idnits 2.17.1 draft-ietf-lmap-framework-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 6, 2013) is 3795 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 250 -- Looks like a reference, but probably isn't: '180' on line 250 == Outdated reference: A later version (-06) exists of draft-ietf-lmap-use-cases-00 == Outdated reference: A later version (-17) exists of draft-ietf-homenet-arch-11 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Eardley 3 Internet-Draft BT 4 Intended status: Informational A. Morton 5 Expires: June 9, 2014 AT&T Labs 6 M. Bagnulo 7 UC3M 8 T. Burbridge 9 BT 10 P. Aitken 11 A. Akhter 12 Cisco Systems 13 December 6, 2013 15 A framework for large-scale measurement platforms (LMAP) 16 draft-ietf-lmap-framework-02 18 Abstract 20 Measuring broadband service on a large scale requires a description 21 of the logical architecture and standardisation of the key protocols 22 that coordinate interactions between the components. The document 23 presents an overall framework for large-scale measurements. It also 24 defines terminology for LMAP (large-scale measurement platforms). 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on June 9, 2014. 43 Copyright Notice 45 Copyright (c) 2013 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Outline of an LMAP-based measurement system . . . . . . . . . 5 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 10 64 4.1. Measurement system is under the direction of a single 65 organisation . . . . . . . . . . . . . . . . . . . . . . 10 66 4.2. Each MA may only have a single Controller at any point in 67 time . . . . . . . . . . . . . . . . . . . . . . . . . . 11 68 5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 11 69 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 12 70 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 14 71 5.3. Starting and stopping Measurement Tasks . . . . . . . . . 16 72 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 17 73 5.5. Items beyond the scope of the LMAP Protocol Model . . . . 19 74 5.5.1. User-controlled measurement system . . . . . . . . . 20 75 6. MA Deployment considerations . . . . . . . . . . . . . . . . 20 76 6.1. Measurement Agent embedded in site gateway . . . . . . . 21 77 6.2. Measurement Agent embedded behind Site NAT /Firewall . . 21 78 6.3. Measurement Agent in multi homed site . . . . . . . . . . 21 79 7. Security considerations . . . . . . . . . . . . . . . . . . . 22 80 8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 23 81 8.1. Categories of Entities with Information of Interest . . . 23 82 8.2. Examples of Sensitive Information . . . . . . . . . . . . 24 83 8.3. Key Distinction Between Active and Passive Measurement 84 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 25 85 8.4. Privacy analysis of the Communications Models . . . . . . 26 86 8.4.1. MA Bootstrapping and Registration . . . . . . . . . . 26 87 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 27 88 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 27 89 8.4.4. Active Measurement Peer <-> Measurement Agent . . . . 28 90 8.4.5. Passive Measurement Peer <-> Measurement Agent . . . 29 91 8.4.6. Result Storage and Reporting . . . . . . . . . . . . 29 92 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 30 93 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 30 94 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 30 95 8.5.3. Correlation and Identification . . . . . . . . . . . 31 96 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 31 97 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 31 98 8.6.1. Data Minimization . . . . . . . . . . . . . . . . . . 32 99 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 32 100 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 33 101 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 34 102 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 103 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 104 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 105 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 35 106 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 35 107 12. Informative References . . . . . . . . . . . . . . . . . . . 36 108 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 110 1. Introduction 112 There is a desire to be able to coordinate the execution of broadband 113 measurements and the collection of measurement results across a large 114 scale set of diverse devices. These devices could be software based 115 agents on PCs, embedded agents in consumer devices (e.g. blu-ray 116 players), service provider controlled devices such as set-top players 117 and home gateways, or simply dedicated probes. It is expected that 118 such a system could easily comprise 100k devices. Such a scale 119 presents unique problems in coordination, execution and measurement 120 result collection. Several use cases have been proposed for large- 121 scale measurements including: 123 o Operators: to help plan their network and identify faults 125 o Regulators: to benchmark several network operators and support 126 public policy development 128 Further details of the use cases can be found at 129 [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for 130 these, as well as other use cases that the LMAP WG doesn't 131 concentrate on, such as to help end users run diagnostic checks like 132 a network speed test. 134 The LMAP framework has four basic elements: Measurement Agents, 135 Measurement Peers, Controllers and Collectors. 137 Measurement Agents (MAs) perform network measurements. They are 138 pieces of code that can be executed in specialized hardware (hardware 139 probe) or on a general-purpose device (like a PC or mobile phone). 140 The Measurement Agents may have multiple interfaces (WiFi, Ethernet, 141 DSL, fibre, etc.) and the measurements may specify any one of these. 142 Measurements may be active (the MA or Measurement Peer (MP) generates 143 test traffic), passive (the MA observes user traffic), or some hybrid 144 form of the two. For active measurement tasks, the MA (or MP) 145 generates test traffic and measures some metric associated with its 146 transfer over the path to (or from) a Measurement Peer. For example, 147 one active measurement task could be to measure the UDP latency 148 between the MA and a given MP. MAs may also conduct passive testing 149 through the observation of traffic. The measurements themselves may 150 be on IPv4, IPv6, and on various services (DNS, HTTP, XMPP, FTP, 151 VoIP, etc.). 153 The Controller manages one or more MAs by instructing it which 154 measurement tasks it should perform and when. For example it may 155 instruct a MA at a home gateway: "Measure the 'UDP latency' with the 156 Measurement Peer mp.example.org; repeat every hour at xx.05". The 157 Controller also manages a MA by instructing it how to report the 158 measurement results, for example: "Report results once a day in a 159 batch at 4am". We refer to these as the Measurement Schedule and 160 Report Schedule. 162 The Collector accepts Reports from the MAs with the results from 163 their measurement tasks. Therefore the MA is a device that gets 164 instructions from the Controller initiates the measurement tasks, and 165 reports to the Collector. 167 There are additional elements that are part of a measurement system, 168 but that are out of the scope for LMAP. We provide a detailed 169 discussion of all the elements in the rest of the document. 171 The desirable features for a large-scale measurement systems we are 172 designing for are: 174 o Standardised - in terms of the tests that they perform, the 175 components, the data models and protocols for transferring 176 information between the components. For example so that it is 177 meaningful to compare measurements made of the same metric at 178 different times and places. For example so that the operator of a 179 measurement system can buy the various components from different 180 vendors. Today's systems are proprietary in some or all of these 181 aspects. 183 o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement 184 Agents in every home gateway and edge device such as set-top-boxes 185 and tablet computers. Existing systems have up to a few thousand 186 Measurement Agents (without judging how much further they could 187 scale). 189 o Diversity - a measurement system should handle different types of 190 Measurement Agent - for example Measurement Agents may come from 191 different vendors, be in wired and wireless networks and be on 192 devices with IPv4 or IPv6 addresses. 194 2. Outline of an LMAP-based measurement system 196 Figure 1 shows the main components of a measurement system, and the 197 interactions of those components. Some of the components are outside 198 the scope of LMAP. In this section we provide an overview on the 199 whole measurement system and we introduce the main terms needed for 200 the LMAP framework. The new terms are capitalized. In the next 201 section we provide a terminology section with a compilation of all 202 the LMAP terms and their definition. The subsequent sections study 203 the LMAP components in more detail. 205 A Measurement Task measures some performance or reliability Metric of 206 interest. An Active Measurement Task involves either a Measurement 207 Agent (MA) injecting Test Traffic into the network destined for a 208 Measurement Peer (MP), and/or a MP sending Test Traffic to a MA; one 209 of them measures the some parameter associated with the transfer of 210 the packet(s). A Passive Measurement Task involves only a MA, which 211 simply observes existing traffic - for example, it could simply count 212 bytes or it might calculate the average loss for a particular flow. 214 It is very useful to standardise Measurement Methods (a Measurement 215 Method is a generalisation of a Measurement Task), so that it is 216 meaningful to compare measurements of the same Metric made at 217 different times and places. It is also useful to define a registry 218 for commonly-used Metrics [I-D.bagnulo-ippm-new-registry-independent] 219 so that a Measurement Method can be referred to simply by its 220 identifier in the registry. The Measurement Methods and registry 221 would hopefully also be referenced by other standards organisations. 223 In order for a Measurement Agent and a Measurement Peer to execute an 224 Active Measurement Task, they exchange Active Measurement Traffic. 225 The protocols used for the Active Measurement Traffic is out of the 226 scope of the LMAP WG and falls within the scope of other IETF WGs 227 such as IPPM. 229 For Measurement Results to be truly comparable, as might be required 230 by a regulator, not only do the same Measurement Methods need to be 231 used but also the set of Measurement Tasks should follow a similar 232 Measurement Schedule and be of similar number. The details of such a 233 characterisation plan are beyond the scope of work in IETF although 234 certainly facilitated by IETF's work. 236 The next components we consider are the Measurement Agent (MA), 237 Controller and Collector. The main work of the LMAP working group is 238 to define the Control Protocol between the Controller and MA, and the 239 Report Protocol between the MA and Collector. Section 4 onwards 240 considers the LMAP compnents in more detail; here we introduce them. 242 The Controller manages a MA by instructing it which Measurement Tasks 243 it should perform and when. For example it may instruct a MA at a 244 home gateway: "Run the 'download speed test' with the Measurement 245 Peer at the end user's first IP point in the network; if the end user 246 is active then delay the test and re-try 1 minute later, with up to 3 247 re-tries; repeat every hour at xx.05 + Unif[0,180] seconds". The 248 Controller also manages a MA by instructing it how to report the 249 Measurement Results, for example: "Report results once a day in a 250 batch at 4am + Unif[0,180] seconds; if the end user is active then 251 delay the report 5 minutes". As well as regular Measurement Tasks, a 252 Controller can initiate a one-off Measurement Task ("Do measurement 253 now", "Report as soon as possible"). These are called the 254 Measurement and Report Schedule. 256 The Collector accepts a Report from a MA with the results from its 257 tests. It may also do some processing on the results - for instance 258 to eliminate outliers, as they can severely impact the aggregated 259 results. 261 Finally we introduce several components that are out of scope of the 262 LMAP WG and will be provided through existing protocols or 263 applications. They affect how the measurement system uses the 264 Measurement Results and how it decides what set of Measurement Tasks 265 to perform. 267 The MA needs to be bootstrapped with initial details about its 268 Controller, including authentication credentials. The LMAP WG 269 considers the boostrap process, since it affects the Information 270 Model. However, it does not define a bootstrap protocol, since it is 271 likely to be technology specific and could be defined by the 272 Broadband Forum, DOCSIS or IEEE. depending on the device. Possible 273 protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management 274 Protocol (CWMP) from the Auto Configuration Server (ACS) (as 275 specified in TR-069). 277 A Subscriber Parameter Database contains information about the line, 278 for example the customer's broadband contract (perhaps 2, 40 or 80Mb/ 279 s), the line technology (DSL or fibre), the time zone where the MA is 280 located, and the type of home gateway and MA. These are all factors 281 which may affect the choice of what Measurement Tasks to run and how 282 to interpret the Measurement Results. For example, a download test 283 suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s 284 line. Another example is if the Controller wants to run a one-off 285 Measurement Task to diagnose a fault, then it should understand what 286 problem the customer is experiencing and what Measurement Tasks have 287 already been run. The Subscribers' service parameters are already 288 gathered and stored by existing operations systems. 290 A Results Repository records all measurements in an equivalent form, 291 for example an SQL database, so that they can be easily accessed by 292 the Data Analysis Tools. The Data Analysis Tools also need to 293 understand the Subscriber's service information, for example the 294 broadband contract. 296 The Data Analysis Tools receive the results from the Collector or via 297 the Results Database. They might visualise the data or identify 298 which component or link is likely to be the cause of a fault or 299 degradation. 301 The operator's OAM (Operations, Administration, and Maintenance) uses 302 the results from the tools. 304 ^ 305 | 306 IPPM 307 +---------------+ Test +-------------+ Scope 308 +------->| Measurement |<---------->| Measurement | v 309 | | Agent | Traffic | Peer | ^ 310 | +---------------+ +-------------+ | 311 | ^ | | 312 | Instruction | | Report | 313 | | +-----------------+ | 314 | | | | 315 | | v LMAP 316 | +------------+ +------------+ Scope 317 | | Controller | | Collector | | 318 | +------------+ +------------+ v 319 | ^ ^ | ^ 320 | | | | | 321 | | +----------+ | | 322 | | | v | 323 +------------+ +----------+ +--------+ +----------+ | 324 |Bootstrapper| |Subscriber|--->| Data |<---|Repository| Out 325 +------------+ |Parameter | |Analysis| +----------+ of 326 |Database | | Tools | Scope 327 +----------+ +--------+ | 328 | 329 v 331 Figure 1: Schematic of main elements of an LMAP-based 332 measurement system 333 (showing the elements in and out of the scope of the LMAP WG) 335 3. Terminology 337 This section defines terminology for LMAP. Please note that defined 338 terms are capitalized. 340 Active Measurement Method (Task): A type of Measurement Method (Task) 341 that involves a Measurement Agent and a Measurement Peer (or possibly 342 Peers), where either the Measurement Agent or the Measurement Peer 343 injects test packet(s) into the network destined for the other, and 344 which involves one of them measuring some performance or reliability 345 parameter associated with the transfer of the packet(s). 347 Bootstrap Protocol: A protocol that initialises a Measurement Agent 348 with the information necessary to be integrated into a measurement 349 system. 351 Capabilities Information: The list of the Measurement Methods that 352 the MA can perform, plus information about the device hosting the MA 353 (for example its interface type and speed and its IP address). 355 Channel: a schedule, a target and the associated security information 356 for that target. In the case of a Report Channel it is a specific 357 Report Schedule, a Collector and its associated security information. 359 Collector: A function that receives a Report from a Measurement 360 Agent. Colloquially, a Collector is a physical device that performs 361 this function. 363 Controller: A function that provides a Measurement Agent with 364 Instruction(s). Colloquially, a Controller is a physical device that 365 performs this function. 367 Control Protocol: The protocol delivering Instruction(s) from a 368 Controller to a Measurement Agent. It also delivers Failure 369 Information and Capabilities Information from the Measurement Agent 370 to the Controller. 372 Cycle-ID: A tag that is sent by the Controller in an Instruction and 373 echoed by the MA in its Report; Measurement Results with the same 374 Cycle-ID are expected to be comparable. 376 Data Model: The implementation of an Information Model in a 377 particular data modelling language. 379 Derived Metric: A Metric that is a combination of other Metrics, and/ 380 or a combination of the same Metric measured over different parts of 381 the network, or at different times. 383 Environmental Constraint: A parameter that is measured as part of the 384 Measurement Task, its value determining whether the rest of the 385 Measurement Task proceeds. 387 Failure Information: Information about the MA's failure to action or 388 execute an Instruction, whether concerning Measurement Tasks or 389 Reporting. 391 Group-ID: An identifier of a group of MAs. 393 Information Model: The protocol-neutral definition of the semantics 394 of the Instructions, the Report, the status of the different elements 395 of the measurement system as well of the events in the system. 397 Instruction: The description of Measurement Tasks to perform and the 398 details of the Report to send. The Instruction is sent by a 399 Controller to a Measurement Agent. 401 Measurement Agent (MA): The function that receives Instructions from 402 a Controller, performs Measurement Tasks (perhaps in concert with a 403 Measurement Peer) and reports Measurement Results to a Collector. 404 Colloquially, a Measurement Agent is a physical device that performs 405 this function. 407 Measurement Method: The process for assessing the value of a Metric; 408 the process of measuring some performance or reliability parameter; 409 the generalisation of a Measurement Task. 411 Measurement Parameter: A parameter whose value is left open by the 412 Measurement Method. 414 Measurement Peer: The function that receives control messages and 415 test packets from a Measurement Agent and may reply to the 416 Measurement Agent as defined by the Measurement Method. 418 Measurement Result: The output of a single Measurement Task (the 419 value obtained for the parameter of interest, or Metric). 421 Measurement Schedule: the schedule for performing a series of 422 Measurement Tasks. 424 Measurement Suppression: a type of Instruction that stops 425 (suppresses) Measurement Tasks. 427 Measurement Task: The act that yields a single Measurement Result; 428 the act consisting of the (single) operation of the Measurement 429 Method at a particular time and with all its parameters set to 430 specific values. 432 Metric: The quantity related to the performance and reliability of 433 the Internet that we'd like to know the value of, and that is 434 carefully specified. 436 Passive Measurement Method (Task): A Measurement Method (Task) in 437 which a Measurement Agent observes existing traffic at a specific 438 measurement point, but does not inject test packet(s). 440 Report: The Measurement Results and other associated information (as 441 defined by the Instruction). The Report is sent by a Measurement 442 Agent to a Collector. 444 Report Protocol: The protocol delivering Report(s) from a Measurement 445 Agent to a Collector. 447 Report Schedule: the schedule for sending a series of Reports to a 448 Collector. 450 Subscriber: An entity (associated with one or more users) that is 451 engaged in a subscription with a service provider. The subscriber is 452 allowed to subscribe and un-subscribe services, and to register a 453 user or a list of users authorized to enjoy these services. [Q1741] 454 Both the subscriber and service provider are allowed to set the 455 limits relative to the use that associated users make of subscribed 456 services. 458 Active Measurement Traffic: for Active Measurement Tasks, the traffic 459 generated by the Measurement Agent and/or the Measurement Peer to 460 execute the requested Measurement Task. 462 4. Constraints 464 The LMAP framework makes some important assumptions, which constrain 465 the scope of the work to be done. 467 4.1. Measurement system is under the direction of a single organisation 469 In the LMAP framework, the measurement system is under the direction 470 of a single organisation that is responsible both for the data and 471 the quality of experience delivered to its users. Clear 472 responsibility is critical given that a misbehaving large-scale 473 measurement system could potentially harm user experience, user 474 privacy and network security. 476 However, the components of an LMAP measurement system can be deployed 477 in administrative domains that are not owned by the measuring 478 organisation. Thus, the system of functions deployed by a single 479 organisation constitutes a single LMAP domain which may span 480 ownership or other administrative boundaries. 482 4.2. Each MA may only have a single Controller at any point in time 484 A MA is instructed by one Controller and is in one measurement 485 system. The constraint avoids different Controllers giving a MA 486 conflicting instructions and so means that the MA does not have to 487 manage contention between multiple Measurement (or Report) Schedules. 488 This simplifies the design of MAs (critical for a large-scale 489 infrastructure) and allows a Measurement Schedule to be tested on 490 specific types of MA before deployment to ensure that the end user 491 experience is not impacted (due to CPU, memory or broadband-product 492 constraints). 494 An operator may have several Controllers, perhaps with a Controller 495 for different types of MA (home gateways, tablets) or location 496 (Ipswich, Edinburgh). 498 5. LMAP Protocol Model 500 A protocol model presents (RFC4101) "an architectural model for how 501 the protocol operates ... a short description of the system in 502 overview form, ... [which] needs to answer three basic questions: 504 1. What problem is the protocol trying to achieve? 506 2. What messages are being transmitted and what do they mean? 508 3. What are the important, but unobvious, features of the protocol?" 510 An LMAP system goes through the following phases: 512 o a bootstrapping process before the MA can take part in the three 513 items below 515 o a Control Protocol, which delivers an Instruction from a 516 Controller and a MA. The Instruction details what Measurement 517 Tasks the MA should perform and when, and how it should report the 518 Measurement Results 520 o the actual Measurement Tasks are performed. An Active Measurement 521 Task involves sending Active Measurement Traffic between the 522 Measurement Agent and a Measurement Peer, whilst a Passive 523 Measurement Task involves (only) the Measurement Agent observing 524 existing user traffic. The LMAP WG does not define Measurement 525 Methods, however the IPPM WG does. 527 o a Report Protocol, which delivers a Report from the MA to a 528 Collector. The Report contains the Measurement Results. 530 In the diagrams the following convention is used: 532 o (optional): indicated by round brackets 534 o [potentially repeated]: indicated by square brackets 536 The Protocol Model is closely related to the Information Model 537 [I-D.burbridge-lmap-information-model], which is the abstract 538 definition of the information carried by the protocol model. The 539 purpose of both is to provide a protocol and device independent view, 540 which can be implemented via specific protocols. The LMAP WG will 541 define a specific Control Protocol and Report Protocol, but other 542 Protocols could be defined by other standards bodies or be 543 proprietary. However it is important that they all implement the 544 same Information and Protocol Model, in order to ease the definition, 545 operation and interoperability of large-scale measurement systems. 547 The diagrams show the flow of LMAP information, however there may 548 need to be other protocol interactions. For example, typically the 549 MA is behind a NAT, so it needs to initiate communications in order 550 that the Controller can communicate with it. The communications 551 channel also needs to be secured before it is used. Another example 552 is that the Collector may want to 'pull' Measurement Results from a 553 MA. 555 5.1. Bootstrapping process 557 The primary purpose of bootstrapping is to enable the MA and 558 Controller to be integrated into a measurement system. In order to 559 do that, the MA needs to retrieve information about itself (like its 560 identity in the measurement system), about the Controller and the 561 Collector(s) as well as security information (such as certificates 562 and credentials). 564 +--------------+ 565 | Measurement | 566 | Agent | 567 +--------------+ 568 (Initial Controller details: 569 address or FQDN, -> 570 security credentials, MA-ID) 572 +-----------------+ 573 | Initial | 574 | Controller | 575 +-----------------+ 576 <- (register) 577 Controller details: 578 address or FQDN, -> 579 security credentials 581 +-----------------+ 582 | | 583 | Controller | 584 +-----------------+ 585 <- register 586 (MA-ID, Group-ID, report?) -> 588 The MA knows how to contact a Controller through some device /access 589 specific mechanism. For example, this could be in the firmware, 590 downloaded, manually configured or via a protocol like TR-069. The 591 Controller could either be the one that will send it Instructions 592 (see next sub-section) or else an initial Controller. The role of an 593 initial Controller is simply to inform the MA how to contact its 594 actual Controller; this could be useful, for example: for load 595 balancing; if the details of the initial Controller are statically 596 configured; if the measurement system has specific Controllers for 597 different devices types; or perhaps as a way of handling failure of 598 the Controller. 600 If the MA has not learnt its identifier (MA-ID) while bootstrapping, 601 it will do so when the MA registers with the Controller; it may also 602 be told a Group-ID and whether to include the MA-ID as well as the 603 Group-ID in its Reports. A Group-ID would be shared by several MAs 604 and could be useful for privacy reasons (for instance to hinder 605 tracking of a mobile MA device). The MA may also tell the Controller 606 its Capabilities (such as the Measurement Methods it can perform) 607 (see next sub-section). 609 If the device with the MA re-boots, then the MA need to re-register, 610 so that it can receive a new Instruction. To avoid a "mass calling 611 event" after a widespread power restoration affecting many MAs, it is 612 sensible for an MA to pause for a random delay (perhaps in the range 613 of one minute) before re-registering. 615 Whilst the LMAP WG considers the bootstrapping process, it is out of 616 scope to define a bootstrap mechanism, as it depends on the type of 617 device and access. 619 5.2. Control Protocol 621 The primary purpose of the Control Protocol is to allow the 622 Controller to configure a Measurement Agent with Measurement 623 Instructions, which it then acts on autonomously. 625 +-----------------+ +-------------+ 626 | | | Measurement | 627 | Controller |===================================| Agent | 628 +-----------------+ +-------------+ 630 (Capability request) -> 631 <- List of Measurement 632 Methods 633 ACK -> 635 Instruction: 636 [(Measurement Task (parameters)), -> 637 (Measurement Schedule), 638 (Report Channel(s))] 639 <- ACK 641 Suppress -> 642 <- ACK 643 Un-suppress -> 644 <- ACK 646 <- Failure report: 647 [reason] 648 ACK -> 650 The Instruction contains: 652 o what Measurement Tasks to do: the Measurement Methods could be 653 defined by reference to a registry entry, along with any 654 parameters that need to be set (such as the address of the 655 Measurement Peer) and any Environmental Constraint (such as, 656 'delay the measurement task if the end user is active') 658 o when to do them: the Measurement Schedule details the timings of 659 regular measurement tasks, one-off measurement tasks 661 o how to report the Measurement Results: via Reporting Channel(s), 662 each of which defines a target Collector and Report Schedule 664 An Instruction could contain one or more of the above elements, since 665 the Controller may want the MA to perform several different 666 Measurement Tasks (measure UDP latency and download speed), at 667 several frequencies (a regular test every hour and a one-off test 668 immediately), and report to several Collectors. The different 669 elements can be updated independently at different times and 670 regularities, for example it is likely that the Measurement Schedule 671 will be updated more often than the other elements. 673 A new Instruction replaces (rather than adds to) those elements that 674 it includes. For example, if the new Instruction includes (only) a 675 Measurement Schedule, then that replaces the old Measurement Schedule 676 but does not alter the configuration of the Measurement Tasks and 677 Report Channels. 679 If the Instruction includes several Measurement Tasks, these could be 680 scheduled to run at different times or possibly at the same time - 681 some Tasks may be compatible, in that they do not affect each other's 682 Results, whilst with others great care would need to be taken. 684 A Measurement Task may create more than one Measurement Result. For 685 example, one Result could be reported periodically, whilst another 686 could be an alarm that is reported immediately a the measured value 687 of a Metric goes below a threshold. 689 In general we expect that the Controller knows what Measurement 690 Methods the MA supports, such that the Controller can correctly 691 instruct the MA. Note that the Control Protocol does not allow 692 negotiation (which would add complexity to the MA, Controller and 693 Control Protocol for little benefit). 695 However, the Control protocol includes a Capabilities detection 696 feature, through which the MA can send to the Controller the complete 697 list of Measurement Methods that it is capable of. Note that it is 698 not intended to indicate dynamic capabilities like the MA's currently 699 unused CPU, memory or battery life. The list of Measurement Methods 700 could be useful in several circumstances: when the MA first 701 communicates with a Controller; when the MA becomes capable of a new 702 Measurement Method; when requested by the Controller (for example, if 703 the Controller forgets what the MA can do or otherwise wants to 704 resynchronize what it knows about the MA). 706 The Controller has the ability to send a "suppress" message to MAs. 707 This could be useful if there is some unexpected network issue and so 708 the measurement system wants to eliminate inessential traffic. As a 709 result, temporarily the MA does not start new Active Measurement 710 Tasks, and it may also stop in-progress Measurement Tasks, especially 711 ones that are long-running &/or create a lot of traffic. See the 712 next section for more information on stopping Measurement Tasks. 713 Note that if a Controller wants to permanently stop a Measurement 714 Task, it should send a new Measurement Schedule, as suppression is 715 intended to temporarily stop Tasks. The Controller can send an "un- 716 suppress" message to indicate that the temporary problem is solved 717 and Active Measurement Tasks can begin again. 719 The figure shows that the various messages are acknowledged, which 720 means that they have been delivered successfully. 722 There is no need for the MA to confirm to the Controller that it has 723 understood and acted on the Instruction, since the Controller knows 724 the capabilities of the MA. However, the Control Protocol must 725 support robust error reporting by the MA, to provide the Controller 726 with sufficiently detailed reasons for any failures. These could 727 concern either the Measurement Tasks and Schedules, or the Reporting. 728 In both cases there are two broad categories of failure. Firstly, 729 the MA cannot action the Instruction (for example, it doesn't include 730 a parameter that is mandatory for the requested Measurement Method; 731 or it is missing details of the target Collector). Secondly, the MA 732 cannot execute the Measurement Task or deliver the Report (for 733 example, the MA unexpectedly has no spare CPU cycles; or the 734 Collector is not responding). Note that it is not considered a 735 failure if a Measurement Task (correctly) doesn't start - for example 736 if the MA detects cross-traffic; instead this is reported to the 737 Collector in the normal manner. 739 Finally, note that the MA doesn't do a 'safety check' with the 740 Controller (that it should still continue with the requested 741 Measurement Tasks) - nor does it inform the Controller about 742 Measurement Tasks starting and stopping. It simply carries out the 743 Measurement Tasks as instructed, unless it gets an updated 744 Instruction. 746 The LMAP WG will define a Control Protocol and its associated Data 747 Model that implements the Protocol & Information Model. This may be 748 a simple instruction - response protocol, and LMAP will specify how 749 it operates over an existing protocol - to be selected, perhaps REST- 750 style HTTP(s) or NETCONF-YANG. 752 5.3. Starting and stopping Measurement Tasks 754 The LMAP WG is neutral to what the actual Measurement Task is. The 755 WG does not define a generic start and stop process, since the 756 correct approach depend on the particular Measurement Task; the 757 details are defined as part of each Measurement Method, and hence 758 potentially by the IPPM WG. 760 Once the MA gets its Measurement and Report Schedules from its 761 Controller then it acts autonomously, in terms of operation of the 762 Measurement Tasks and reporting of the result. One implication is 763 that the MA initiates Measurement Tasks. As an example, for the 764 common case where the MA is on a home gateway, the MA initiates a 765 'download speed test' by asking a Measurement Peer to send the file. 767 Many Active Measurement Tasks begin with a pre-check before the test 768 traffic is sent. Action could include: 770 o the MA checking that there is no cross-traffic (ie that the user 771 isn't already sending traffic); 773 o the MA checking with the Measurement Peer that it can handle a new 774 Measurement Task (in case the MP is already handling many 775 Measurement Tasks with other MAs); 777 o the first part of the Measurement Task consisting of traffic that 778 probes the path to make sure it isn't overloaded. 780 It is possible that similar checks continue during the Measurement 781 Task, especially one that is long-running &/or creates a lot of Test 782 Traffic, which may be abandoned whilst in-progress. A Measurement 783 Task could also be abandoned in response to a "suppress" message (see 784 previous section). Action could include: 786 o For 'upload' tests, the MA not sending traffic 788 o For 'download' tests, the MA closing the TCP connection or sending 789 a TWAMP Stop control message. 791 The Controller may want a MA to run the same Measurement Task 792 indefinitely (for example, "run the 'upload speed' Measurement Task 793 once an hour until further notice"). To avoid the MA generating 794 traffic forever after a Controller has permanently failed, it is 795 suggested that the Measurement Schedule includes a time limit ("run 796 the 'upload speed' Measurement Task once an hour for the next 30 797 days") and that the Measurement Schedule is updated regularly (say, 798 every 10 days). 800 5.4. Report Protocol 802 The primary purpose of the Report Protocol is to allow a Measurement 803 Agent to report its Measurement Results to a Collector, and the 804 context in which they were obtained. 806 +-----------------+ +-------------+ 807 | | | Measurement | 808 | Collector |===================================| Agent | 809 +-----------------+ +-------------+ 811 <- Report: 812 [MA-ID &/or Group-ID, 813 Measurement Results, 814 Measurement Task] 815 ACK -> 817 The MA acts autonomously in terms of reporting; it simply sends 818 Reports as defined by the Controller's Instruction. 820 The Report contains: 822 o the MA's identifier, or perhaps a Group-ID to anonymise results 824 o the actual Measurement Results, including the time they were 825 measured 827 o the details of the Measurement Task (to avoid the Collector having 828 to ask the Controller for this information later) 830 The MA may report the Results to more than one Collector, if the 831 Instruction says so. It could also report a different subset of 832 Results to different Collectors. 834 Optionally, a Report is not sent when there are no Measurement 835 Results. 837 In the initial LMAP Information Model and Report Protocol, for 838 simplicity we assume that all Measurement Results are reported as-is, 839 but allow extensibility so that a measurement system (or perhaps a 840 second phase of LMAP) could allow a MA to pre-process Measurement 841 Results before it reports them. Potential examples of pre-processing 842 by the MA are: 844 o labelling, or perhaps not including, Measurement Results impacted 845 by for instance cross-traffic or the MP being busy 847 o detailing the start and end of suppression 849 o filtering outlier Results 851 o calculating some statistic like average (beyond that defined by 852 the Measurement Task itself) 854 The measurement system may define what happens if a Collector 855 unexpectedly does not hear from a MA. Possible solutions could 856 include the ability for a Collector to 'pull' Measurement Results 857 from a MA, or (after an out-of-scope indication from the Collector to 858 the Controller) for the Controller to send a fresh Report Schedule to 859 the MA. The measurement system also needs to consider carefully how 860 to interpret missing Results; for example, if the missing Results are 861 ignored and the lack of a Report is caused by its broadband being 862 broken, then the estimate of overall performance, averaged across all 863 MAs, would be too optimistic. 865 The LMAP WG will define a Report Protocol and its associated Data 866 Model that implements the Protocol & Information Model. This may be 867 a simple instruction - response protocol, and LMAP will specify how 868 it operates over an existing protocol - to be selected, perhaps REST- 869 style HTTP(s) or IPFIX. 871 5.5. Items beyond the scope of the LMAP Protocol Model 873 There are several potential interactions between LMAP elements that 874 are out of scope of definition by the LMAP WG: 876 1. It does not define a coordination process between MAs. Whilst a 877 measurement system may define coordinated Measurement Schedules 878 across its various MAs, there is no direct coordination between 879 MAs. 881 2. It does not define interactions between the Collector and 882 Controller. It is quite likely that there will be such 883 interactions, probably intermediated by the data analysis tools. 884 For example if there is an "interesting" Measurement Result then 885 the measurement system may want to trigger extra Measurement 886 Tasks that explore the potential cause in more detail. 888 3. It does not define coordination between different measurement 889 systems. For example, it does not define the interaction of a MA 890 in one measurement system with a Controller or Collector in a 891 different measurement system. Whilst it is likely that the 892 Control and Report protocols could be re-used or adapted for this 893 scenario, any form of coordination between different 894 organisations involves difficult commercial and technical issues 895 and so, given the novelty of large-scale measurement efforts, any 896 form of inter-organisation coordination is outside the scope of 897 the LMAP WG. Note that a single MA is instructed by a single 898 Controller and is only in one measurement system. 900 * An interesting scenario is where a home contains two 901 independent MAs, for example one controlled by a regulator and 902 one controlled by an ISP. Then the test traffic of one MA is 903 treated by the other MA just like any other user traffic. 905 4. It does not specifically define a user-initiated measurement 906 system, see sub-section. 908 5.5.1. User-controlled measurement system 910 The WG concentrates on the cases where an ISP or a regulator runs the 911 measurement system. However, we expect that LMAP functionality will 912 also be used in the context of an end user-controlled measurement 913 system. There are at least two ways this could happen (they have 914 various pros and cons): 916 1. a user could somehow request the ISP- (or regulator-) run 917 measurement system to test his/her line. The ISP (or regulator) 918 Controller would then send an Instruction to the MA in the usual 919 LMAP way. Note that a user can't directly initiate a Measurement 920 Task on an ISP- (or regulator-) controlled MA. 922 2. a user could deploy their own measurement system, with their own 923 MA, Controller and Collector. For example, the user could 924 download all three functions onto the same user-owned end device; 925 then the LMAP Control and Report protocols do not need to be 926 used, but using LMAP's Information Model would still be 927 beneficial. The MP could be in the home gateway or outside the 928 home network; in the latter case the MP is highly likely to be 929 run by a different organisation, which raises extra privacy 930 considerations. 932 In both cases there will be some way for the user to initiate the 933 Measurement Task(s). The mechanism is out-of-scope of the LMAP WG, 934 but could include the user clicking a button on a GUI or sending a 935 text message. Presumably the user will also be able to see the 936 Measurement Results, perhaps summarised on a webpage. It is 937 suggested that these interfaces conform to the LMAP guidance on the 938 privacy of the Measurement Results and Subscriber information. 940 6. MA Deployment considerations 942 The Measurement Agent could take a number of forms: a dedicated 943 probe, software on a PC, embedded into an appliance, or even embedded 944 into a gateway. A single site (home, branch office etc.) that is 945 participating in a measurement could make use of one or multiple 946 Measurement Agents in a single measurement e.g., if there are 947 multiple output interfaces, there might be a Measurement Agent per 948 interface. 950 The Measurement Agent could be deployed in a variety of locations. 951 Not all deployment locations are available to every kind of 952 Measurement Agent operator. There are also a variety of limitations 953 and trade-offs depending on the final placement. The next sections 954 outline some of the locations a Measurement Agent may be deployed. 955 This is not an exhaustive list and combinations of the below may also 956 apply. 958 6.1. Measurement Agent embedded in site gateway 960 A Measurement Agent embedded with the site gateway (e.g. in the case 961 of a a branch office in a managed service environment) is one of 962 better places the Measurement Agent could be deployed. All site to 963 ISP traffic would traverse through the gateway and passive 964 measurements could easily be performed. Similarly, due to this user 965 traffic visibility, an Active Measurements Task could be rescheduled 966 so as not to compete with user traffic. Generally NAT and firewall 967 services are built into the gateway, allowing the Measurement Agent 968 the option to offer its Controller facing management interface 969 outside of the NAT/firewall. This placement of the management 970 interface allows the Controller to unilaterally contact the 971 Measurement Agent for instructions. However, if the site gateway is 972 owned and operated by the service provider, the Measurement Agent 973 will generally not be available for over the top providers, the 974 regulator, end users or enterprises. 976 6.2. Measurement Agent embedded behind Site NAT /Firewall 978 The Measurement Agent could also be embedded behind a NAT, a 979 firewall, or both. In this case the Controller may not be able to 980 unilaterally contact the Measurement Agent unless either static port 981 forwarding configuration or firewall pin holing is configured. This 982 would require user intervention, and ultimately might not be an 983 option available to the user (perhaps due to permissions). The 984 Measurement Agent may originate a session towards the Controller and 985 maintain the session for bidirectional communications. This would 986 alleviate the need to have user intervention on the gateway, but 987 would reduce the overall scalability of the Controller as it would 988 have to maintain a higher number of active sessions. That said, 989 sending keepalives to prop open the firewall could serve a dual 990 purpose in testing network reachability for the Measurement Agent. 991 An alternative would be to use a protocol such as UPnP or PCP 992 [RFC6887] to control the NAT/firewall if the gateway supports this 993 kind of control. 995 6.3. Measurement Agent in multi homed site 996 A broadband site may be multi-homed. For example, the site may be 997 connected to multiple broadband ISPs (perhaps for redundancy or load- 998 sharing), or have a broadband as well as mobile/WiFi connectivity. 999 It may also be helpful to think of dual stack IPv4 and IPv6 broadband 1000 sites as multi-homed. In these cases, there needs to be clarity on 1001 which network connectivity option is being measured. Sometimes this 1002 is easily resolved by the location of the MA itself. For example, if 1003 the MA is built into the gateway (and the gateway only has a single 1004 WAN side interface), there is little confusion or choice. However, 1005 for multi-homed gateways or devices behind the gateway(s) of multi- 1006 homed sites it would be preferable to explicitly select the network 1007 to measure (e.g. [RFC5533]) but the network measured should be 1008 included in the Measurement Result. Section 3.2 of 1009 [I-D.ietf-homenet-arch] describes dual-stack and multi-homing 1010 topologies that might be encountered in a home network (which is 1011 generally a broadband connected site). The Multiple Interfaces (mif) 1012 working group covers cases where hosts are either directly attached 1013 to multiple networks (physical or virtual) or indirectly (multiple 1014 default routers, etc.). [RFC6419] provides the current practices of 1015 multi-interfaces hosts today. As some of the end goals of a MA is to 1016 replicate the end user's network experience, it is important to 1017 understand the current practices. 1019 7. Security considerations 1021 The security of the LMAP framework should protect the interests of 1022 the measurement operator(s), the network user(s) and other actors who 1023 could be impacted by a compromised measurement deployment. The 1024 measurement system must secure the various components of the system 1025 from unauthorised access or corruption. 1027 We assume that each Measurement Agent will receive measurement tasks 1028 configuration, scheduling and reporting instructions from a single 1029 organisation (operator of the Controller). These instructions must 1030 be authenticated (to ensure that they come from the trusted 1031 Controller), checked for integrity (to ensure no-one has tampered 1032 with them) and be prevented from replay. If a malicious party can 1033 gain control of the Measurement Agent they can use the MA 1034 capabilities to launch DoS attacks at targets, reduce the network 1035 user experience and corrupt the measurement results that are reported 1036 to the Collector. By altering the tests that are operated and/or the 1037 Collector address they can also compromise the confidentiality of the 1038 network user and the MA environment (such as information about the 1039 location of devices or their traffic). 1041 The reporting of the MA must also be secured to maintain 1042 confidentiality. The results must be encrypted such that only the 1043 authorised Collector can decrypt the results to prevent the leakage 1044 of confidential or private information. In addition it must be 1045 authenticated that the results have come from the expected MA and 1046 that they have not been tampered with. It must not be possible to 1047 fool a MA into injecting falsified data into the measurement platform 1048 or to corrupt the results of a real MA. The results must also be 1049 held and processed securely after collection and analysis. 1051 Availability should also be considered. While the loss of some MAs 1052 may not be considered critical, the unavailability of the Collector 1053 could mean that valuable business data or data critical to a 1054 regulatory process is lost. Similarly, the unavailability of a 1055 Controller could mean that the MAs do not operate a correct 1056 Measurement Schedule. 1058 A malicious party could "game the system". For example, where a 1059 regulator is running a measurement system in order to benchmark 1060 operators, an operator could try to identify the broadband lines that 1061 the regulator was measuring and prioritise that traffic. This 1062 potential issue is currently handled by a code of conduct. It is 1063 outside the scope of the LMAP WG to consider the issue. 1065 8. Privacy Considerations for LMAP 1067 The LMAP Working Group will consider privacy as a core requirement 1068 and will ensure that by default measurement and collection mechanisms 1069 and protocols operate in a privacy-sensitive manner, i.e. that 1070 privacy features are well-defined. 1072 This section provides a set of privacy considerations for LMAP. This 1073 section benefits greatly from the timely publication of [RFC6973]. 1074 There are dependencies on the integrity of the LMAP security 1075 mechanisms, described in the Security Considerations section above. 1077 We begin with a set of assumptions related to protecting the 1078 sensitive information of individuals and organizations participating 1079 in LMAP-orchestrated measurement and data collection. 1081 8.1. Categories of Entities with Information of Interest 1083 LMAP protocols need to protect the sensitive information of the 1084 following entities, including individuals and organizations who 1085 participate in measurement and collection of results. 1087 o Individual Internet Users: Persons who utilize Internet access 1088 services for communications tasks, according to the terms of 1089 service of a service agreement. Such persons may be a Service 1090 Subscriber, or have been given permission by the subscriber to use 1091 the service. 1093 o Internet Service Providers: Organizations who offer Internet 1094 access service subscriptions, and thus have access to sensitive 1095 information of Individuals who choose to use the service. These 1096 organizations desire to protect their subscribers and their own 1097 sensitive information which may be stored in the process of 1098 measurement and result collection. 1100 o Other LMAP system Operators: Organizations who operate measurement 1101 systems or participate in measurements in some way. 1103 Although privacy is a protection extended to individuals, we include 1104 discussion of ISPs and other LMAP system operators in this section. 1105 These organizations have sensitive information involved in the LMAP 1106 system and revealed by measurements, and many of the same mitigations 1107 are applicable. Further, the ISPs store information on their 1108 subscribers beyond that used in the LMAP system (e.g., billing 1109 information), and there should be a benefit in considering all the 1110 needs and potential solutions coherently. 1112 8.2. Examples of Sensitive Information 1114 This section gives examples of sensitive information which may be 1115 measured or stored in a measurement system, and which is to be kept 1116 private by default in the LMAP core protocols. 1118 Examples of Subscriber or authorized Internet User Sensitive 1119 Information: 1121 o Sub-IP layer addresses and names (e.g., MAC address, BS id, SSID) 1123 o IP address in use 1125 o Personal Identification (Real Name) 1127 o Location (street address, city) 1129 o Subscribed Service Parameters 1131 o Contents of Traffic (Activity, DNS queries, Destinations, 1132 Equipment types, Account info for other services, etc.) 1134 o Status as a study volunteer and Schedule of (Active) Measurement 1135 Tasks 1137 Examples of Internet Service Provider Sensitive Information: 1139 o Measurement Device Identification (Equipment ID and IP address) 1140 o Measurement Instructions (choice of measurements) 1142 o Measurement Results (some may be shared, others may be private) 1144 o Measurement Schedule (exact times) 1146 o Network Topology (Locations, Connectivity, Redundancy) 1148 o Subscriber billing information, and any of the above Subscriber 1149 Information known to the provider. 1151 o Authentication credentials (e.g., certificates) 1153 Other organizations will have some combination of the lists above. 1154 The LMAP system would not typically expose all of the information 1155 above, but could expose a combination of items which could be 1156 correlated with other pieces collected by an attacker (as discussed 1157 in the section on Threats below). 1159 8.3. Key Distinction Between Active and Passive Measurement Tasks 1161 There are many possible definitions for the two main categories of 1162 measurement types, active and passive. For the purposes of this 1163 memo, we describe Passive and Active Measurements as follows: 1165 Passive: measurements conducted on Internet User traffic, such that 1166 sensitive information is present and stored in the measurement system 1167 (however briefly this storage may be). We note that some authorities 1168 make a distinction on time of storage, and information that is kept 1169 only temporarily to perform a communications function is not subject 1170 to regulation (e.g., Active Queue Management, Deep Packet 1171 Inspection). Passive measurements could reveal all websites a 1172 subscriber visits and the applications and/or services they use. 1174 Active: measurements conducted on traffic which serves only the 1175 purpose of measurement. Even if a user host generates active 1176 measurement traffic, there is significantly limited sensitive 1177 information about the Subscriber present and stored in the 1178 measurement system compared to the passive case, as follows: 1180 o IP address in use (and possibly Sub-IP addresses and names) 1182 o Status as a study volunteer schedule of active tests 1184 On the other hand, the sensitive information for an Internet Service 1185 Provider is the same whether active or passive measurements are used 1186 (e.g., measurement results). 1188 Both Active and Passive measurements potentially expose the 1189 description of Internet Access service and specific service 1190 parameters, such as subscribed rate and type of access. 1192 8.4. Privacy analysis of the Communications Models 1194 This section examines each of the protocol exchanges described at a 1195 high level in Section 5 and some example measurement tasks, and 1196 identifies specific sensitive information which must be secured 1197 during communication for each case. With the protocol-related 1198 sensitive information identified, we have can better consider the 1199 threats described in the following section. 1201 From the privacy perspective, all entities participating in LMAP 1202 protocols can be considered "observers" according to the definition 1203 in [RFC6973]. Their stored information potentially poses a threat to 1204 privacy, especially if one or more of these functional entities has 1205 been compromised. Likewise, all devices on the paths used for 1206 control, reporting, and measurement are also observers. 1208 8.4.1. MA Bootstrapping and Registration 1210 Section 5.1 provides the communication model for the Bootstrapping 1211 process. 1213 Although the specification of mechanisms for Bootstrapping the MA are 1214 beyond the LMAP scope, designers should recognize that the 1215 Bootstrapping process is extremely powerful and could cause an MA to 1216 join a new or different LMAP system with Control/Collection entities, 1217 or simply install new methods of measurement (e.g., a passive DNS 1218 Query collector). A Bootstrap attack could result in a breach of the 1219 LMAP system with significant sensitive information exposure depending 1220 on the capabilities of the MA, so sufficient security protections are 1221 warranted. 1223 The Bootstrapping (or Registration) process provides sensitive 1224 information about the LMAP system and the organization that operates 1225 it, such as 1227 o Initial Controller IP address or FQDN 1229 o Assigned Controller IP address or FQDN 1231 o Security certificates and credentials 1233 During the Bootstrap process (or Registration process that follows), 1234 the MA receives its MA-ID which is a persistent pseudonym for the 1235 subscriber in the case that the MA is located at a service 1236 demarcation point. Thus, the MA-ID is considered sensitive 1237 information, because it could provide the link between subscriber 1238 identification and measurements or observations on traffic. 1240 Also, the Bootstrap or Registration process could assign a Group-ID 1241 to the MA. The specific definition of information represented in a 1242 Group-ID is to be determined, but several examples are envisaged 1243 including use as a pseudonym for a set of subscribers, a class of 1244 service, an access technology, or other important categories. 1245 Assignment of a Group-ID enables anonymization sets to be formed on 1246 the basis of service type/grade/rates. Thus, the mapping between 1247 Group-ID and MA-ID is considered sensitive information. 1249 8.4.2. Controller <-> Measurement Agent 1251 The high-level communication model for interactions between the LMAP 1252 Controller and Measurement Agent is illustrated in Section 5.2. The 1253 primary purpose of this exchange is to authenticate and task a 1254 Measurement Agent with Measurement Instructions, which the 1255 Measurement Agent then acts on autonomously. 1257 Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged 1258 with a capability request, then measurement-related information of 1259 interest such as the parameters, schedule, metrics, and IP addresses 1260 of measurement devices. Thus, the measurement Instruction contains 1261 sensitive information which must be secured. For example, the fact 1262 that an ISP is running additional measurements beyond the set 1263 reported externally is sensitive information, as are the additional 1264 measurements themselves. The schedule/timing of specific 1265 measurements is also sensitive, because an attacker intending to bias 1266 the results without being detected can use this information to great 1267 advantage. 1269 An organization operating the Controller having no service 1270 relationship with a user who hosts the measurement agent *could* gain 1271 real-name mapping to public IP address through user participation in 1272 an LMAP system (this applies to the Measurement Collection protocol, 1273 as well). 1275 8.4.3. Collector <-> Measurement Agent 1277 The high-level communication model for interactions between the LMAP 1278 Measurement Agent and Collector is illustrated in Section 5.4. The 1279 primary purpose of this exchange is to authenticate and collect 1280 results from a Measurement Agent, which it has measured autonomously 1281 and stored. 1283 Beyond the Controller-MA exchange, the new and highly-sensitive 1284 information exposed in the Collector-MA exchange is the measurement 1285 results. Organizations collecting LMAP measurements have the 1286 responsibility for Data Control. Thus, the results and other 1287 information communicated in the Collector protocol must be secured. 1289 8.4.4. Active Measurement Peer <-> Measurement Agent 1291 Although the specification of the mechanisms for measurement is 1292 beyond the LMAP scope, the high-level communications model below 1293 illustrates measurement information and results flowing between 1294 active measurement devices as a potential privacy issue. The primary 1295 purpose of this exchange is to execute measurements and store the 1296 results. 1298 We note the potential for additional observers in the figures below 1299 by indicating the possible presence of a NAT, which has additional 1300 significance to the protocols and direction of initiation. 1302 _________________ _________________ 1303 | | | | 1304 | Meas Peer |=========== NAT ? ==========| Meas Agent | 1305 |_________________| |_________________| 1307 <- Key Negotiation & 1308 Encryption Setup 1309 Encrypted Channel -> 1310 Established 1311 Announce Capabilities -> 1312 & Status 1313 <- Select Capabilities 1314 ACK -> 1315 <- Measurement Request 1316 (MA+MP IPAddrs,set of 1317 Metrics, Schedule) 1318 ACK -> 1320 Measurement Traffic <> Measurement Traffic 1321 (may/may not be encrypted) (may/may not be encrypted) 1323 <- Stop Tests 1325 Return Results -> 1326 (if applicable) 1327 <- ACK, Close 1329 This exchange primarily exposes the IP addresses of measurement 1330 devices and the inference of measurement participation from such 1331 traffic. There may be sensitive information on key points in a 1332 service provider's network included. There may also be access to 1333 measurement-related information of interest such as the metrics, 1334 schedule, and intermediate results carried in the measurement packets 1335 (usually a set of timestamps). 1337 If the measurement traffic is unencrypted, as found in many systems 1338 today, then both timing and limited results are open to on-path 1339 observers, and this should be avoided when the degradation of secure 1340 measurement is minimal. 1342 8.4.5. Passive Measurement Peer <-> Measurement Agent 1344 Although the specification of the mechanisms for measurement is 1345 beyond the LMAP scope, the high-level communications model below 1346 illustrates passive monitoring and measurement of information flowing 1347 between production network devices as a potential privacy issue. The 1348 primary purpose of this model is to illustrate collection of user 1349 information of interest with the Measurement Agent performing the 1350 monitoring and storage of the results. This particular exchange is 1351 for DNS Response Time, which most frequently uses UDP transport. 1353 _________________ ___________ _____ 1354 | | | | | | 1355 | Meas Peer DNS |=========== NAT ? ==========| Meas Agent|=|User | 1356 |_________________| |___________| |_____| 1358 <- Name Resolution Req 1359 (MA+MP IPAddrs, 1360 Desired Domain Name) 1361 Return Record -> 1363 This exchange primarily exposes the IP addresses of measurement 1364 devices and the intent to communicate with, or access the services of 1365 "Domain Name". There may be information on key points in a service 1366 provider's network, such as the address of one of its DNS servers. 1367 The Measurement Agent may be embedded in the User host, or it may be 1368 located in another device capable of observing user traffic. 1370 In principle, any of the Internet User sensitive information of 1371 interest (listed above) can be collected and stored in the passive 1372 monitoring scenario. Thus, the LMAP Collection of passive 1373 measurements provides the additional sensitive information exposure 1374 to a Collection-path observer, and this information must be secured. 1376 8.4.6. Result Storage and Reporting 1377 Although the mechanisms for communicating results (beyond the initial 1378 Collector) are beyond the LMAP scope, there are potential privacy 1379 issues related to a single organization's storage and reporting of 1380 measurement results. Both storage and reporting functions can help 1381 to preserve privacy by implementing the mitigations described below. 1383 8.5. Threats 1385 This section indicates how each of the threats described in [RFC6973] 1386 apply to the LMAP entities and their communication and storage of 1387 "information of interest". 1389 8.5.1. Surveillance 1391 Section 5.1.1 of [RFC6973] describes Surveillance as the "observation 1392 or monitoring of and individual's communications or activities." 1394 All of passive measurement is surveillance, with inherent risks. 1396 Active measurement methods which avoid periods of user transmission 1397 indirectly produce a record of times when a subscriber or authorized 1398 user has utilized their Internet access service. 1400 Active measurements may also utilize and store a subscriber's 1401 currently assigned IP address when conducting measurements that are 1402 relevant to a specific subscriber. Since the measurements are time- 1403 stamped, the measurement results could provide a record of IP address 1404 assignments over time. 1406 Either of the above pieces of information could be useful in 1407 correlation and identification, described below. 1409 8.5.2. Stored Data Compromise 1411 Section 5.1.2 of [RFC6973] describes Stored Data Compromise as 1412 resulting from inadequate measures to secure stored data from 1413 unauthorized or inappropriate access. For LMAP systems this includes 1414 deleting or modifying collected measurement records, as well as data 1415 theft. 1417 The primary LMAP entity subject to compromise is the results storage 1418 which serves the Collector function (also applicable to temporary 1419 storage on the Collector itself). Extensive security and privacy 1420 threat mitigations are warranted for the storage system. Although 1421 the scope of its measurement and storage is smaller than the 1422 collector's, an individual Measurement Agent stores sensitive 1423 information temporarily, and also needs protections. 1425 The LMAP Controller may have direct access to storage of Service 1426 Parameters, Subscriber information (location, billing, etc.), and 1427 other information which the controlling organization considers 1428 private, and needs protection in this case. 1430 The communications between the local storage of the Collector and 1431 other storage facilities (possibly permanent mass storage), is beyond 1432 the scope of the LMAP work at this time, though this communications 1433 channel will certainly need protection as well as the mass storage 1434 itself. 1436 8.5.3. Correlation and Identification 1438 Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as 1439 combining various pieces of information to obtain desired 1440 characteristics of an individual, and Identification as using this 1441 process to infer identity. 1443 The main risk is that the LMAP system could un-wittingly provide a 1444 key piece of the correlation chain, starting with an unknown 1445 Subscriber's IP address and another piece of information (e.g., 1446 Subscriber X utilized Internet access from 2000 to 2310 UTC, because 1447 the active measurements were deferred, or sent a name resolution for 1448 www.example.com at 2300 UTC). 1450 8.5.4. Secondary Use and Disclosure 1452 Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as 1453 unauthorized utilization of an individual's information for a purpose 1454 the individual did not intend, and Disclosure is when such 1455 information is revealed causing other's notions of the individual to 1456 change, or confidentiality to be violated. 1458 The collection and reporting of passive traffic measurements is a 1459 form of secondary use, and subscribers' permission and measured ISP's 1460 permission should be obtained before measurement. Although user 1461 traffic is only indirectly involved, active measurement results 1462 provide limited information about the subscriber/ISP and may 1463 constitute secondary use. Use of the measurements in unauthorized 1464 marketing campaigns would qualify as Secondary Use. 1466 8.6. Mitigations 1468 This section examines the mitigations listed in section 6 of 1469 [RFC6973] and their applicability to LMAP systems. Note that each 1470 section in [RFC6973] identifies the threat categories that each 1471 technique mitigates. 1473 8.6.1. Data Minimization 1475 Section 6.1 of [RFC6973] encourages collecting and storing the 1476 minimal information needed to perform a task. 1478 There are two levels of information needed for LMAP results to be 1479 useful for a specific task: Network Operator and User 1480 troubleshooting, and General results reporting. 1482 The minimal supporting information for general results is conducive 1483 to protection of sensitive information, as long as the results can be 1484 aggregated into large categories (e.g., the month of March, all 1485 subscribers West of the Mississippi River). In this case, all 1486 individual identifications (including IP address of the MA) can be 1487 excluded, and only the results applicable to the desired measurement 1488 path are provided.. However, this implies a filtering process to 1489 reduce the information fields allocated to this task, because greater 1490 detail was needed to conduct the measurements in the first place. 1492 For a Network Operator and User troubleshooting a performance issue 1493 or failure, potentially all the network information (e.g., IP 1494 addresses, equipment IDs, location), measurement schedule, service 1495 configuration, measurement results and other information may assist 1496 in the process. This includes the information needed to conduct the 1497 measurements, and represents a need where the maximum relevant 1498 information is desirable, therefore the greatest protections should 1499 be applied. 1501 We note that a user may give temporary permission for passive 1502 measurements to enable detailed troubleshooting, but withhold 1503 permission for passive measurements in general. Here the greatest 1504 breadth of sensitive information is potentially exposed, and the 1505 maximum privacy protection must be provided. 1507 For MAs with access to the sensitive information of users (e.g., 1508 within a home or a personal host/handset), it is desirable for the 1509 results collection to minimize the data reported, but also to balance 1510 this desire with the needs of troubleshooting when a service 1511 subscription exists between the user and organization operating the 1512 measurements. 1514 For passive measurements where the MA reports flow information to the 1515 Collector, the Collector may perform pre-storage minimization and 1516 other mitigations (below) to help preserve privacy. 1518 8.6.2. Anonymity 1519 Section 6.1.1 of [RFC6973] describes a way in which anonymity is 1520 achieved: "there must exist a set of individuals that appear to have 1521 the same attributes as the individual", defined as an "anonymity 1522 set". 1524 Experimental Methods for anonymization of user identifiable data 1525 applicable to passive measurement have been identified in [RFC6235]. 1526 However, the findings of several of the same authors is that "there 1527 is increasing evidence that anonymization applied to network trace or 1528 flow data on its own is insufficient for many data protection 1529 applications as in [Bur10]." 1531 Essentially, the details of passive flow measurements can only be 1532 accessed by closed organizations, and unknown injection attacks are 1533 always less expensive than the protections from them. However, some 1534 forms of summarized passive measurement may protect the user's 1535 sensitive information sufficiently well, and so each metric must be 1536 evaluated in the light of privacy. 1538 The methods in [RFC6235] could be applied more successfully in active 1539 measurement, where there are protections from injection attack. The 1540 successful attack would require breaking the integrity protection of 1541 the LMAP reporting protocol and injecting measurement results (known 1542 fingerprint, see section 3.2 of [RFC6973]) for inclusion with the 1543 shared and anonymized results, then fingerprinting those records to 1544 ascertain the anonymization process. 1546 Beside anonymization of measured results for a specific user or 1547 provider, the value of sensitive information can be further diluted 1548 by summarizing the results over many individuals or areas served by 1549 the provider. There is an opportunity enabled by forming anonymity 1550 sets [RFC6973] based on the reference path measurement points in [I-D 1551 .ietf-ippm-lmap-path]. For example, all measurements from the 1552 Subscriber device can be identified as "mp000", instead of using the 1553 IP address or other device information. The same anonymization 1554 applies to the Internet Service Provider, where their Internet 1555 gateway would be referred to as "mp190". 1557 8.6.3. Pseudonymity 1559 Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, 1560 are a possible mitigation to revealing one's true identity, since 1561 there is no requirement to use real names in almost all protocols. 1563 A pseudonym for a measurement device's IP address could be an LMAP- 1564 unique equipment ID. However, this would likely be a permanent 1565 handle for the device, and long-term use weakens a pseudonym's power 1566 to obscure identity. 1568 8.6.4. Other Mitigations 1570 Sections 6.2 and 6.3 of [RFC6973] describe User Participation and 1571 Security, respectively. 1573 Where LMAP measurements involve devices on the Subscriber's premises 1574 or Subscriber-owned equipment, it is essential to secure the 1575 Subscriber's permission with regard to the specific information that 1576 will be collected. The informed consent of the Subscriber (and, if 1577 different, the end user) is needed, including the specific purpose of 1578 the measurements. The approval process could involve showing the 1579 Subscriber their measured information and results before instituting 1580 periodic collection, or before all instances of collection, with the 1581 option to cancel collection temporarily or permanently. 1583 It should also be clear who is legally responsible for data 1584 protection (privacy); in some jurisdictions this role is called the 1585 'data controller'. It is good practice to time limit the storage of 1586 personal information. 1588 Although the details of verification would be impenetrable to most 1589 subscribers, the MA could be architected as an "app" with open 1590 source-code, pre-download and embedded terms of use and agreement on 1591 measurements, and protection from code modifications usually provided 1592 by the app-stores. Further, the app itself could provide data 1593 reduction and temporary storage mitigations as appropriate and 1594 certified through code review. 1596 LMAP protocols, devices, and the information they store clearly need 1597 to be secure from unauthorized access. This is the hand-off between 1598 privacy and security considerations, found elsewhere in this memo. 1599 The Data Controller has the (legal) responsibility to maintain data 1600 protections described in the Subscriber's agreement and agreements 1601 with other organizations. 1603 Another standard method for de-personalising data is to blur it by 1604 adding synthetic data, data-swapping, or perturbing the values in 1605 ways that can be reversed or corrected. 1607 9. IANA Considerations 1609 There are no IANA considerations in this memo. 1611 10. Acknowledgments 1613 This document is a merger of three individual drafts: draft-eardley- 1614 lmap-terminology-02, draft-akhter-lmap-framework-00, and draft- 1615 eardley-lmap-framework-02. 1617 Thanks to numerous people for much discussion, directly and on the 1618 LMAP list. This document tries to capture the current conclusions. 1619 Thanks to Juergen Schoenwaelder for his detailed review of the 1620 terminology. 1622 Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on 1623 the Leone research project, which receives funding from the European 1624 Union Seventh Framework Programme [FP7/2007-2013] under grant 1625 agreement number 317647. 1627 11. History 1629 First WG version, copy of draft-folks-lmap-framework-00. 1631 11.1. From -00 to -01 1633 o new sub-section of possible use of Group-IDs for privacy 1635 o tweak to definition of Control protocol 1637 o fix typo in figure in S5.4 1639 11.2. From -01 to -02 1641 o change to INFORMATIONAL track (previous version had typo'd 1642 Standards track) 1644 o new definitions for Capabilities Information and Failure 1645 Information 1647 o clarify that diagrams show LMAP-level information flows. 1648 Underlying protocol could do other interactions, eg to get through 1649 NAT or for Collector to pull a Report 1651 o add hint that after a re-boot should pause random time before re- 1652 register (to avoid mass calling event) 1654 o delete the open issue "what happens if a Controller fails" (normal 1655 methods can handle) 1657 o add some extra words about multiple Tasks in one Schedule 1658 o clarify that new Schedule replaces (rather than adds to) and old 1659 one. similarly for new configuration of Measurement Tasks or 1660 Report Channels. 1662 o clarify suppression is temporary stop; send a new Schedule to 1663 permanently stop Tasks 1665 o alter suppression so it is ACKed 1667 o add un-suppress message 1669 o expand the text on error reporting, to mention Reporting failures 1670 (as well as failures to action or execute Measurement Task & 1671 Schedule) 1673 o add some text about how to have Tasks running indefinitely 1675 o add that optionally a Report is not sent when there are no 1676 Measurement Results 1678 o add that a Measurement Task may create more than one Measurement 1679 Result 1681 o clarify /amend /expand that Reports include the "raw" Measurement 1682 Results - any pre-processing is left for lmap2.0 1684 o add some cautionary words about what if the Collector unexpectedly 1685 doesn't hear from a MA 1687 o add some extra words about the potential impact of Measurement 1688 Tasks 1690 o clarified varous aspects of the privacy section 1692 o updated references 1694 o minor tweaks 1696 12. Informative References 1698 [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, 1699 "The Role of Network Trace Anonymization Under Attack", 1700 January 2010. 1702 [Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM- 1703 evolved UMTS core network", 1704 http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011. 1706 [I-D.ietf-lmap-use-cases] 1707 Linsner, M., Eardley, P., and T. Burbridge, "Large-Scale 1708 Broadband Measurement Use Cases", draft-ietf-lmap-use- 1709 cases-00 (work in progress), October 2013. 1711 [I-D.bagnulo-ippm-new-registry-independent] 1712 Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and 1713 A. Morton, "A registry for commonly used metrics. 1714 Independent registries", draft-bagnulo-ippm-new-registry- 1715 independent-01 (work in progress), July 2013. 1717 [I-D.ietf-homenet-arch] 1718 Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, 1719 "IPv6 Home Networking Architecture Principles", draft- 1720 ietf-homenet-arch-11 (work in progress), October 2013. 1722 [RFC6419] Wasserman, M. and P. Seite, "Current Practices for 1723 Multiple-Interface Hosts", RFC 6419, November 2011. 1725 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 1726 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 1727 2013. 1729 [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming 1730 Shim Protocol for IPv6", RFC 5533, June 2009. 1732 [I-D.burbridge-lmap-information-model] 1733 Burbridge, T., Eardley, P., Bagnulo, M., and J. 1734 Schoenwaelder, "Information Model for Large-Scale 1735 Measurement Platforms (LMAP)", draft-burbridge-lmap- 1736 information-model-01 (work in progress), October 2013. 1738 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization 1739 Support", RFC 6235, May 2011. 1741 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 1742 Morris, J., Hansen, M., and R. Smith, "Privacy 1743 Considerations for Internet Protocols", RFC 6973, July 1744 2013. 1746 Authors' Addresses 1747 Philip Eardley 1748 British Telecom 1749 Adastral Park, Martlesham Heath 1750 Ipswich 1751 ENGLAND 1753 Email: philip.eardley@bt.com 1755 Al Morton 1756 AT&T Labs 1757 200 Laurel Avenue South 1758 Middletown, NJ 1759 USA 1761 Email: acmorton@att.com 1763 Marcelo Bagnulo 1764 Universidad Carlos III de Madrid 1765 Av. Universidad 30 1766 Leganes, Madrid 28911 1767 SPAIN 1769 Phone: 34 91 6249500 1770 Email: marcelo@it.uc3m.es 1771 URI: http://www.it.uc3m.es 1773 Trevor Burbridge 1774 British Telecom 1775 Adastral Park, Martlesham Heath 1776 Ipswich 1777 ENGLAND 1779 Email: trevor.burbridge@bt.com 1781 Paul Aitken 1782 Cisco Systems, Inc. 1783 96 Commercial Street 1784 Edinburgh, Scotland EH6 6LX 1785 UK 1787 Email: paitken@cisco.com 1788 Aamer Akhter 1789 Cisco Systems, Inc. 1790 7025 Kit Creek Road 1791 RTP, NC 27709 1792 USA 1794 Email: aakhter@cisco.com