
          describes dual-stack and multi-homing topologies that might be
          encountered in a home network (which is generally a broadband
          connected site). The Multiple Interfaces (mif) working group covers
          cases where hosts are either directly attached to multiple networks
          (physical or virtual) or indirectly (multiple default routers,
          etc.). <xref target="RFC6419"/> provides the current practices of
          multi-interfaces hosts today. As one aim is for a MA is to measure
          the end user's quality of experience, it is important to understand
          the current practices.</t>

          <t/>
        </section>
      </section>

      <section title="Measurement Peer">
        <t>A Measurement Peer participates in Active Measurement Tasks. It may
        have specific functionality to enable it to participate in a
        particular Measurement Method. On the other hand, other Measurement
        Methods may require no special functionality, for example if the
        Measurement Agent sends a ping to example.com then the server at
        example.com plays the role of a Measurement Peer.</t>

        <t>A device may participate in some Measurement Tasks as a Measurement
        Agent and in others as a Measurement Peer.</t>

        <t/>
      </section>
    </section>

    <section title="Security considerations">
      <t/>

      <t>The security of the LMAP framework should protect the interests of
      the measurement operator(s), the network user(s) and other actors who
      could be impacted by a compromised measurement deployment. The
      measurement system must secure the various components of the system from
      unauthorised access or corruption.</t>

      <t>We assume that each Measurement Agent (MA) will receive its
      Instructions from a single organisation, which operates the Controller.
      These Instructions must be authenticated (to ensure that they come from
      the trusted Controller), checked for integrity (to ensure no-one has
      tampered with them) and not vulnerable to replay attacks. If a malicious
      party can gain control of the MA they can use it to launch DoS attacks
      at targets, reduce the end user's quality of experience and corrupt the
      Measurement Results that are reported to the Collector. By altering the
      Measurement Tasks and/or the address that Results are reported to, they
      can also compromise the confidentiality of the network user and the MA
      environment (such as information about the location of devices or their
      traffic).</t>

      <t>Reporting by the MA must also be secured to maintain confidentiality.
      The results must be encrypted such that only the authorised Collector
      can decrypt the results to prevent the leakage of confidential or
      private information. In addition it must be authenticated that the
      results have come from the expected MA and that they have not been
      tampered with. It must not be possible to fool a MA into injecting
      falsified data into the measurement platform or to corrupt the results
      of a real MA. The results must also be held and processed securely after
      collection and analysis.</t>

      <t>Availability should also be considered. While the loss of some MAs
      may not be considered critical, the unavailability of the Collector
      could mean that valuable business data or data critical to a regulatory
      process is lost. Similarly, the unavailability of a Controller could
      mean that the MAs do not operate a correct Measurement Schedule.</t>

      <t>A malicious party could "game the system". For example, where a
      regulator is running a measurement system in order to benchmark
      operators, an operator could try to identify the broadband lines that
      the regulator was measuring and prioritise that traffic. This potential
      issue is currently handled by a code of conduct. It is outside the scope
      of the LMAP WG to consider the issue.</t>

      <t/>
    </section>

    <section title="Privacy Considerations for LMAP">
      <t>The LMAP Working Group will consider privacy as a core requirement
      and will ensure that by default the Control and Report Protocols operate
      in a privacy-sensitive manner and that privacy features are
      well-defined.</t>

      <t>This section provides a set of privacy considerations for LMAP. This
      section benefits greatly from the timely publication of <xref
      target="RFC6973"/>. Privacy and security (Section 7) are related. In
      some jurisdictions privacy is called data protection.</t>

      <t>We begin with a set of assumptions related to protecting the
      sensitive information of individuals and organisations participating in
      LMAP-orchestrated measurement and data collection.</t>

      <section title="Categories of Entities with Information of Interest">
        <t>LMAP protocols need to protect the sensitive information of the
        following entities, including individuals and organisations who
        participate in measurement and collection of results.<list
            style="symbols">
            <t>Individual Internet users: Persons who utilise Internet access
            services for communications tasks, according to the terms of
            service of a service agreement. Such persons may be a service
            Subscriber, or have been given permission by the Subscriber to use
            the service.</t>

            <t>Internet service providers: Organisations who offer Internet
            access service subscriptions, and thus have access to sensitive
            information of individuals who choose to use the service. These
            organisations desire to protect their Subscribers and their own
            sensitive information which may be stored in the process of
            performing Measurement Tasks and collecting and Results.</t>

            <t>Regulators: Public authorities responsible for exercising
            supervision of the electronic communications sector, and which may
            have access to sensitive information of individuals who
            participate in a measurement campaign. Similarly, regulators
            desire to protect the participants and their own sensitive
            information.</t>

            <t>Other LMAP system operators: Organisations who operate
            measurement systems or participate in measurements in some
            way.</t>
          </list></t>

        <t>Although privacy is a protection extended to individuals, we
        include discussion of ISPs and other LMAP system operators in this
        section. These organisations have sensitive information involved in
        the LMAP system, and many of the same dangers and mitigations are
        applicable. Further, the ISPs store information on their Subscribers
        beyond that used in the LMAP system (for instance billing
        information), and there should be a benefit in considering all the
        needs and potential solutions coherently.</t>
      </section>

      <section title="Examples of Sensitive Information">
        <t>This section gives examples of sensitive information which may be
        measured or stored in a measurement system, and which is to be kept
        private by default in the LMAP core protocols.</t>

        <t>Examples of Subscriber or authorised Internet user sensitive
        information:</t>

        <t><list style="symbols">
            <t>Sub-IP layer addresses and names (MAC address, base station ID,
            SSID)</t>

            <t>IP address in use</t>

            <t>Personal Identification (real name)</t>

            <t>Location (street address, city)</t>

            <t>Subscribed service parameters</t>

            <t>Contents of traffic (activity, DNS queries, destinations,
            equipment types, account info for other services, etc.)</t>

            <t>Status as a study volunteer and Schedule of (Active)
            Measurement Tasks</t>
          </list></t>

        <t>Examples of Internet Service Provider sensitive information:<list
            style="symbols">
            <t>Measurement device identification (equipment ID and IP
            address)</t>

            <t>Measurement Instructions (choice of measurements)</t>

            <t>Measurement Results (some may be shared, others may be
            private)</t>

            <t>Measurement Schedule (exact times)</t>

            <t>Network topology (locations, connectivity, redundancy)</t>

            <t>Subscriber billing information, and any of the above Subscriber
            information known to the provider.</t>

            <t>Authentication credentials (such as certificates)</t>
          </list></t>

        <t>Other organisations will have some combination of the lists above.
        The LMAP system would not typically expose all of the information
        above, but could expose a combination of items which could be
        correlated with other pieces collected by an attacker (as discussed in
        the section on Threats below).</t>
      </section>

      <section title="Key Distinction Between Active and Passive Measurement Tasks">
        <t>Passive and Active Measurement Tasks raise different privacy
        issues.</t>

        <t>Passive Measurement Tasks are conducted on a user's traffic, such
        that sensitive information is present and stored in the measurement
        system (however briefly this storage may be). We note that some
        authorities make a distinction on time of storage, and information
        that is kept only temporarily to perform a communications function is
        not subject to regulation (for example, active queue management, deep
        packet inspection). Passive Measurement Tasks could reveal all the
        websites a Subscriber visits and the applications and/or services they
        use.</t>

        <t>Active Measurement Tasks are conducted on traffic which is created
        specifically for the purpose. Even if a user host generates Active
        Measurement Traffic, there is significantly limited sensitive
        information about the Subscriber present and stored in the measurement
        system compared to the passive case, as follows:<list style="symbols">
            <t>IP address in use (and possibly sub-IP addresses and names)</t>

            <t>Status as a study volunteer and Schedule of Active Measurement
            Tasks</t>
          </list></t>

        <t>On the other hand, for a service provider the sensitive information
        like Measurement Results is the same for Passive and Active
        Measurement Tasks.</t>

        <t>From the Subscriber perspective, both Active and Passive
        Measurement Tasks potentially expose the description of Internet
        access service and specific service parameters, such as subscribed
        rate and type of access.</t>
      </section>

      <section title="Privacy analysis of the Communications Models">
        <t>This section examines each of the protocol exchanges described at a
        high level in Section 5 and some example Measurement Tasks, and
        identifies specific sensitive information which must be secured during
        communication for each case. With the protocol-related sensitive
        information identified, we have can better consider the threats
        described in the following section.</t>

        <t>From the privacy perspective, all entities participating in LMAP
        protocols can be considered "observers" according to the definition in
        <xref target="RFC6973"/>. Their stored information potentially poses a
        threat to privacy, especially if one or more of these functional
        entities has been compromised. Likewise, all devices on the paths used
        for control, reporting, and measurement are also observers.</t>

        <t/>

        <section title="MA Bootstrapping">
          <t>Section 5.1 provides the communication model for the
          Bootstrapping process.</t>

          <t>Although the specification of mechanisms for Bootstrapping the MA
          are beyond the LMAP scope, designers should recognize that the
          Bootstrapping process is extremely powerful and could cause an MA to
          join a new or different LMAP system with a different Controller and
          Collector, or simply install new Measurement Methods (for example to
          passively record DNS queries). A Bootstrap attack could result in a
          breach of the LMAP system with significant sensitive information
          exposure depending on the capabilities of the MA, so sufficient
          security protections are warranted.</t>

          <t>The Bootstrapping process provides sensitive information about
          the LMAP system and the organisation that operates it, such as <list
              style="symbols">
              <t>Initial Controller IP address or FQDN</t>

              <t>Assigned Controller IP address or FQDN</t>

              <t>Security certificates and credentials</t>
            </list></t>

          <t>During the Bootstrap process, the MA receives its MA-ID which is
          a persistent pseudonym for the Subscriber in the case that the MA is
          located at a service demarcation point. Thus, the MA-ID is
          considered sensitive information, because it could provide the link
          between Subscriber identification and Measurements Results.</t>

          <t>Also, the Bootstrap process could assign a Group-ID to the MA.
          The specific definition of information represented in a Group-ID is
          to be determined, but several examples are envisaged including use
          as a pseudonym for a set of Subscribers, a class of service, an
          access technology, or other important categories. Assignment of a
          Group-ID enables anonymisation sets to be formed on the basis of
          service type/grade/rates. Thus, the mapping between Group-ID and
          MA-ID is considered sensitive information.</t>
        </section>

        <section title="Controller &lt;-&gt; Measurement Agent">
          <t>The high-level communication model for interactions between the
          LMAP Controller and Measurement Agent is illustrated in Section 5.2.
          The primary purpose of this exchange is to authenticate and task a
          Measurement Agent with Measurement Instructions, which the
          Measurement Agent then acts on autonomously.</t>

          <t>Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are
          exchanged with a capability request, then measurement-related
          information of interest such as the parameters, schedule, metrics,
          and IP addresses of measurement devices. Thus, the measurement
          Instruction contains sensitive information which must be secured.
          For example, the fact that an ISP is running additional measurements
          beyond the set reported externally is sensitive information, as are
          the additional Measurements Tasks themselves. The Measurement
          Schedule is also sensitive, because an attacker intending to bias
          the results without being detected can use this information to great
          advantage.</t>

          <t>An organisation operating the Controller having no service
          relationship with a user who hosts the Measurement Agent *could*
          gain real-name mapping to a public IP address through user
          participation in an LMAP system (this applies to the Measurement
          Collection protocol, as well).</t>
        </section>

        <section title="Collector &lt;-&gt; Measurement Agent">
          <t>The high-level communication model for interactions between the
          Measurement Agent and Collector is illustrated in Section 5.4. The
          primary purpose of this exchange is to authenticate and collect
          Measurement Results from a MA, which the MA has measured
          autonomously and stored.</t>

          <t>The Measurement Results are the additional sensitive information
          included in the Collector-MA exchange. Organisations collecting LMAP
          measurements have the responsibility for data control. Thus, the
          Results and other information communicated in the Collector protocol
          must be secured.</t>
        </section>

        <section title="Measurement Peer &lt;-&gt; Measurement Agent ">
          <t>Although the specification of the mechanisms for an Active
          Measurement Task is beyond the scope of LMAP, it raises potential
          privacy issues. The high-level communications model below
          illustrates the various exchanges to execute Active Measurement
          Tasks and store the Results.</t>

          <t>We note the potential for additional observers in the figures
          below by indicating the possible presence of a NAT, which has
          additional significance to the protocols and direction of
          initiation.</t>

          <t>The various messages are optional, depending on the nature of the
          Active Measurement Task. It may involve sending Active Measurement
          Traffic from the Measurement Peer to MA, MA to Measurement Peer, or
          both. <figure>
              <artwork><![CDATA[ _________________                              _________________
|                 |                            |                 |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________|                            |_________________|

                               <-              (Key Negotiation &
                                               Encryption Setup)
(Encrypted Channel             ->
Established)
(Announce capabilities         ->
& status)
                               <-              (Select capabilities)
ACK                            ->
                               <-              (Measurement Request
                                              (MA+MP IPAddrs,set of
                                                Metrics, Schedule))
ACK                            ->

Active Measurement Traffic     <>        Active Measurement Traffic
(may/may not be encrypted)               (may/may not be encrypted)

                               <-            (Stop Measurement Task)

Measurement Results            ->
(if applicable)
                               <-               ACK, Close
]]></artwork>
            </figure>This exchange primarily exposes the IP addresses of
          measurement devices and the inference of measurement participation
          from such traffic. There may be sensitive information on key points
          in a service provider's network included. There may also be access
          to measurement-related information of interest such as the Metrics,
          Schedule, and intermediate results carried in the Active Measurement
          Traffic (usually a set of timestamps).</t>

          <t>If the Active Measurement Traffic is unencrypted, as found in
          many systems today, then both timing and limited results are open to
          on-path observers.</t>
        </section>

        <section title="Passive Measurement Agent ">
          <t>Although the specification of the mechanisms for a Passive
          Measurement Task is beyond the scope of LMAP, it raises potential
          privacy issues. </t>

          <t>The high-level communications model below illustrates the
          collection of user information of interest with the Measurement
          Agent performing the monitoring and storage of the Results. This
          particular exchange is for passive measurement of DNS Response Time,
          which most frequently uses UDP transport.</t>

          <t><figure>
              <artwork><![CDATA[ _________________                                      ____________
|                 |                                    |            |
|  DNS Server     |=========== NAT ? ==========*=======| User client|
|_________________|                            ^       |____________|
                                         ______|_______
                                        |              |
                                        |  Measurement |
                                        |    Agent     |
                                        |______________|

                               <-              Name Resolution Req
                                              (MA+MP IPAddrs, 
                                               Desired Domain Name)
Return Record                  ->

]]></artwork>
            </figure></t>

          <t>This exchange primarily exposes the IP addresses of measurement
          devices and the intent to communicate with or access the services of
          "Domain Name". There may be information on key points in a service
          provider's network, such as the address of one of its DNS servers.
          The Measurement Agent may be embedded in the user host, or it may be
          located in another device capable of observing user traffic.</t>

          <t>In principle, any of the user sensitive information of interest
          (listed above) can be collected and stored in the passive monitoring
          scenario and so must be secured.</t>

          <t>It would also be possible for a Measurement Agent to source the
          DNS query itself. But then, as with any active measurement task,
          there are few privacy concerns.</t>

          <t/>
        </section>

        <section title="Storage and Reporting of Measurement Results">
          <t>Although the mechanisms for communicating results (beyond the
          initial Collector) are beyond the LMAP scope, there are potential
          privacy issues related to a single organisation's storage and
          reporting of Measurement Results. Both storage and reporting
          functions can help to preserve privacy by implementing the
          mitigations described below.</t>
        </section>
      </section>

      <section title="Threats">
        <t>This section indicates how each of the threats described in <xref
        target="RFC6973"/> apply to the LMAP entities and their communication
        and storage of "information of interest".</t>

        <section title="Surveillance">
          <t>Section 5.1.1 of <xref target="RFC6973"/> describes Surveillance
          as the "observation or monitoring of and individual's communications
          or activities." Hence all Passive Measurement Tasks are a form of
          surveillance, with inherent risks.</t>

          <t>Active Measurement Methods which avoid periods of user
          transmission indirectly produce a record of times when a subscriber
          or authorised user has used their network access service.</t>

          <t>Active Measurement Methods may also utilise and store a
          Subscriber's currently assigned IP address when conducting
          measurements that are relevant to a specific Subscriber. Since the
          Measurement Results are time-stamped, they could provide a record of
          IP address assignments over time.</t>

          <t>Either of the above pieces of information could be useful in
          correlation and identification, described below.</t>
        </section>

        <section title="Stored Data Compromise">
          <t>Section 5.1.2 of <xref target="RFC6973"/> describes Stored Data
          Compromise as resulting from inadequate measures to secure stored
          data from unauthorised or inappropriate access. For LMAP systems
          this includes deleting or modifying collected measurement records,
          as well as data theft.</t>

          <t>The primary LMAP entity subject to compromise is the repository,
          which stores the Measurement Results; extensive security and privacy
          threat mitigations are warranted. The Collector and MA also store
          sensitive information temporarily, and need protection. The
          communications between the local storage of the Collector and the
          repository is beyond the scope of the LMAP work at this time, though
          this communications channel will certainly need protection as well
          as the mass storage itself.</t>

          <t>The LMAP Controller may have direct access to storage of
          Subscriber information (location, billing, service parameters, etc.)
          and other information which the controlling organisation considers
          private, and again needs protection.</t>

          <t/>
        </section>

        <section title="Correlation and Identification">
          <t>Sections 5.2.1 and 5.2.2 of <xref target="RFC6973"/> describes
          Correlation as combining various pieces of information to obtain
          desired characteristics of an individual, and Identification as
          using this process to infer identity.</t>

          <t>The main risk is that the LMAP system could unwittingly provide a
          key piece of the correlation chain, starting with an unknown
          Subscriber's IP address and another piece of information. For
          example, a Subscriber utilised Internet access from 2000 to 2310
          UTC, because the Active Measurement Tasks were deferred, or sent a
          name resolution for www.example.com at 2300 UTC.</t>
        </section>

        <section title="Secondary Use and Disclosure">
          <t>Sections 5.2.3 and 5.2.4 of <xref target="RFC6973"/> describes
          Secondary Use as unauthorised utilisation of an individual's
          information for a purpose the individual did not intend, and
          Disclosure is when such information is revealed causing other's
          notions of the individual to change, or confidentiality to be
          violated.</t>

          <t>Passive Measurement Tasks are a form of Secondary Use, and the
          Subscribers' permission and the measured ISP's permission should be
          obtained beforehand. Although user traffic is only indirectly
          involved, the Measurement Results from Active Measurement Tasks
          provide some limited information about the Subscriber/ISP and could
          be used for Secondary Uses. For example, the use of the Results in
          unauthorised marketing campaigns would qualify as Secondary Use.</t>
        </section>
      </section>

      <section title="Mitigations">
        <t>This section examines the mitigations listed in section 6 of <xref
        target="RFC6973"/> and their applicability to LMAP systems. Note that
        each section in <xref target="RFC6973"/> identifies the threat
        categories that each technique mitigates.</t>

        <section title="Data Minimisation">
          <t>Section 6.1 of <xref target="RFC6973"/> encourages collecting and
          storing the minimal information needed to perform a task.</t>

          <t>There are two levels of information needed for LMAP results to be
          useful for a specific task: troubleshooting and general results
          reporting.</t>

          <t>For general results, the results can be aggregated into large
          categories (the month of March, all subscribers West of the
          Mississippi River). In this case, all individual identifications
          (including IP address of the MA) can be excluded, and only relevant
          results are provided. However, this implies a filtering process to
          reduce the information fields, because greater detail was needed to
          conduct the Measurement Tasks in the first place.</t>

          <t>For troubleshooting, so that a network operator or end user can
          identify a performance issue or failure, potentially all the network
          information (IP addresses, equipment IDs, location), Measurement
          Schedule, service configuration, Measurement Results, and other
          information may assist in the process. This includes the information
          needed to conduct the Measurements Tasks, and represents a need
          where the maximum relevant information is desirable, therefore the
          greatest protections should be applied.</t>

          <t>We note that a user may give temporary permission for Passive
          Measurement Tasks to enable detailed troubleshooting, but withhold
          permission for them in general. Here the greatest breadth of
          sensitive information is potentially exposed, and the maximum
          privacy protection must be provided.</t>

          <t>For MAs with access to the sensitive information of users (e.g.,
          within a home or a personal host/handset), it is desirable for the
          results collection to minimise the data reported, but also to
          balance this desire with the needs of troubleshooting when a service
          subscription exists between the user and organisation operating the
          measurements.</t>

          <t>For passive measurements where the MA reports flow information to
          the Collector, the Collector may perform pre-storage minimisation
          and other mitigations (below) to help preserve privacy.</t>
        </section>

        <section title="Anonymity">
          <t>Section 6.1.1 of <xref target="RFC6973"/> describes a way in
          which anonymity is achieved: "there must exist a set of individuals
          that appear to have the same attributes as the individual", defined
          as an "anonymity set".</t>

          <t>Experimental methods for anonymisation of user identifiable data
          applicable to Passive Measurement Methods have been identified in
          <xref target="RFC6235"/>. However, the findings of several of the
          same authors is that "there is increasing evidence that
          anonymisation applied to network trace or flow data on its own is
          insufficient for many data protection applications as in <xref
          target="Bur10"/>."</t>

          <t>Essentially, the details of passive measurement tasks can only be
          accessed by closed organisations, and unknown injection attacks are
          always less expensive than the protections from them. However, some
          forms of summary may protect the user's sensitive information
          sufficiently well, and so each Metric must be evaluated in the light
          of privacy.</t>

          <t>The methods in <xref target="RFC6235"/> could be applied more
          successfully in Active Measurement Methods, where there are
          protections from injection attack. The successful attack would
          require breaking the integrity protection of the LMAP Reporting
          Protocol and injecting Measurement Results (known fingerprint, see
          section 3.2 of <xref target="RFC6973"/>) for inclusion with the
          shared and anonymised results, then fingerprinting those records to
          ascertain the anonymisation process.</t>

          <t>Beside anonymisation of measured Results for a specific user or
          provider, the value of sensitive information can be further diluted
          by summarising the results over many individuals or areas served by
          the provider. There is an opportunity enabled by forming anonymity
          sets <xref target="RFC6973"/> based on the reference path
          measurement points in <xref target="I-D.ietf-ippm-lmap-path"/>. For
          example, all measurements from the Subscriber device can be
          identified as "mp000", instead of using the IP address or other
          device information. The same anonymisation applies to the Internet
          Service Provider, where their Internet gateway would be referred to
          as "mp190".</t>
        </section>

        <section title="Pseudonymity">
          <t>Section 6.1.2 of <xref target="RFC6973"/> indicates that
          pseudonyms, or nicknames, are a possible mitigation to revealing
          one's true identity, since there is no requirement to use real names
          in almost all protocols.</t>

          <t>A pseudonym for a measurement device's IP address could be an
          LMAP-unique equipment ID. However, this would likely be a permanent
          handle for the device, and long-term use weakens a pseudonym's power
          to obscure identity.</t>
        </section>

        <section title="Other Mitigations">
          <t>Data can be de-personalised by blurring it, for example by adding
          synthetic data, data-swapping, or perturbing the values in ways that
          can be reversed or corrected.</t>

          <t>Sections 6.2 and 6.3 of <xref target="RFC6973"/> describe User
          Participation and Security, respectively.</t>

          <t>Where LMAP measurements involve devices on the Subscriber's
          premises or Subscriber-owned equipment, it is essential to secure
          the Subscriber's permission with regard to the specific information
          that will be collected. The informed consent of the Subscriber (and,
          if different, the end user) is needed, including the specific
          purpose of the measurements. The approval process could involve
          showing the Subscriber their measured information and results before
          instituting periodic collection, or before all instances of
          collection, with the option to cancel collection temporarily or
          permanently.</t>

          <t>It should also be clear who is legally responsible for data
          protection (privacy); in some jurisdictions this role is called the
          'data controller'. It is good practice to time limit the storage of
          personal information.</t>

          <t>Although the details of verification would be impenetrable to
          most subscribers, the MA could be architected as an "app" with open
          source-code, pre-download and embedded terms of use and agreement on
          measurements, and protection from code modifications usually
          provided by the app-stores. Further, the app itself could provide
          data reduction and temporary storage mitigations as appropriate and
          certified through code review.</t>

          <t>LMAP protocols, devices, and the information they store clearly
          need to be secure from unauthorised access. This is the hand-off
          between privacy and security considerations (Section 7). The Data
          Controller has the (legal) responsibility to maintain data
          protections described in the Subscriber's agreement and agreements
          with other organisations.</t>

          <t/>
        </section>
      </section>
    </section>

    <section title="IANA Considerations">
      <t>There are no IANA considerations in this memo.</t>
    </section>

    <section title="Acknowledgments">
      <t>This document is a merger of three individual drafts:
      draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, and
      draft-eardley-lmap-framework-02.</t>

      <t>Thanks to Juergen Schoenwaelder for his detailed review of the
      terminology. Thanks to Charles Cook for a very detailed review of
      -02.</t>

      <t>Thanks to numerous people for much discussion, directly and on the
      LMAP list (apologies to those unintentionally omitted): Alan Clark,
      Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
      Trammell, Charles Cook, Dave Thorne, Frode S&oslash;rensen, Greg Mirsky,
      Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit,
      Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Michael
      Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller, Ted
      Lemon, Timothy Carey, Vaibhav Bajpai, William Lupton.</t>

      <t>Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
      the Leone research project, which receives funding from the European
      Union Seventh Framework Programme [FP7/2007-2013] under grant agreement
      number 317647.</t>

      <t/>

      <t/>
    </section>

    <section title="History">
      <t>First WG version, copy of draft-folks-lmap-framework-00.</t>

      <t/>

      <section title="From -00 to -01">
        <t><list style="symbols">
            <t>new sub-section of possible use of Group-IDs for privacy</t>

            <t>tweak to definition of Control protocol</t>

            <t>fix typo in figure in S5.4</t>
          </list></t>
      </section>

      <section title="From -01 to -02">
        <t><list style="symbols">
            <t>change to INFORMATIONAL track (previous version had typo'd
            Standards track)</t>

            <t>new definitions for Capabilities Information and Failure
            Information</t>

            <t>clarify that diagrams show LMAP-level information flows.
            Underlying protocol could do other interactions, eg to get through
            NAT or for Collector to pull a Report</t>

            <t>add hint that after a re-boot should pause random time before
            re-register (to avoid mass calling event)</t>

            <t>delete the open issue "what happens if a Controller fails"
            (normal methods can handle)</t>

            <t>add some extra words about multiple Tasks in one Schedule</t>

            <t>clarify that new Schedule replaces (rather than adds to) and
            old one. Similarly for new configuration of Measurement Tasks or
            Report Channels.</t>

            <t>clarify suppression is temporary stop; send a new Schedule to
            permanently stop Tasks</t>

            <t>alter suppression so it is ACKed</t>

            <t>add un-suppress message</t>

            <t>expand the text on error reporting, to mention Reporting
            failures (as well as failures to action or execute Measurement
            Task &amp; Schedule)</t>

            <t>add some text about how to have Tasks running indefinitely</t>

            <t>add that optionally a Report is not sent when there are no
            Measurement Results</t>

            <t>add that a Measurement Task may create more than one
            Measurement Result</t>

            <t>clarify /amend /expand that Reports include the "raw"
            Measurement Results - any pre-processing is left for lmap2.0</t>

            <t>add some cautionary words about what if the Collector
            unexpectedly doesn't hear from a MA</t>

            <t>add some extra words about the potential impact of Measurement
            Tasks</t>

            <t>clarified various aspects of the privacy section</t>

            <t>updated references</t>

            <t>minor tweaks</t>
          </list></t>
      </section>

      <section title="From -02 to -03">
        <t><list style="symbols">
            <t>alignment with the Information Model <xref
            target="I-D.burbridge-lmap-information-model"/> as this is agreed
            as a WG document</t>

            <t>One-off and periodic Measurement Schedules are kept separate,
            so that they can be updated independently</t>

            <t>Measurement Suppression in a separate sub-section. Can now
            optionally include particular Measurement Tasks &amp;/or Schedules
            to suppress, and start/stop time</t>

            <t>for clarity, concept of Channel split into Control, Report and
            MA-to-Controller Channels</t>

            <t>numerous editorial changes, mainly arising from a very detailed
            review by Charles Cook</t>

            <t/>
          </list></t>
      </section>
    </section>
  </middle>

  <back>
    <references title="Informative References">
      <reference anchor="Bur10">
        <front>
          <title>The Role of Network Trace anonymisation Under Attack</title>

          <author initials="M" surname="Burkhart">
            <organization>Burkhart</organization>
          </author>

          <author initials="D" surname="Schatzmann">
            <organization/>
          </author>

          <author initials="B" surname="Trammell">
            <organization/>
          </author>

          <author initials="E" surname="Boschi">
            <organization>ACM Computer Communications Review, vol. 40, no. 1,
            pp. 6-11</organization>
          </author>

          <date month="January" year="2010"/>
        </front>
      </reference>

      <reference anchor="Q1741">
        <front>
          <title>IMT-2000 references to Release 9 of GSM-evolved UMTS core
          network</title>

          <author fullname="ITU-T Recommendation" initials=""
                  surname="Q.1741.7">
            <!---->

            <organization abbrev="Boeing">Boeing Computer
            Services</organization>
          </author>

          <date month="November" year="2011"/>
        </front>

        <seriesInfo name="" value="http://www.itu.int/rec/T-REC-Q.1741.7/en"/>
      </reference>

      <?rfc include='reference.RFC.1035'?>

      <?rfc include='reference.RFC.4101'?>

      <?rfc include='reference.RFC.4122'?>

      <?rfc include='reference.RFC.5357'?>

      <?rfc include='reference.I-D.ietf-lmap-use-cases'?>

      <?rfc include='reference.I-D.bagnulo-ippm-new-registry-independent'?>

      <?rfc include='reference.I-D.ietf-homenet-arch'?>

      <?rfc include='reference.RFC.6419'?>

      <?rfc include='reference.RFC.6887'?>

      <?rfc include='reference.RFC.5533'?>

      <?rfc include='reference.I-D.burbridge-lmap-information-model'?>

      <?rfc include='reference.RFC.6235'?>

      <?rfc include='reference.RFC.6973'?>

      <?rfc include='reference.I-D.ietf-ippm-lmap-path'?>
    </references>
  </back>
</rfc>
