idnits 2.17.1 draft-ietf-lmap-framework-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 13, 2014) is 3629 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 240 -- Looks like a reference, but probably isn't: '180' on line 240 == Unused Reference: 'Q1741' is defined on line 2346, but no explicit reference was found in the text == Outdated reference: A later version (-06) exists of draft-ietf-lmap-use-cases-03 == Outdated reference: A later version (-17) exists of draft-ietf-homenet-arch-13 == Outdated reference: A later version (-18) exists of draft-ietf-lmap-information-model-00 == Outdated reference: A later version (-07) exists of draft-ietf-ippm-lmap-path-02 Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Eardley 3 Internet-Draft BT 4 Intended status: Informational A. Morton 5 Expires: November 14, 2014 AT&T Labs 6 M. Bagnulo 7 UC3M 8 T. Burbridge 9 BT 10 P. Aitken 11 A. Akhter 12 Cisco Systems 13 May 13, 2014 15 A framework for large-scale measurement platforms (LMAP) 16 draft-ietf-lmap-framework-05 18 Abstract 20 Measuring broadband service on a large scale requires a description 21 of the logical architecture and standardisation of the key protocols 22 that coordinate interactions between the components. The document 23 presents an overall framework for large-scale measurements. It also 24 defines terminology for LMAP (large-scale measurement platforms). 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on November 14, 2014. 43 Copyright Notice 45 Copyright (c) 2014 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Outline of an LMAP-based measurement system . . . . . . . . . 5 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 11 64 4.1. Measurement system is under the direction of a single 65 organisation . . . . . . . . . . . . . . . . . . . . . . 12 66 4.2. Each MA may only have a single Controller at any point in 67 time . . . . . . . . . . . . . . . . . . . . . . . . . . 12 68 5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 12 69 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 13 70 5.2. Configuration Protocol . . . . . . . . . . . . . . . . . 14 71 5.3. Control Protocol . . . . . . . . . . . . . . . . . . . . 15 72 5.3.1. Instruction . . . . . . . . . . . . . . . . . . . . . 15 73 5.3.2. Capabilities and Failure information . . . . . . . . 18 74 5.4. Operation of Measurement Tasks . . . . . . . . . . . . . 20 75 5.4.1. Starting and Stopping Measurement Tasks . . . . . . . 20 76 5.4.2. Overlapping Measurement Tasks . . . . . . . . . . . . 21 77 5.5. Report Protocol . . . . . . . . . . . . . . . . . . . . . 21 78 5.5.1. Reporting of Subscriber's service parameters . . . . 22 79 5.6. Operation of LMAP over the underlying packet transfer 80 mechanism . . . . . . . . . . . . . . . . . . . . . . . . 23 81 5.7. Items beyond the scope of the initial LMAP work . . . . . 24 82 5.7.1. End-user-controlled measurement system . . . . . . . 25 83 6. Deployment considerations . . . . . . . . . . . . . . . . . . 25 84 6.1. Controller and the measurement system . . . . . . . . . . 26 85 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 27 86 6.2.1. Measurement Agent on a networked device . . . . . . . 27 87 6.2.2. Measurement Agent embedded in site gateway . . . . . 27 88 6.2.3. Measurement Agent embedded behind site NAT /Firewall 27 89 6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 28 90 6.2.5. Measurement Agent embedded in ISP Network . . . . . . 28 91 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 29 92 7. Security considerations . . . . . . . . . . . . . . . . . . . 29 93 8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 31 94 8.1. Categories of Entities with Information of Interest . . . 31 95 8.2. Examples of Sensitive Information . . . . . . . . . . . . 32 96 8.3. Key Distinction Between Active and Passive Measurement 97 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 33 98 8.4. Privacy analysis of the Communications Models . . . . . . 34 99 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 34 100 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 35 101 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 36 102 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 36 103 8.4.5. Passive Measurement Agent . . . . . . . . . . . . . . 37 104 8.4.6. Storage and Reporting of Measurement Results . . . . 38 105 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 38 106 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 39 107 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 39 108 8.5.3. Correlation and Identification . . . . . . . . . . . 40 109 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 40 110 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 40 111 8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 41 112 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 42 113 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 42 114 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 43 115 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 116 10. Appendix: Deployment examples . . . . . . . . . . . . . . . . 44 117 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 47 118 12. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 119 12.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 48 120 12.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 48 121 12.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 49 122 12.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 50 123 12.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 50 124 13. Informative References . . . . . . . . . . . . . . . . . . . 51 125 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 127 1. Introduction 129 There is a desire to be able to coordinate the execution of broadband 130 measurements and the collection of measurement results across a large 131 scale set of diverse devices. These devices could be software based 132 agents on PCs, embedded agents in consumer devices (e.g. blu-ray 133 players), service provider controlled devices such as set-top players 134 and home gateways, or simply dedicated probes. It is expected that 135 such a system could easily comprise 100,000 devices. Measurement 136 devices may also be embedded on a device that is part of an ISP's 137 network, such as a DSLAM, router, Carrier Grade NAT or ISP Gateway. 138 Such a scale presents unique problems in coordination, execution and 139 measurement result collection. Several use cases have been proposed 140 for large-scale measurements including: 142 o Operators: to help plan their network and identify faults 143 o Regulators: to benchmark several network operators and support 144 public policy development 146 Further details of the use cases can be found in 147 [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for 148 these, as well as other use cases, such as to help end users run 149 diagnostic checks like a network speed test. 151 The LMAP Framework has three basic elements: Measurement Agents, 152 Controllers and Collectors. 154 Measurement Agents (MAs) initiate the actual measurements, which are 155 called Measurement Tasks in the LMAP terminology. In principle, 156 there are no restrictions on the type of device in which the MA 157 function resides. 159 The Controller instructs one or more MAs and communicates the set of 160 Measurement Tasks an MA should perform and when. For example it may 161 instruct a MA at a home gateway: "Measure the 'UDP latency' with 162 www.example.org; repeat every hour at xx.05". The Controller also 163 manages a MA by instructing it how to report the Measurement Results, 164 for example: "Report results once a day in a batch at 4am". We refer 165 to these as the Measurement Schedule and Report Schedule. 167 The Collector accepts Reports from the MAs with the Results from 168 their Measurement Tasks. Therefore the MA is a device that gets 169 Instructions from the Controller, initiates the Measurement Tasks, 170 and reports to the Collector. The communications between these three 171 LMAP functions are structured according to a Control Protocol and a 172 Report Protocol. 174 The desirable features for a large-scale measurement systems we are 175 designing for are: 177 o Standardised - in terms of the Measurement Tasks that they 178 perform, the components, the data models and protocols for 179 transferring information between the components. Amongst other 180 things, standardisation enables meaningful comparisons of 181 measurements made of the same metric at different times and 182 places, and provides the operator of a measurement system with a 183 criteria for evaluation of the different solutions that can be 184 used for various purposes including buying decisions (such as 185 buying the various components from different vendors). Today's 186 systems are proprietary in some or all of these aspects. 188 o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement 189 Agents in every home gateway and edge device such as set-top-boxes 190 and tablet computers, and located throughout the Internet as well 192 [I-D.ietf-ippm-lmap-path]. It is expected that a measurement 193 system could easily encompass a few hundred thousand or even 194 millions of Measurement Agents. Existing systems have up to a few 195 thousand MAs (without judging how much further they could scale). 197 o Diversity - a measurement system should handle different types of 198 Measurement Agents - for example Measurement Agents may come from 199 different vendors, be in wired and wireless networks, have 200 different Measurement Task capabilities and be on devices with 201 IPv4 or IPv6 addresses. 203 2. Outline of an LMAP-based measurement system 205 Figure 1 shows the main components of a measurement system, and the 206 interactions of those components. Some of the components are outside 207 the scope of initial LMAP work. In this section we provide an 208 overview of the whole measurement system and we introduce the main 209 terms needed for the LMAP framework. The new terms are capitalised. 210 In the next section we provide a terminology section with a 211 compilation of all the LMAP terms and their definition. Section 4 212 onwards considers the LMAP components in more detail. 214 Other LMAP specifications will define an information model, the 215 associated data models, and select/extend one or more protocols for 216 the secure communication: firstly, a Control Protocol, from a 217 Controller to instruct Measurement Agents what performance metrics to 218 measure, when to measure them, how/when to report the measurement 219 results to a Collector; secondly, a Report Protocol, for a 220 Measurement Agent to report the results to the Collector. 222 The MA performs Measurement Tasks. The MAs are pieces of code that 223 can be executed in specialised hardware (hardware probe) or on a 224 general-purpose device (like a PC or mobile phone). A device with a 225 Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL, 226 fibre; and non-physical interfaces such as PPPoE or IPsec) and the 227 Measurement Tasks may specify any one of these. Measurement Tasks 228 may be Active (the MA generates Measurement Traffic and measures some 229 metric associated with its transfer), Passive (the MA observes 230 traffic), or some hybrid form of the two. 232 The Controller manages a MA through use of the Control Protocol, 233 which transfer the Instruction to the MA. This describes the 234 Measurement Tasks the MA should perform and when. For example the 235 Controller may instruct a MA at a home gateway: "Count the number of 236 TCP SYN packets observed in a 1 minute interval; repeat every hour at 237 xx.05 + Unif[0,180] seconds". The Measurement Schedule determines 238 when the Measurement Tasks are executed. The Controller also manages 239 a MA by instructing it how to report the Measurement Results, for 240 example: "Report results once a day in a batch at 4am + Unif[0,180] 241 seconds; if the end user is active then delay the report 5 minutes". 242 The Report Schedule determines when the Reports are uploaded to the 243 Collector. The Measurement Schedule and Report Schedule can define 244 one-off (non-recurring) actions ("Do measurement now", "Report as 245 soon as possible"), as well as recurring ones. 247 The Collector accepts a Report from a MA with the Measurement Results 248 from its Measurement Tasks. It then provides the Results to a 249 repository (see below). 251 Some Measurement Tasks involve several MAs acting in a coordinated 252 fashion. This coordination is achieved by the Controller instructing 253 the multiple MAs in a coherent manner. In some Measurement Tasks the 254 MA(s) is assisted by one or more network entities that are not 255 managed by the Controller. The entities that help the MA in the 256 Measurement Tasks but are not managed by the Controller are called 257 Measurement Peers (MPs). For example consider the case of a "ping" 258 Measurement Task, to measure the round trip delay between the MA and 259 a given ICMP ECHO responder in the Internet. In this case, the 260 responder is the Measurement Peer. The ICMP ECHO request and ICMP 261 ECHO Requests and Replies flowing between the MA and the MP is called 262 Active Measurement Traffic. The Appendix has some other examples of 263 possible arrangements of Measurement Agents and Peers. 265 A Measurement Method defines how to measure a Metric of interest. It 266 is very useful to standardise Measurement Methods, so that it is 267 meaningful to compare measurements of the same Metric made at 268 different times and places. It is also useful to define a registry 269 for commonly-used Metrics [I-D.manyfolks-ippm-metric-registry] so 270 that a Measurement Method can be referred to simply by its identifier 271 in the registry. The Measurement Methods and registry will hopefully 272 be referenced by other standards organisations. 274 A Measurement Task is a specific instantiation of a Measurement 275 Method. It generates a Measurement Result. An Active Measurement 276 Task involves either a Measurement Agent (MA) injecting Active 277 Measurement Traffic into the network destined for a Measurement Peer 278 or for another Measurement Agent, and/or another Measurement Agent 279 (or a Measurement Peer, in response to a packet from a MA) sending 280 Active Measurement Traffic to a MA; one of them measures some 281 parameter associated with the transfer of the packet(s). A Passive 282 Measurement Task involves a MA simply observing traffic - for 283 example, it could count bytes or it might calculate the average loss 284 for a particular flow. 286 In order for a Measurement Agent and a Measurement Peer (or another 287 Measurement Agent) to execute an Active Measurement Task, they 288 exchange Active Measurement Traffic. The protocols used for the 289 Active Measurement Traffic are out of the scope of initial LMAP work; 290 they fall within the scope of other IETF WGs such as IPPM. 292 For Measurement Results to be truly comparable, as might be required 293 by a regulator, not only do the same Measurement Methods need to be 294 used but also the set of Measurement Tasks should follow a similar 295 Measurement Schedule and be of similar number. The details of such a 296 characterisation plan are beyond the scope of work in IETF although 297 certainly facilitated by IETF's work. 299 Messages are transferred over a secure Channel. A Control Channel is 300 between the Controller and a MA; the Control Protocol delivers 301 Instruction Messages to the MA and Capabilities, Failure and logging 302 Information in the reverse direction. A Report Channel is between a 303 MA and Collector, and the Report Protocol delivers Reports to the 304 Collector. 306 Finally we introduce several components that are outside the scope of 307 initial LMAP work and will be provided through existing protocols or 308 applications. They affect how the measurement system uses the 309 Measurement Results and how it decides what set of Measurement Tasks 310 to perform. 312 The MA needs to be bootstrapped with initial details about its 313 Controller, including authentication credentials. The LMAP work 314 considers the bootstrap process, since it affects the Information 315 Model. However, LMAP does not define a bootstrap protocol, since it 316 is likely to be technology specific and could be defined by the 317 Broadband Forum, CableLabs or IEEE depending on the device. Possible 318 protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management 319 Protocol (CWMP) from the Auto Configuration Server (ACS) (as 320 specified in TR-069 [TR-069]). 322 A Subscriber parameter database contains information about the line, 323 such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), 324 the line technology (DSL or fibre), the time zone where the MA is 325 located, and the type of home gateway and MA. These parameters are 326 already gathered and stored by existing operations systems. They may 327 affect the choice of what Measurement Tasks to run and how to 328 interpret the Measurement Results. For example, a download test 329 suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s 330 line. 332 A results repository records all Measurement Results in an equivalent 333 form, for example an SQL database, so that they can easily be 334 accessed by the data analysis tools. 336 The data analysis tools receive the results from the Collector or via 337 the Results repository. They might visualise the data or identify 338 which component or link is likely to be the cause of a fault or 339 degradation. This information could help the Controller decide what 340 follow-up Measurement Task to perform in order to diagnose a fault. 341 The data analysis tools also need to understand the Subscriber's 342 service information, for example the broadband contract. 344 ^ 345 | 346 Active +-------------+ IPPM 347 +---------------+ Measurement | Measurement | Scope 348 | Measurement |<------------>| Peer | | 349 | Agent | Traffic +-------------+ v 350 +------->| | ^ 351 | +---------------+ | 352 | ^ | | 353 | Instruction | | Report | 354 | | +-----------------+ | 355 | | | | 356 | | v LMAP 357 | +------------+ +------------+ Scope 358 | | Controller | | Collector | | 359 | +------------+ +------------+ v 360 | ^ ^ | ^ 361 | | | | | 362 | | +----------+ | | 363 | | | v | 364 +------------+ +----------+ +--------+ +----------+ | 365 |Bootstrapper| |Subscriber|--->| data |<---|repository| Out 366 +------------+ |parameter | |analysis| +----------+ of 367 |database | | tools | Scope 368 +----------+ +--------+ | 369 | 370 v 372 Figure 1: Schematic of main elements of an LMAP-based 373 measurement system 374 (showing the elements in and out of the scope of initial LMAP work) 376 3. Terminology 378 This section defines terminology for LMAP. Please note that defined 379 terms are capitalized. 381 Active Measurement Method: A generalisation of an Active Measurement 382 Task. 384 Active Measurement Task: A Measurement Task in which a Measurement 385 Agent creates or receives Active Measurement Traffic, by coordinating 386 with one or more other Measurement Agents or Measurement Peers using 387 protocols outside the initial LMAP work scope. 389 Active Measurement Traffic: the packet(s) generated in order to 390 execute an Active Measurement Task. 392 Bootstrap: A process that integrates a Measurement Agent into a 393 measurement system. 395 Capabilities: Information about the performance measurement 396 capabilities of the MA, in particular the Measurement Methods that it 397 can perform, and the device hosting the MA, for example its interface 398 type and speed, but not dynamic information. 400 Channel: A bi-directional logical connection that is defined by a 401 specific Controller and MA, or Collector and MA, plus associated 402 security. 404 Collector: A function that receives a Report from a Measurement 405 Agent. 407 Configuration Protocol: The protocol delivering information, from a 408 Controller to a Measurement Agent, that updates the information 409 obtained during Bootstrapping. 411 Controller: A function that provides a Measurement Agent with its 412 Instruction. 414 Control Channel: a Channel between a Controller and a MA over which 415 Instruction Messages and Capabilities and Failure information are 416 sent. 418 Control Protocol: The protocol delivering Instruction(s) from a 419 Controller to a Measurement Agent. It also delivers Failure 420 Information and Capabilities Information from the Measurement Agent 421 to the Controller. 423 Cycle-ID: A tag that is sent by the Controller in an Instruction and 424 echoed by the MA in its Report. The same Cycle-ID is used by several 425 MAs that use the same Measurement Method with the same Input 426 Parameters. Hence the Cycle-ID allows the Collector to easily 427 identify Measurement Results that should be comparable. 429 Data Model: The implementation of an Information Model in a 430 particular data modelling language [RFC3444]. 432 Environmental Constraint: A parameter that is measured as part of the 433 Measurement Task, its value determining whether the rest of the 434 Measurement Task proceeds. 436 Failure Information: Information about the MA's failure to action or 437 execute an Instruction, whether concerning Measurement Tasks or 438 Reporting. 440 Group-ID: An identifier of a group of MAs. 442 Information Model: The protocol-neutral definition of the semantics 443 of the Instructions, the Report, the status of the different elements 444 of the measurement system as well of the events in the system 445 [RFC3444]. 447 Input Parameter: A parameter whose value is left open by the 448 Measurement Method and is set to a specific value in a Measurement 449 Task. Altering the value of an Input Parameter does not change the 450 fundamental nature of the Measurement Method. 452 Instruction: The description of Measurement Tasks for a MA to perform 453 and the details of the Report for it to send. It is the collective 454 description of the Measurement Task configurations, the configuration 455 of the Measurement Schedules, the configuration of the Report 456 Channel(s), the configuration of Report Schedule(s), and the details 457 of any suppression. 459 Instruction Message: The message that carries an Instruction from a 460 Controller to a Measurement Agent. 462 Measurement Agent (MA): The function that receives Instruction 463 Messages from a Controller and operates the Instruction by executing 464 Measurement Tasks (using protocols outside the initial LMAP work 465 scope and perhaps in concert with one or more other Measurement 466 Agents or Measurement Peers) and (if part of the Instruction) by 467 reporting Measurement Results to a Collector or Collectors. 469 Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that 470 identifies a particular MA and is configured as part of the 471 Bootstrapping process. 473 Measurement Method: The process for assessing the value of a Metric; 474 the process of measuring some performance or reliability parameter 475 associated with the transfer of traffic; the generalisation of a 476 Measurement Task. 478 Measurement Peer (MP): The function that assists a Measurement Agent 479 with Measurement Tasks and does not have an interface to the 480 Controller or Collector. 482 Measurement Result: The output of a single Measurement Task (the 483 value obtained for the parameter of interest or Metric). 485 Measurement Schedule: The schedule for performing Measurement Tasks. 487 Measurement Task: The act that consists of the single operation of 488 the Measurement Method at a particular time and with all its Input 489 Parameters set to specific values. 491 Metric: The quantity related to the performance and reliability of 492 the network that we'd like to know the value of, and that is 493 carefully specified. 495 Passive Measurement Method (Task): A Measurement Method (Task) in 496 which a Measurement Agent observes existing traffic but does not 497 inject Active Measurement Traffic. 499 Report: The set of Measurement Results and other associated 500 information (as defined by the Instruction). The Report is sent by a 501 Measurement Agent to a Collector. 503 Report Channel: a communications channel between a MA and a 504 Collector, which is defined by a specific MA, Collector, Report 505 Schedule and associated security, and over which Reports are sent. 507 Report Protocol: The protocol delivering Report(s) from a Measurement 508 Agent to a Collector. 510 Report Schedule: the schedule for sending Reports to a Collector. 512 Subscriber: An entity (associated with one or more users) that is 513 engaged in a subscription with a service provider. 515 Suppression: the temporary cessation of Active Measurement Tasks. 517 4. Constraints 519 The LMAP framework makes some important assumptions, which constrain 520 the scope of the initial LMAP work. 522 4.1. Measurement system is under the direction of a single organisation 524 In the LMAP framework, the measurement system is under the direction 525 of a single organisation that is responsible for any impact that its 526 measurements have on a user's quality of experience and privacy. 527 Clear responsibility is critical given that a misbehaving large-scale 528 measurement system could potentially harm user experience, user 529 privacy and network security. 531 However, the components of an LMAP measurement system can be deployed 532 in administrative domains that are not owned by the measuring 533 organisation. Thus, the system of functions deployed by a single 534 organisation constitutes a single LMAP domain which may span 535 ownership or other administrative boundaries. 537 4.2. Each MA may only have a single Controller at any point in time 539 A MA is instructed by one Controller and is in one measurement 540 system. The constraint avoids different Controllers giving a MA 541 conflicting instructions and so means that the MA does not have to 542 manage contention between multiple Measurement (or Report) Schedules. 543 This simplifies the design of MAs (critical for a large-scale 544 infrastructure) and allows a Measurement Schedule to be tested on 545 specific types of MA before deployment to ensure that the end user 546 experience is not impacted (due to CPU, memory or broadband-product 547 constraints). 549 An operator may have several Controllers, perhaps with a Controller 550 for different types of MA (home gateways, tablets) or location 551 (Ipswich, Edinburgh). 553 5. LMAP Protocol Model 555 A protocol model [RFC4101] presents an architectural model for how 556 the protocol operates and needs to answer three basic questions: 558 1. What problem is the protocol trying to achieve? 560 2. What messages are being transmitted and what do they mean? 562 3. What are the important, but unobvious, features of the protocol? 564 An LMAP system goes through the following phases: 566 o a bootstrapping process before the MA can take part in the other 567 three phases 569 o a Control Protocol, which delivers Instruction Messages from a 570 Controller to a MA, detailing what Measurement Tasks the MA should 571 perform and when, and how it should report the Measurement 572 Results. It also delivers Capabilities, Failure and logging 573 Information from a MA to its Controller. 575 o the actual Measurement Tasks, which measure some performance or 576 reliability parameter(s) associated with the transfer of packets. 577 The LMAP work does not define Measurement Methods, these are 578 define elsewhere (e.g. IPPM). 580 o a Report Protocol, which delivers Reports from a MA to a 581 Collector. The Report contains the Measurement Results. 583 The diagrams show the various LMAP messages and uses the following 584 convention: 586 o (optional): indicated by round brackets 588 o [potentially repeated]: indicated by square brackets 590 The protocol model is closely related to the Information Model 591 [I-D.ietf-lmap-information-model], which is the abstract definition 592 of the information carried by the protocol model. The purpose of 593 both is to provide a protocol and device independent view, which can 594 be implemented via specific protocols. LMAP defines a specific 595 Control Protocol and Report Protocol, but others could be defined by 596 other standards bodies or be proprietary. However it is important 597 that they all implement the same Information Model and protocol 598 model, in order to ease the definition, operation and 599 interoperability of large-scale measurement systems. 601 5.1. Bootstrapping process 603 The primary purpose of bootstrapping is to enable a MA to be 604 integrated into a measurement system. The MA retrieves information 605 about itself (like its identity in the measurement system) and about 606 the Controller, the Controller learns information about the MA, and 607 they learn about security information to communicate (such as 608 certificates and credentials). 610 Whilst this memo considers the bootstrapping process, it is beyond 611 the scope of initial LMAP work to define a bootstrap mechanism, as it 612 depends on the type of device and access. 614 As a result of the bootstrapping process the MA learns information 615 with the following aims ([I-D.ietf-lmap-information-model] defines 616 the consequent list of information elements): 618 o its identifier, either its MA-ID or a device identifier such as 619 its MAC 621 o (optionally) a Group-ID. A Group-ID would be shared by several 622 MAs and could be useful for privacy reasons. For instance, 623 reporting the Group-ID and not the MA-ID could hinder tracking of 624 a mobile device 626 o the Control Channel, which is defined by: 628 * the address which identifies the Control Channel, such as the 629 Controller's FQDN (Fully Qualified Domain Name) [RFC1035]) 631 * security information (for example to enable the MA to decrypt 632 the Instruction Message and encrypt messages sent to the 633 Controller) 635 The details of the bootstrapping process are device /access specific. 636 For example, the information could be in the firmware, manually 637 configured or transferred via a protocol like TR-069 [TR-069]. There 638 may be a multi-stage process where the MA contacts the device at a 639 'hard-coded' address, which replies with the bootstrapping 640 information. 642 The MA must learn its MA-ID before getting an Instruction, either 643 during Bootstrapping or via the Configuration Protocol. 645 5.2. Configuration Protocol 647 The Configuration Protocol allows the Controller to update the MA 648 about some or all of the information that it obtained during the 649 bootstrapping process: the MA-ID, the (optional) Group-ID and the 650 Control Channel. The measurement system might use Configuration for 651 several reasons. For example, the bootstrapping process could 'hard 652 code' the MA with details of an initial Controller, and then the 653 initial Controller could configure the MA with details about the 654 Controller that sends Instruction Messages. (Note that a MA only has 655 one Control Channel, and so is associated with only one Controller, 656 at any moment.) 658 Note that an implementation may choose to combine Configuration 659 information and an Instruction Message into a single message. 661 +-----------------+ +-------------+ 662 | | | Measurement | 663 | Controller |======================================| Agent | 664 +-----------------+ +-------------+ 666 Configuration information: -> 667 (MA-ID), 668 (Group-ID), 669 (Control Channel) 670 <- Response(details) 672 5.3. Control Protocol 674 The primary purpose of the Control Protocol is to allow the 675 Controller to configure a Measurement Agent with an Instruction about 676 what Measurement Tasks to do, when to do them, and how to report the 677 Measurement Results (Section 5.2.1). The Measurement Agent then acts 678 on the Instruction autonomously. The Control Protocol also enables 679 the MA to inform the Controller about its Capabilities and any 680 Failure and logging Information (Section 5.3.2). 682 5.3.1. Instruction 684 The Instruction is the description of the Measurement Tasks for a 685 Measurement Agent to do and the details of the Measurement Reports 686 for it to send. In order to update the Instruction the Controller 687 uses the Control Protocol to send an Instruction Message over the 688 Control Channel. 690 +-----------------+ +-------------+ 691 | | | Measurement | 692 | Controller |======================================| Agent | 693 +-----------------+ +-------------+ 695 Instruction: -> 696 [(Measurement Task configuration( 697 [Input Parameter], 698 (interface), 699 (Cycle-ID))), 700 (Report Channel), 701 (Measurement Schedule), 702 (Report Schedule), 703 (Suppression information)] 704 <- Response(details) 706 The Instruction defines information with the following aims 707 ([I-D.ietf-lmap-information-model] defines the consequent list of 708 information elements): 710 o the Measurement Task configurations, each of which needs: 712 * the Metric, specified as a URI to a registry entry; it includes 713 the specification of a Measurement Method. The registry could 714 be defined by the IETF [I-D.manyfolks-ippm-metric-registry], 715 locally by the operator of the measurement system or perhaps by 716 another standards organisation. 718 * any Input Parameters that need to be set for the Measurement 719 Method, such as the address of the Measurement Peer (or other 720 Measurement Agent) that are involved in an Active Measurement 721 Task 723 * if the device with the MA has multiple interfaces, then the 724 interface to use (if not defined, then the default interface is 725 used) 727 o configuration of the Measurement Schedules, each of which needs: 729 * the timing of when the Measurement Tasks are to be performed. 730 Possible types of timing are periodic, calendar-based periodic, 731 one-off immediate and one-off at a future time 733 o configuration of the Report Channels, each of which needs: 735 * the address of the Collector, for instance its URL 737 * security for this Report Channel, for example the X.509 738 certificate 740 o configuration of the Report Schedules, each of which needs: 742 * the timing of when reporting is to be performed. For instance, 743 every hour or immediately. 745 o Suppression information, if any (see Section 5.2.1.1) 747 A single Instruction Message may contain some or all of the above 748 parts. The finest level of granularity possible in an Instruction 749 Message is determined by the implementation and operation of the 750 Control Protocol. For example, a single Instruction Message may add 751 or update an individual Measurement Schedule - or it may only update 752 the complete set of Measurement Schedules; a single Instruction 753 Message may update both Measurement Schedules and Measurement Task 754 configurations - or only one at a time; and so on. 756 The MA informs the Controller that it has successfully understood the 757 Instruction Message, or that it cannot action the Instruction - for 758 example, if it doesn't include a parameter that is mandatory for the 759 requested Measurement Method, or it is missing details of the target 760 Collector. 762 The Instruction Message instructs the MA; the Control Protocol does 763 not allow the MA to negotiate, as this would add complexity to the 764 MA, Controller and Control Protocol for little benefit. 766 5.3.1.1. Suppression 768 The Instruction may include Suppression information. Suppression is 769 used if the measurement system wants to eliminate inessential 770 traffic, because there is some unexpected network issue for example. 771 By default, Suppression means that the MA does not begin any new 772 Active Measurement Task. The impact on other Measurement Tasks is 773 not defined by LMAP; since they do not involve the MA creating any 774 Active Measurement Traffic there is no need to suppress them, however 775 it may be simpler for an implementation to do so. Also, by default 776 Suppression starts immediately and continues until an un-suppress 777 message is received. Optionally the Suppression information may 778 include: 780 o a set of Measurement Tasks to suppress; the others are not 781 suppressed. For example, this could be useful if a particular 782 Measurement Task is overloading a Measurement Peer. 784 o a set of Measurement Schedules to suppress; the others are not 785 suppressed. For example, suppose the measurement system has 786 defined two Schedules, one with the most critical Measurement 787 Tasks and the other with less critical ones that create a lot of 788 Active Measurement Traffic, then it may only want to suppress the 789 second. 791 o a start time, at which suppression begins 793 o an end time, at which suppression ends 795 o a demand that the MA ends its on-going Active Measurement Task(s) 796 (and deletes the associated partial Measurement Result(s)). 798 Note that Suppression is not intended to permanently stop a 799 Measurement Task (instead, the Controller should send a new 800 Measurement Schedule), nor to permanently disable a MA (instead, some 801 kind of management action is suggested). 803 +-----------------+ +-------------+ 804 | | | Measurement | 805 | Controller |===================================| Agent | 806 +-----------------+ +-------------+ 808 Suppress: 809 [(Measurement Task), -> 810 (Measurement Schedule), 811 start time, 812 end time, 813 on-going suppressed?] 815 Un-suppress -> 817 5.3.2. Capabilities and Failure information 819 The Control Protocol also enables the MA to inform the Controller 820 about various information, such as its Capabilities and any Failures. 821 It is also possible to use a device-specific mechanism which is 822 beyond the scope of the initial LMAP work. 824 Capabilities are information about the MA that the Controller needs 825 to know in order to correctly instruct the MA, such as: 827 o the Measurement Methods that the MA supports 829 o the interfaces that the MA has 831 o the version of the MA 833 o the version of the hardware, firmware or software of the device 834 with the MA 836 o but not dynamic information like the currently unused CPU, memory 837 or battery life of the device with the MA. 839 Failure information concerns why the MA has been unable to execute a 840 Measurement Task or deliver a Report, for example: 842 o the Measurement Task failed to run properly because the MA 843 (unexpectedly) has no spare CPU cycles 845 o the MA failed record the Measurement Results because it 846 (unexpectedly) is out of spare memory 848 o a Report failed to deliver Measurement Results because the 849 Collector (unexpectedly) is not responding 851 o but not if a Measurement Task correctly doesn't start. For 852 example, the first step of some Measurement Methods is for the MA 853 to check there is no cross-traffic. 855 Logging information concerns how the MA is operating and may help 856 debugging, for example: 858 o the last time the MA ran a Measurement Task 860 o the last time the MA sent a Measurement Report 862 o the last time the MA received an Instruction Message 864 o whether the MA is currently Suppressing Measurement Tasks 866 Capabilities, failure and logging information are sent by the MA, 867 either in response to a request from the Controller (for example, if 868 the Controller forgets what the MA can do or otherwise wants to 869 resynchronize what it knows about the MA), or on its own initiative 870 (for example when the MA first communicates with a Controller or if 871 it becomes capable of a new Measurement Method). Another example of 872 the latter case is if the device with the MA re-boots, then the MA 873 should notify its Controller in case its Instruction needs to be 874 updated; to avoid a "mass calling event" after a widespread power 875 restoration affecting many MAs, it is sensible for an MA to pause for 876 a random delay, perhaps in the range of one minute or so. 878 +-----------------+ +-------------+ 879 | | | Measurement | 880 | Controller |===================================| Agent | 881 +-----------------+ +-------------+ 883 (Instruction: 884 [(Request Capabilities), 885 (Request Failure Information), 886 (Request Logging Information)]) -> 887 <- (Capabilities), 888 (Failure Information), 889 (Logging Information) 891 5.4. Operation of Measurement Tasks 893 This LMAP framework is neutral to what the actual Measurement Task 894 is. It does not define Measurement Methods, these are defined 895 elsewhere (e.g. IPPM). 897 The MA carries out the Measurement Tasks as instructed, unless it 898 gets an updated Instruction. The MA acts autonomously, in terms of 899 operation of the Measurement Tasks and reporting of the Results; it 900 doesn't do a 'safety check' with the Controller to ask whether it 901 should still continue with the requested Measurement Tasks. 903 5.4.1. Starting and Stopping Measurement Tasks 905 This LMAP framework does not define a generic start and stop process, 906 since the correct approach depends on the particular Measurement 907 Task; the details are defined as part of each Measurement Method. 908 This section provides some general hints. The MA does not inform the 909 Controller about Measurement Tasks starting and stopping. 911 Before sending Active Measurement Traffic the MA may run a pre-check. 912 (The pre-check could be defined as a separate, preceding Task or as 913 the first part of a larger Task.) Action could include: 915 o the MA checking that there is no cross-traffic. In other words, a 916 check that the end-user isn't already sending traffic; 918 o the MA checking with the Measurement Peer (or other Measurement 919 Agent involved in the Measurement Task) that it can handle a new 920 Measurement Task (in case, for example, the Measurement Peer is 921 already handling many Measurement Tasks with other MAs); 923 o sending traffic that probes the path to check it isn't overloaded; 925 o checking that the device with the MA has enough resources to 926 execute the Measurement Task reliably. Note that the designer of 927 the measurement system should ensure that the device's 928 capabilities are normally sufficient to comfortably operate the 929 Measurement Tasks. 931 It is possible that similar checks continue during the Measurement 932 Task, especially one that is long-running and/or creates a lot of 933 Active Measurement Traffic, and might lead to it being abandoned 934 whilst in-progress. A Measurement Task could also be abandoned in 935 response to a "suppress" message (see Section 5.2.1). Action could 936 include: 938 o For 'upload' tests, the MA not sending traffic 939 o For 'download' tests, the MA closing the TCP connection or sending 940 a TWAMP Stop control message [RFC5357]. 942 The Controller may want a MA to run the same Measurement Task 943 indefinitely (for example, "run the 'upload speed' Measurement Task 944 once an hour until further notice"). To avoid the MA generating 945 traffic forever after a Controller has permanently failed (or 946 communications with the Controller have failed), the MA can be 947 configured with a time limit; if the MA doesn't hear from the 948 Controller for this length of time, then it stops operating 949 Measurement Tasks. 951 5.4.2. Overlapping Measurement Tasks 953 It is possible that a MA starts a new Measurement Task before another 954 Measurement Task has completed. This may be intentional (the way 955 that the measurement system has designed the Measurement Schedules), 956 but it could also be unintentional - for instance, if a Measurement 957 Task has a 'wait for X' step which pauses for an unexpectedly long 958 time. The operator of the measurement system can handle (or not) 959 overlapping Measurement Tasks in any way they choose - it is a policy 960 or implementation issue and not the concern of LMAP. Some possible 961 approaches are: to configure the MA not to begin the second 962 Measurement Task; to start the second Measurement Task as usual; for 963 the action to be an Input Parameter of the Measurement Task; and so 964 on. 966 It may be important to include in the Measurement Report the fact 967 that the Measurement Task overlapped with another. 969 5.5. Report Protocol 971 The primary purpose of the Report Protocol is to allow a Measurement 972 Agent to report its Measurement Results to a Collector, along with 973 the context in which they were obtained. 975 +-----------------+ +-------------+ 976 | | | Measurement | 977 | Collector |===================================| Agent | 978 +-----------------+ +-------------+ 980 <- Report: 981 [MA-ID &/or Group-ID], 982 [Measurement Result 983 [details of Measurement Task]] 984 ACK -> 985 The Report contains: 987 o the MA-ID or a Group-ID (to anonymise results) 989 o the actual Measurement Results, including the time they were 990 measured 992 o the details of the Measurement Task (to avoid the Collector having 993 to ask the Controller for this information later) 995 o perhaps the Subscriber's service parameters (see Section 5.4.1). 997 The MA sends Reports as defined by the Instruction. It is possible 998 that the Instruction tells the MA to report the same Results to more 999 than one Collector, or to report a different subset of Results to 1000 different Collectors. It is also possible that a Measurement Task 1001 may create two (or more) Measurement Results, which could be reported 1002 differently (for example, one Result could be reported periodically, 1003 whilst the second Result could be an alarm that is created as soon as 1004 the measured value of the Metric crosses a threshold and that is 1005 reported immediately). 1007 Optionally, a Report is not sent when there are no Measurement 1008 Results. 1010 In the initial LMAP Information Model and Report Protocol, for 1011 simplicity we assume that all Measurement Results are reported as-is, 1012 but allow extensibility so that a measurement system (or perhaps a 1013 second phase of LMAP) could allow a MA to: 1015 o label, or perhaps not include, Measurement Results impacted by, 1016 for instance, cross-traffic or the Measurement Peer (or other 1017 Measurement Agent) being busy 1019 o label Measurement Results obtained by a Measurement Task that 1020 overlapped with another 1022 o not report the Measurement Results if the MA believes that they 1023 are invalid 1025 o detail when Suppression started and ended 1027 5.5.1. Reporting of Subscriber's service parameters 1029 The Subscriber's service parameters are information about his/her 1030 broadband contract, line rate and so on. Such information is likely 1031 to be needed to help analyse the Measurement Results, for example to 1032 help decide whether the measured download speed is reasonable. 1034 The information could be transferred directly from the Subscriber 1035 parameter database to the data analysis tools. It may also be 1036 possible to transfer the information via the MA. How (and if) the MA 1037 knows such information is likely to depend on the device type. The 1038 MA could either include the information in a Measurement Report or 1039 separately. 1041 5.6. Operation of LMAP over the underlying packet transfer mechanism 1043 The above sections have described LMAP's protocol model. Other 1044 specifications will define the actual Control and Report Protocols, 1045 possibly operating over an existing protocol, to be selected, for 1046 example REST-style HTTP(S). It is also possible that a different 1047 choice is made for the Control and Report Protocols, for example 1048 NETCONF-YANG and IPFIX respectively. 1050 From an LMAP perspective, the Controller needs to know that the MA 1051 has received the Instruction Message, or at least that it needs to be 1052 re-sent as it may have failed to be delivered. Similarly the MA 1053 needs to know about the delivery of Capabilities and Failure 1054 information to the Controller and Reports to the Collector. How this 1055 is done depends on the design of the Control and Report Protocols and 1056 the underlying packet transfer mechanism. 1058 For the Control Protocol, the underlying packet transfer mechanism 1059 could be: 1061 o a 'push' protocol (that is, from the Controller to the MA) 1063 o a multicast protocol (from the Controller to a group of MAs) 1065 o a 'pull' protocol. The MA periodically checks with Controller if 1066 the Instruction has changed and pulls a new Instruction if 1067 necessary. A pull protocol seems attractive for a MA behind a NAT 1068 (as is typical for a MA on an end-user's device), so that it can 1069 initiate the communications. A pull mechanism is likely to 1070 require the MA to be configured with how frequently it should 1071 check in with the Controller, and perhaps what it should do if the 1072 Controller is unreachable after a certain number of attempts. 1074 o a hybrid protocol. In addition to a pull protocol, the Controller 1075 can also push an alert to the MA that it should immediately pull a 1076 new Instruction. 1078 For the Report Protocol, the underlying packet transfer mechanism 1079 could be: 1081 o a 'push' protocol (that is, from the MA to the Collector) 1082 o perhaps supplemented by the ability for the Collector to 'pull' 1083 Measurement Results from a MA. 1085 5.7. Items beyond the scope of the initial LMAP work 1087 There are several potential interactions between LMAP elements that 1088 are beyond the scope of the initial LMAP work: 1090 1. It does not define a coordination process between MAs. Whilst a 1091 measurement system may define coordinated Measurement Schedules 1092 across its various MAs, there is no direct coordination between 1093 MAs. 1095 2. It does not define interactions between the Collector and 1096 Controller. It is quite likely that there will be such 1097 interactions, optionally intermediated by the data analysis 1098 tools. For example, if there is an "interesting" Measurement 1099 Result then the measurement system may want to trigger extra 1100 Measurement Tasks that explore the potential cause in more 1101 detail; or if the Collector unexpectedly does not hear from a MA, 1102 then the measurement system may want to trigger the Controller to 1103 send a fresh Instruction Message to the MA. 1105 3. It does not define coordination between different measurement 1106 systems. For example, it does not define the interaction of a MA 1107 in one measurement system with a Controller or Collector in a 1108 different measurement system. Whilst it is likely that the 1109 Control and Report Protocols could be re-used or adapted for this 1110 scenario, any form of coordination between different 1111 organisations involves difficult commercial and technical issues 1112 and so, given the novelty of large-scale measurement efforts, any 1113 form of inter-organisation coordination is outside the scope of 1114 the initial LMAP work. Note that a single MA is instructed by a 1115 single Controller and is only in one measurement system. 1117 * An interesting scenario is where a home contains two 1118 independent MAs, for example one controlled by a regulator and 1119 one controlled by an ISP. Then the Active Measurement Traffic 1120 of one MA is treated by the other MA just like any other end- 1121 user traffic. 1123 4. It does not consider how to prevent a malicious party "gaming the 1124 system". For example, where a regulator is running a measurement 1125 system in order to benchmark operators, a malicious operator 1126 could try to identify the broadband lines that the regulator was 1127 measuring and prioritise that traffic. It is assumed this is a 1128 policy issue and would be dealt with through a code of conduct 1129 for instance. 1131 5. It does not define how to analyse Measurement Results, including 1132 how to interpret missing Results. 1134 6. It does not specifically define a end-user-controlled measurement 1135 system, see sub-section 5.6.1. 1137 5.7.1. End-user-controlled measurement system 1139 This framework concentrates on the cases where an ISP or a regulator 1140 runs the measurement system. However, we expect that LMAP 1141 functionality will also be used in the context of an end-user- 1142 controlled measurement system. There are at least two ways this 1143 could happen (they have various pros and cons): 1145 1. an end-user could somehow request the ISP- (or regulator-) run 1146 measurement system to test his/her line. The ISP (or regulator) 1147 Controller would then send an Instruction to the MA in the usual 1148 LMAP way. Note that a user can't directly initiate a Measurement 1149 Task on an ISP- (or regulator-) controlled MA. 1151 2. an end-user could deploy their own measurement system, with their 1152 own MA, Controller and Collector. For example, the user could 1153 implement all three functions onto the same end-user-owned end 1154 device, perhaps by downloading the functions from the ISP or 1155 regulator. Then the LMAP Control and Report Protocols do not 1156 need to be used, but using LMAP's Information Model would still 1157 be beneficial. The Measurement Peer (or other MA involved in the 1158 Measurement Task) could be in the home gateway or outside the 1159 home network; in the latter case the Measurement Peer is highly 1160 likely to be run by a different organisation, which raises extra 1161 privacy considerations. 1163 In both cases there will be some way for the end-user to initiate the 1164 Measurement Task(s). The mechanism is outside the scope of the 1165 initial LMAP work, but could include the user clicking a button on a 1166 GUI or sending a text message. Presumably the user will also be able 1167 to see the Measurement Results, perhaps summarised on a webpage. It 1168 is suggested that these interfaces conform to the LMAP guidance on 1169 privacy in Section 8. 1171 6. Deployment considerations 1173 The Appendix has some examples of possible deployment arrangements of 1174 Measurement Agents and Peers. 1176 6.1. Controller and the measurement system 1178 The Controller should understand both the MA's LMAP Capabilities (for 1179 instance what Measurement Methods it can perform) and about the MA's 1180 other capabilities like processing power and memory. This allows the 1181 Controller to make sure that the Measurement Schedule of Measurement 1182 Tasks and the Reporting Schedule are sensible for each MA that it 1183 Instructs. 1185 An Instruction is likely to include several Measurement Tasks. 1186 Typically these run at different times, but it is also possible for 1187 them to run at the same time. Some Tasks may be compatible, in that 1188 they do not affect each other's Results, whilst with others great 1189 care would need to be taken. 1191 The Controller should ensure that the Active Measurement Tasks do not 1192 have an adverse effect on the end user. Tasks, especially those that 1193 generate a substantial amount of traffic, will often include a pre- 1194 check that the user isn't already sending traffic (Section 5.3). 1195 Another consideration is whether Active Measurement Traffic will 1196 impact a Subscriber's bill or traffic cap. 1198 The different elements of the Instruction can be updated 1199 independently. For example, the Measurement Tasks could be 1200 configured with different Input Parameters whilst keeping the same 1201 Measurement Schedule. In general this should not create any issues, 1202 since Measurement Methods should be defined so their fundamental 1203 nature does not change for a new value of Input Parameter. There 1204 could be a problem if, for example, a Measurement Task involving a 1205 1kB file upload could be changed into a 1GB file upload. 1207 A measurement system may have multiple Controllers (but note the 1208 overriding principle that a single MA is instructed by a single 1209 Controller at any point in time (Section 4.2)). For example, there 1210 could be different Controllers for different types of MA (home 1211 gateways, tablets) or locations (Ipswich, Edinburgh), for load 1212 balancing or to cope with failure of one Controller. 1214 The measurement system also needs to consider carefully how to 1215 interpret missing Results; for example, if the missing Results are 1216 ignored and the lack of a Report is caused by its broadband being 1217 broken, then the estimate of overall performance, averaged across all 1218 MAs, would be too optimistic. 1220 6.2. Measurement Agent 1222 The Measurement Agent could take a number of forms: a dedicated 1223 probe, software on a PC, embedded into an appliance, or even embedded 1224 into a gateway. A single site (home, branch office etc.) that is 1225 participating in a measurement could make use of one or multiple 1226 Measurement Agents or Measurement Peers in a single measurement. 1228 The Measurement Agent could be deployed in a variety of locations. 1229 Not all deployment locations are available to every kind of 1230 Measurement Agent. There are also a variety of limitations and 1231 trade-offs depending on the final placement. The next sections 1232 outline some of the locations a Measurement Agent may be deployed. 1233 This is not an exhaustive list and combinations may also apply. 1235 6.2.1. Measurement Agent on a networked device 1237 A MA may be embedded on a device that is directly connected to the 1238 network, such as a MA on a smartphone. Other examples include a MA 1239 downloaded and installed on a subscriber's laptop computer or tablet 1240 when the network service is provided on wired or other wireless radio 1241 technologies, such as Wi-Fi. 1243 6.2.2. Measurement Agent embedded in site gateway 1245 A Measurement Agent embedded with the site gateway, for example a 1246 home router or the edge router of a branch office in a managed 1247 service environment, is one of better places the Measurement Agent 1248 could be deployed. All site-to-ISP traffic would traverse through 1249 the gateway and passive measurements could easily be performed. 1250 Similarly, due to this user traffic visibility, an Active Measurement 1251 Task could be rescheduled so as not to compete with user traffic. 1252 Generally NAT and firewall services are built into the gateway, 1253 allowing the Measurement Agent the option to offer its Controller- 1254 facing management interface outside of the NAT/firewall. This 1255 placement of the management interface allows the Controller to 1256 unilaterally contact the Measurement Agent for instructions. 1257 However, a Measurement Agent on a site gateway (whether end-user 1258 service-provider owned) will generally not be directly available for 1259 over the top providers, the regulator, end users or enterprises. 1261 6.2.3. Measurement Agent embedded behind site NAT /Firewall 1263 The Measurement Agent could also be embedded behind a NAT, a 1264 firewall, or both. In this case the Controller may not be able to 1265 unilaterally contact the Measurement Agent unless either static port 1266 forwarding or firewall pin holing is configured. Configuring port 1267 forwarding could use protocols such as PCP [RFC6887], TR-069 1269 [TR-069]or UPnP [UPnP]. To prop open the firewall, the Measurement 1270 Agent could send keepalives towards the Controller (and perhaps use 1271 these also as a network reachability test). 1273 6.2.4. Multi-homed Measurement Agent 1275 If the device with the Measurement Agent is single homed then there 1276 is no confusion about what interface to measure. Similarly, if the 1277 MA is at the gateway and the gateway only has a single WAN-side and a 1278 single LAN-side interface, there is little confusion - for an Active 1279 Measurement Task, the location of the other MA or Measurement Peer 1280 determines whether the WAN or LAN is measured. 1282 However, the device with the Measurement Agent may be multi-homed. 1283 For example, a home or campus may be connected to multiple broadband 1284 ISPs, such as a wired and wireless broadband provider, perhaps for 1285 redundancy or load- sharing. It may also be helpful to think of dual 1286 stack IPv4 and IPv6 broadband devices as multi-homed. More 1287 generally, Section 3.2 of [I-D.ietf-homenet-arch] describes dual- 1288 stack and multi-homing topologies that might be encountered in a home 1289 network, [RFC6419] provides the current practices of multi-interfaces 1290 hosts, and the Multiple Interfaces (mif) working group covers cases 1291 where hosts are either directly attached to multiple networks 1292 (physical or virtual) or indirectly (multiple default routers, etc.). 1293 In these cases, there needs to be clarity on which network 1294 connectivity option is being measured. 1296 One possibility is to have a Measurement Agent per interface. Then 1297 the Controller's choice of MA determines which interface is measured. 1298 However, if a MA can measure any of the interfaces, then the 1299 Controller defines in the Instruction which interface the MA should 1300 use for a Measurement Task; if the choice of interface is not defined 1301 then the MA uses the default one. Explicit definition is preferred 1302 if the measurement system wants to measure the performance of a 1303 particular network, whereas using the default is better if the 1304 measurement system wants to include the impact of the MA's interface 1305 selection algorithm. In any case, the Measurement Result should 1306 include the network that was measured. 1308 6.2.5. Measurement Agent embedded in ISP Network 1310 A MA may be embedded on a device that is part of an ISP's network, 1311 such as a router or switch. Usually the network devices with an 1312 embedded MA will be strategically located, such as a Carrier Grade 1313 NAT or ISP Gateway. [I-D.ietf-ippm-lmap-path] gives many examples 1314 where a MA might be located within a network to provide an 1315 intermediate measurement point on the end-to-end path. Other 1316 examples include a network device whose primary role is to host MA 1317 functions and the necessary measurement protocol. 1319 6.3. Measurement Peer 1321 A Measurement Peer participates in Active Measurement Tasks. It may 1322 have specific functionality to enable it to participate in a 1323 particular Measurement Method. On the other hand, other Measurement 1324 Methods may require no special functionality, for example if the 1325 Measurement Agent sends a ping to example.com then the server at 1326 example.com plays the role of a Measurement Peer. 1328 A device may participate in some Measurement Tasks as a Measurement 1329 Agent and in others as a Measurement Peer. 1331 Measurement Schedules should account for limited resources in a 1332 Measurement Peer when instructing a MA to execute measurements with a 1333 Measurement Peer. In some measurement protocols, such as [RFC4656] 1334 and [RFC5357], the Measurement Peer can reject a measurement session 1335 or refuse a control connection prior to setting-up a measurement 1336 session and so protect itself from resource exhaustion. This is a 1337 valuable capability because the MP may be used by more than one 1338 organisation. 1340 7. Security considerations 1342 The security of the LMAP framework should protect the interests of 1343 the measurement operator(s), the network user(s) and other actors who 1344 could be impacted by a compromised measurement deployment. The 1345 measurement system must secure the various components of the system 1346 from unauthorised access or corruption. Much of the general advice 1347 contained in section 6 of [RFC4656] is applicable here. 1349 We assume that each Measurement Agent (MA) will receive its 1350 Instructions from a single organisation, which operates the 1351 Controller. These Instructions must be authenticated (to ensure that 1352 they come from the trusted Controller), checked for integrity (to 1353 ensure no-one has tampered with them) and not vulnerable to replay 1354 attacks. If a malicious party can gain control of the MA they can 1355 use it to launch DoS attacks at targets, reduce the end user's 1356 quality of experience and corrupt the Measurement Results that are 1357 reported to the Collector. By altering the Measurement Tasks and/or 1358 the address that Results are reported to, they can also compromise 1359 the confidentiality of the network user and the MA environment (such 1360 as information about the location of devices or their traffic). The 1361 Instruction messages also need to be encrypted to maintain 1362 confidentiality, as the information might be useful to an attacker. 1364 The process to upgrade the firmware in an MA is outside the scope of 1365 the initial LMAP work, similar to the protocol to bootstrap the MAs 1366 (as specified in the charter). However, systems which provide remote 1367 upgrade must secure authorised access and integrity of the process. 1369 Reporting by the MA must also be secured to maintain confidentiality. 1370 The results must be encrypted such that only the authorised Collector 1371 can decrypt the results to prevent the leakage of confidential or 1372 private information. In addition it must be authenticated that the 1373 results have come from the expected MA and that they have not been 1374 tampered with. It must not be possible to fool a MA into injecting 1375 falsified data into the measurement platform or to corrupt the 1376 results of a real MA. The results must also be held and processed 1377 securely after collection and analysis. 1379 Reporting by the MA must be encrypted to maintain confidentiality, to 1380 prevent the leakage of confidential or private information. 1381 Reporting must also be authenticated (to ensure that it comes from a 1382 trusted MA) and not vulnerable to tampering (which can be ensured 1383 through integrity and replay checks). It must not be possible to 1384 fool a MA into injecting falsified data and the results must also be 1385 held and processed securely after collection and analysis See section 1386 8.5.2 below for additional considerations on stored data compromise, 1387 and section 8.6 on potential mitigations for compromise. 1389 Since Collectors will be contacted repeatedly by MAs using the 1390 Collection Protocol to convey their recent results, a successful 1391 attack to exhaust the communication resources would prevent a 1392 critical operation: reporting. Therefore, all LMAP Collectors should 1393 implement technical mechanisms to: 1395 o limit the number of reporting connections from a single MA 1396 (simultaneous, and connections per unit time). 1398 o limit the transmission rate from a single MA. 1400 o limit the memory/storage consumed by a single MA's reports. 1402 o efficiently reject reporting connections from unknown sources. 1404 o separate resources if multiple authentication strengths are used, 1405 where the resources should be separated according to each class of 1406 strength. 1408 o limit iteration counters to generate keys with both a lower and 1409 upper limit, to prevent an attacking system from requesting the 1410 maximum and causing the Controller to stall on the process (see 1411 section 6 of [RFC5357]). 1413 Many of the above considerations are applicable to a "pull" model, 1414 where the MA must contact the Controller because NAT or other network 1415 aspect prevents Controllers from contacting MAs directly. 1417 Availability should also be considered. While the loss of some MAs 1418 may not be considered critical, the unavailability of the Collector 1419 could mean that valuable business data or data critical to a 1420 regulatory process is lost. Similarly, the unavailability of a 1421 Controller could mean that the MAs do not operate a correct 1422 Measurement Schedule. 1424 The security mechanisms described above may not be strictly necessary 1425 if the network's design ensures the LMAP components and their 1426 communications are already secured, for example potentially if they 1427 are all part of an ISP's dedicated management network. 1429 A malicious party could "game the system". For example, where a 1430 regulator is running a measurement system in order to benchmark 1431 operators, an operator could try to identify the broadband lines that 1432 the regulator was measuring and prioritise that traffic. Normally, 1433 this potential issue is handled by a code of conduct. It is outside 1434 the scope of the initial LMAP work to consider the issue. 1436 8. Privacy Considerations for LMAP 1438 The LMAP work considers privacy as a core requirement and will ensure 1439 that by default the Control and Report Protocols operate in a 1440 privacy-sensitive manner and that privacy features are well-defined. 1442 This section provides a set of privacy considerations for LMAP. This 1443 section benefits greatly from the timely publication of [RFC6973]. 1444 Privacy and security (Section 7) are related. In some jurisdictions 1445 privacy is called data protection. 1447 We begin with a set of assumptions related to protecting the 1448 sensitive information of individuals and organisations participating 1449 in LMAP-orchestrated measurement and data collection. 1451 8.1. Categories of Entities with Information of Interest 1453 LMAP protocols need to protect the sensitive information of the 1454 following entities, including individuals and organisations who 1455 participate in measurement and collection of results. 1457 o Individual Internet users: Persons who utilise Internet access 1458 services for communications tasks, according to the terms of 1459 service of a service agreement. Such persons may be a service 1460 Subscriber, or have been given permission by the Subscriber to use 1461 the service. 1463 o Internet service providers: Organisations who offer Internet 1464 access service subscriptions, and thus have access to sensitive 1465 information of individuals who choose to use the service. These 1466 organisations desire to protect their Subscribers and their own 1467 sensitive information which may be stored in the process of 1468 performing Measurement Tasks and collecting and Results. 1470 o Regulators: Public authorities responsible for exercising 1471 supervision of the electronic communications sector, and which may 1472 have access to sensitive information of individuals who 1473 participate in a measurement campaign. Similarly, regulators 1474 desire to protect the participants and their own sensitive 1475 information. 1477 o Other LMAP system operators: Organisations who operate measurement 1478 systems or participate in measurements in some way. 1480 Although privacy is a protection extended to individuals, we include 1481 discussion of ISPs and other LMAP system operators in this section. 1482 These organisations have sensitive information involved in the LMAP 1483 system, and many of the same dangers and mitigations are applicable. 1484 Further, the ISPs store information on their Subscribers beyond that 1485 used in the LMAP system (for instance billing information), and there 1486 should be a benefit in considering all the needs and potential 1487 solutions coherently. 1489 8.2. Examples of Sensitive Information 1491 This section gives examples of sensitive information which may be 1492 measured or stored in a measurement system, and which is to be kept 1493 private by default in the LMAP core protocols. 1495 Examples of Subscriber or authorised Internet user sensitive 1496 information: 1498 o Sub-IP layer addresses and names (MAC address, base station ID, 1499 SSID) 1501 o IP address in use 1503 o Personal Identification (real name) 1505 o Location (street address, city) 1507 o Subscribed service parameters 1508 o Contents of traffic (activity, DNS queries, destinations, 1509 equipment types, account info for other services, etc.) 1511 o Status as a study volunteer and Schedule of (Active) Measurement 1512 Tasks 1514 Examples of Internet Service Provider sensitive information: 1516 o Measurement device identification (equipment ID and IP address) 1518 o Measurement Instructions (choice of measurements) 1520 o Measurement Results (some may be shared, others may be private) 1522 o Measurement Schedule (exact times) 1524 o Network topology (locations, connectivity, redundancy) 1526 o Subscriber billing information, and any of the above Subscriber 1527 information known to the provider. 1529 o Authentication credentials (such as certificates) 1531 Other organisations will have some combination of the lists above. 1532 The LMAP system would not typically expose all of the information 1533 above, but could expose a combination of items which could be 1534 correlated with other pieces collected by an attacker (as discussed 1535 in the section on Threats below). 1537 8.3. Key Distinction Between Active and Passive Measurement Tasks 1539 Passive and Active Measurement Tasks raise different privacy issues. 1541 Passive Measurement Tasks are conducted on one or more user's 1542 traffic, such that sensitive information is present and stored in the 1543 measurement system (however briefly this storage may be). We note 1544 that some authorities make a distinction on time of storage, and 1545 information that is kept only temporarily to perform a communications 1546 function is not subject to regulation (for example, active queue 1547 management, deep packet inspection). Passive Measurement Tasks could 1548 reveal all the websites a Subscriber visits and the applications and/ 1549 or services they use. 1551 Active Measurement Tasks are conducted on traffic which is created 1552 specifically for the purpose. Even if a user host generates Active 1553 Measurement Traffic, there is limited sensitive information about the 1554 Subscriber present and stored in the measurement system compared to 1555 the passive case, as follows: 1557 o IP address in use (and possibly sub-IP addresses and names) 1559 o Status as a study volunteer and Schedule of Active Measurement 1560 Tasks 1562 On the other hand, for a service provider the sensitive information 1563 like Measurement Results is the same for Passive and Active 1564 Measurement Tasks. 1566 From the Subscriber perspective, both Active and Passive Measurement 1567 Tasks potentially expose the description of Internet access service 1568 and specific service parameters, such as subscribed rate and type of 1569 access. 1571 8.4. Privacy analysis of the Communications Models 1573 This section examines each of the protocol exchanges described at a 1574 high level in Section 5 and some example Measurement Tasks, and 1575 identifies specific sensitive information which must be secured 1576 during communication for each case. With the protocol-related 1577 sensitive information identified, we can better consider the threats 1578 described in the following section. 1580 From the privacy perspective, all entities participating in LMAP 1581 protocols can be considered "observers" according to the definition 1582 in [RFC6973]. Their stored information potentially poses a threat to 1583 privacy, especially if one or more of these functional entities has 1584 been compromised. Likewise, all devices on the paths used for 1585 control, reporting, and measurement are also observers. 1587 8.4.1. MA Bootstrapping 1589 Section 5.1 provides the communication model for the Bootstrapping 1590 process. 1592 Although the specification of mechanisms for Bootstrapping the MA are 1593 beyond the initial LMAP work scope, designers should recognize that 1594 the Bootstrapping process is extremely powerful and could cause an MA 1595 to join a new or different LMAP system with a different Controller 1596 and Collector, or simply install new Measurement Methods (for example 1597 to passively record DNS queries). A Bootstrap attack could result in 1598 a breach of the LMAP system with significant sensitive information 1599 exposure depending on the capabilities of the MA, so sufficient 1600 security protections are warranted. 1602 The Bootstrapping process provides sensitive information about the 1603 LMAP system and the organisation that operates it, such as 1604 o Initial Controller IP address or FQDN 1606 o Assigned Controller IP address or FQDN 1608 o Security certificates and credentials 1610 During the Bootstrap process for an MA located at a single 1611 subscriber's service demarcation point, the MA receives a MA-ID which 1612 is a persistent pseudonym for the Subscriber. Thus, the MA-ID is 1613 considered sensitive information because it could provide the link 1614 between Subscriber identification and Measurements Results. 1616 Also, the Bootstrap process could assign a Group-ID to the MA. The 1617 specific definition of information represented in a Group-ID is to be 1618 determined, but several examples are envisaged including use as a 1619 pseudonym for a set of Subscribers, a class of service, an access 1620 technology, or other important categories. Assignment of a Group-ID 1621 enables anonymisation sets to be formed on the basis of service type/ 1622 grade/rates. Thus, the mapping between Group-ID and MA-ID is 1623 considered sensitive information. 1625 8.4.2. Controller <-> Measurement Agent 1627 The high-level communication model for interactions between the LMAP 1628 Controller and Measurement Agent is illustrated in Section 5.2. The 1629 primary purpose of this exchange is to authenticate and task a 1630 Measurement Agent with Measurement Instructions, which the 1631 Measurement Agent then acts on autonomously. 1633 Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged 1634 with a capability request, then measurement-related information of 1635 interest such as the parameters, schedule, metrics, and IP addresses 1636 of measurement devices. Thus, the measurement Instruction contains 1637 sensitive information which must be secured. For example, the fact 1638 that an ISP is running additional measurements beyond the set 1639 reported externally is sensitive information, as are the additional 1640 Measurements Tasks themselves. The Measurement Schedule is also 1641 sensitive, because an attacker intending to bias the results without 1642 being detected can use this information to great advantage. 1644 An organisation operating the Controller having no service 1645 relationship with a user who hosts the Measurement Agent *could* gain 1646 real-name mapping to a public IP address through user participation 1647 in an LMAP system (this applies to the Measurement Collection 1648 protocol, as well). 1650 8.4.3. Collector <-> Measurement Agent 1652 The high-level communication model for interactions between the 1653 Measurement Agent and Collector is illustrated in Section 5.4. The 1654 primary purpose of this exchange is to authenticate and collect 1655 Measurement Results from a MA, which the MA has measured autonomously 1656 and stored. 1658 The Measurement Results are the additional sensitive information 1659 included in the Collector-MA exchange. Organisations collecting LMAP 1660 measurements have the responsibility for data control. Thus, the 1661 Results and other information communicated in the Collector protocol 1662 must be secured. 1664 8.4.4. Measurement Peer <-> Measurement Agent 1666 Although the specification of the mechanisms for an Active 1667 Measurement Task is beyond the scope of the initial LMAP work, it 1668 raises potential privacy issues. The high-level communications model 1669 below illustrates the various exchanges to execute Active Measurement 1670 Tasks and store the Results. 1672 We note the potential for additional observers in the figures below 1673 by indicating the possible presence of a NAT, which has additional 1674 significance to the protocols and direction of initiation. 1676 The various messages are optional, depending on the nature of the 1677 Active Measurement Task. It may involve sending Active Measurement 1678 Traffic from the Measurement Peer to MA, MA to Measurement Peer, or 1679 both. 1681 _________________ _________________ 1682 | | | | 1683 |Measurement Peer |=========== NAT ? ==========|Measurement Agent| 1684 |_________________| |_________________| 1686 <- (Key Negotiation & 1687 Encryption Setup) 1688 (Encrypted Channel -> 1689 Established) 1690 (Announce capabilities -> 1691 & status) 1692 <- (Select capabilities) 1693 ACK -> 1694 <- (Measurement Request 1695 (MA+MP IPAddrs,set of 1696 Metrics, Schedule)) 1697 ACK -> 1699 Active Measurement Traffic <> Active Measurement Traffic 1700 (may/may not be encrypted) (may/may not be encrypted) 1702 <- (Stop Measurement Task) 1704 Measurement Results -> 1705 (if applicable) 1706 <- ACK, Close 1708 This exchange primarily exposes the IP addresses of measurement 1709 devices and the inference of measurement participation from such 1710 traffic. There may be sensitive information on key points in a 1711 service provider's network included. There may also be access to 1712 measurement-related information of interest such as the Metrics, 1713 Schedule, and intermediate results carried in the Active Measurement 1714 Traffic (usually a set of timestamps). 1716 If the Active Measurement Traffic is unencrypted, as found in many 1717 systems today, then both timing and limited results are open to on- 1718 path observers. 1720 8.4.5. Passive Measurement Agent 1722 Although the specification of the mechanisms for a Passive 1723 Measurement Task is beyond the scope of the initial LMAP work, it 1724 raises potential privacy issues. 1726 The high-level communications model below illustrates the collection 1727 of user information of interest with the Measurement Agent performing 1728 the monitoring and storage of the Results. This particular exchange 1729 is for passive measurement of DNS Response Time, which most 1730 frequently uses UDP transport. 1732 _________________ ____________ 1733 | | | | 1734 | DNS Server |=========== NAT ? ==========*=======| User client| 1735 |_________________| ^ |____________| 1736 ______|_______ 1737 | | 1738 | Measurement | 1739 | Agent | 1740 |______________| 1742 <- Name Resolution Req 1743 (MA+MP IPAddrs, 1744 Desired Domain Name) 1745 Return Record -> 1747 This exchange primarily exposes the IP addresses of measurement 1748 devices and the intent to communicate with or access the services of 1749 "Domain Name". There may be information on key points in a service 1750 provider's network, such as the address of one of its DNS servers. 1751 The Measurement Agent may be embedded in the user host, or it may be 1752 located in another device capable of observing user traffic. 1754 In principle, any of the user sensitive information of interest 1755 (listed above) can be collected and stored in the passive monitoring 1756 scenario and so must be secured. 1758 It would also be possible for a Measurement Agent to source the DNS 1759 query itself. But then, as with any active measurement task, there 1760 are few privacy concerns. 1762 8.4.6. Storage and Reporting of Measurement Results 1764 Although the mechanisms for communicating results (beyond the initial 1765 Collector) are beyond the initial LMAP work scope, there are 1766 potential privacy issues related to a single organisation's storage 1767 and reporting of Measurement Results. Both storage and reporting 1768 functions can help to preserve privacy by implementing the 1769 mitigations described below. 1771 8.5. Threats 1773 This section indicates how each of the threats described in [RFC6973] 1774 apply to the LMAP entities and their communication and storage of 1775 "information of interest". Denial of Service (DOS) and other attacks 1776 described in the Security section represent threats as well, and 1777 these attacks are more effective when sensitive information 1778 protections have been compromised. 1780 8.5.1. Surveillance 1782 Section 5.1.1 of [RFC6973] describes Surveillance as the "observation 1783 or monitoring of and individual's communications or activities." 1784 Hence all Passive Measurement Tasks are a form of surveillance, with 1785 inherent risks. 1787 Active Measurement Methods which avoid periods of user transmission 1788 indirectly produce a record of times when a subscriber or authorised 1789 user has used their network access service. 1791 Active Measurement Methods may also utilise and store a Subscriber's 1792 currently assigned IP address when conducting measurements that are 1793 relevant to a specific Subscriber. Since the Measurement Results are 1794 time-stamped, they could provide a record of IP address assignments 1795 over time. 1797 Either of the above pieces of information could be useful in 1798 correlation and identification, described below. 1800 8.5.2. Stored Data Compromise 1802 Section 5.1.2 of [RFC6973] describes Stored Data Compromise as 1803 resulting from inadequate measures to secure stored data from 1804 unauthorised or inappropriate access. For LMAP systems this includes 1805 deleting or modifying collected measurement records, as well as data 1806 theft. 1808 The primary LMAP entity subject to compromise is the repository, 1809 which stores the Measurement Results; extensive security and privacy 1810 threat mitigations are warranted. The Collector and MA also store 1811 sensitive information temporarily, and need protection. The 1812 communications between the local storage of the Collector and the 1813 repository is beyond the scope of the initial LMAP work, though this 1814 communications channel will certainly need protection as well as the 1815 mass storage itself. 1817 The LMAP Controller may have direct access to storage of Subscriber 1818 information (location, billing, service parameters, etc.) and other 1819 information which the controlling organisation considers private, and 1820 again needs protection. 1822 Note that there is tension between the desire to store all raw 1823 results in the LMAP Collector (for reproducibility and custom 1824 analysis), and the need to protect the privacy of measurement 1825 participants. Many of the compromise mitigations described in 1826 section 8.6 below are most efficient when deployed at the MA, 1827 therefore minimizing the risks with stored results. 1829 8.5.3. Correlation and Identification 1831 Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as 1832 combining various pieces of information to obtain desired 1833 characteristics of an individual, and Identification as using this 1834 process to infer identity. 1836 The main risk is that the LMAP system could unwittingly provide a key 1837 piece of the correlation chain, starting with an unknown Subscriber's 1838 IP address and another piece of information. For example, a 1839 Subscriber utilised Internet access from 2000 to 2310 UTC, because 1840 the Active Measurement Tasks were deferred, or sent a name resolution 1841 for www.example.com at 2300 UTC. 1843 8.5.4. Secondary Use and Disclosure 1845 Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as 1846 unauthorised utilisation of an individual's information for a purpose 1847 the individual did not intend, and Disclosure is when such 1848 information is revealed causing other's notions of the individual to 1849 change, or confidentiality to be violated. 1851 Passive Measurement Tasks are a form of Secondary Use, and the 1852 Subscribers' permission should be obtained beforehand. It may be 1853 necessary to obtain the measured ISP's permission to conduct 1854 measurements, for example when required by the terms and conditions 1855 of the service agreement, and notification is considered good 1856 measurement practice. Although user traffic is only indirectly 1857 involved, the Measurement Results from Active Measurement Tasks 1858 provide some limited information about the Subscriber or ISP and 1859 could result in Secondary Uses. For example, the use of the Results 1860 in unauthorised marketing campaigns would qualify as Secondary Use. 1861 Secondary use may break national laws and regulations, and may 1862 violate individual's expectations or desires. 1864 8.6. Mitigations 1866 This section examines the mitigations listed in section 6 of 1867 [RFC6973] and their applicability to LMAP systems. Note that each 1868 section in [RFC6973] identifies the threat categories that each 1869 technique mitigates. 1871 8.6.1. Data Minimisation 1873 Section 6.1 of [RFC6973] encourages collecting and storing the 1874 minimal information needed to perform a task. 1876 There are two levels of information detail needed for LMAP results to 1877 be useful for a specific task: troubleshooting and general results 1878 reporting, as explained in the paragraphs below. 1880 For general results, the results can be aggregated into large 1881 categories (the month of March, all subscribers West of the 1882 Mississippi River). In this case, all individual identifications 1883 (including IP address of the MA) can be excluded, and only relevant 1884 results are provided. However, this implies a filtering process to 1885 reduce the information fields, because greater detail was needed to 1886 conduct the Measurement Tasks in the first place. 1888 For troubleshooting, so that a network operator or end user can 1889 identify a performance issue or failure, potentially all the network 1890 information (IP addresses, equipment IDs, location), Measurement 1891 Schedule, service configuration, Measurement Results, and other 1892 information may assist in the process. This includes the information 1893 needed to conduct the Measurements Tasks, and represents a need where 1894 the maximum relevant information is desirable, therefore the greatest 1895 protections should be applied. This level of detail is greater than 1896 needed for general results. 1898 We note that a user may give temporary permission for Passive 1899 Measurement Tasks to enable detailed troubleshooting, but withhold 1900 permission for them in general. Here the greatest breadth of 1901 sensitive information is potentially exposed, and the maximum privacy 1902 protection must be provided. 1904 For MAs with access to the sensitive information of users (e.g., 1905 within a home or a personal host/handset), it is desirable for the 1906 results collection to minimise the data reported, but also to balance 1907 this desire with the needs of troubleshooting when a service 1908 subscription exists between the user and organisation operating the 1909 measurements. 1911 For passive measurements where the MA reports flow information to the 1912 Collector, the Collector may perform pre-storage minimisation and 1913 other mitigations (below) to help preserve privacy. 1915 8.6.2. Anonymity 1917 Section 6.1.1 of [RFC6973] describes a way in which anonymity is 1918 achieved: "there must exist a set of individuals that appear to have 1919 the same attributes as the individual", defined as an "anonymity 1920 set". 1922 Experimental methods for anonymisation of user identifiable data 1923 applicable to Passive Measurement Methods have been identified in 1924 [RFC6235]. However, the findings of several of the same authors is 1925 that "there is increasing evidence that anonymisation applied to 1926 network trace or flow data on its own is insufficient for many data 1927 protection applications as in [Bur10]." 1929 Essentially, the details of passive measurement tasks can only be 1930 accessed by closed organisations, and unknown injection attacks are 1931 always less expensive than the protections from them. However, some 1932 forms of summary may protect the user's sensitive information 1933 sufficiently well, and so each Metric must be evaluated in the light 1934 of privacy. 1936 The methods in [RFC6235] could be applied more successfully in Active 1937 Measurement Methods, where there are protections from injection 1938 attack. The successful attack would require breaking the integrity 1939 protection of the LMAP Reporting Protocol and injecting Measurement 1940 Results (known fingerprint, see section 3.2 of [RFC6973]) for 1941 inclusion with the shared and anonymised results, then fingerprinting 1942 those records to ascertain the anonymisation process. 1944 Beside anonymisation of measured Results for a specific user or 1945 provider, the value of sensitive information can be further diluted 1946 by summarising the results over many individuals or areas served by 1947 the provider. There is an opportunity enabled by forming anonymity 1948 sets [RFC6973] based on the reference path measurement points in 1949 [I-D.ietf-ippm-lmap-path]. For example, all measurements from the 1950 Subscriber device can be identified as "mp000", instead of using the 1951 IP address or other device information. The same anonymisation 1952 applies to the Internet Service Provider, where their Internet 1953 gateway would be referred to as "mp190". 1955 8.6.3. Pseudonymity 1957 Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, 1958 are a possible mitigation to revealing one's true identity, since 1959 there is no requirement to use real names in almost all protocols. 1961 A pseudonym for a measurement device's IP address could be an LMAP- 1962 unique equipment ID. However, this would likely be a permanent 1963 handle for the device, and long-term use weakens a pseudonym's power 1964 to obscure identity. 1966 8.6.4. Other Mitigations 1968 Data can be de-personalised by blurring it, for example by adding 1969 synthetic data, data-swapping, or perturbing the values in ways that 1970 can be reversed or corrected. 1972 Sections 6.2 and 6.3 of [RFC6973] describe User Participation and 1973 Security, respectively. 1975 Where LMAP measurements involve devices on the Subscriber's premises 1976 or Subscriber-owned equipment, it is essential to secure the 1977 Subscriber's permission with regard to the specific information that 1978 will be collected. The informed consent of the Subscriber (and, if 1979 different, the end user) may be needed, including the specific 1980 purpose of the measurements. The approval process could involve 1981 showing the Subscriber their measured information and results before 1982 instituting periodic collection, or before all instances of 1983 collection, with the option to cancel collection temporarily or 1984 permanently. 1986 It should also be clear who is legally responsible for data 1987 protection (privacy); in some jurisdictions this role is called the 1988 'data controller'. It is always good practice to limit the time of 1989 personal information storage. 1991 Although the details of verification would be impenetrable to most 1992 subscribers, the MA could be architected as an "app" with open 1993 source-code, pre-download and embedded terms of use and agreement on 1994 measurements, and protection from code modifications usually provided 1995 by the app-stores. Further, the app itself could provide data 1996 reduction and temporary storage mitigations as appropriate and 1997 certified through code review. 1999 LMAP protocols, devices, and the information they store clearly need 2000 to be secure from unauthorised access. This is the hand-off between 2001 privacy and security considerations (Section 7). The Data Controller 2002 has the (legal) responsibility to maintain data protections described 2003 in the Subscriber's agreement and agreements with other 2004 organisations. 2006 9. IANA Considerations 2008 There are no IANA considerations in this memo. 2010 10. Appendix: Deployment examples 2012 In this section we describe some deployment scenarios that are 2013 feasible within the LMAP framework defined in this document. 2015 The LMAP framework defines two types of components involved in the 2016 actual measurement task, namely the Measurement Agent (MA) and the 2017 Measurement Peer (MP). The fundamental difference conveyed in the 2018 definition of these terms is that the MA has a interface with the 2019 Controller/Collector while the MP does not. The MP is broadly 2020 defined as a function that assists the MA in the Measurement Task but 2021 has no interface with the Controller/Collector. There are many 2022 elements in the network that can fall into this broad definition of 2023 MP. We believe that the MP terminology is useful to allow us to 2024 refer an element of the network that plays a role that is 2025 conceptually important to understand and describe the measurement 2026 task being performed. We next illustrate these concepts by 2027 describing several deployment scenarios. 2029 A very simple example of a Measurement Peer is a web server that the 2030 MA is downloading a web page from (such as www.example.com) in order 2031 to perform a speed test. The web server is a MP and from its 2032 perspective, the MA is just another client; the MP doesn't have a 2033 specific function for assisting measurements. This is described in 2034 the figure A1. 2036 ^ 2037 +----------------+ Web Traffic +----------------+ IPPM 2038 | Web Client |<------------>| MP: Web Server | Scope 2039 | | +----------------+ | 2040 ...|................|....................................V... 2041 | LMAP interface | ^ 2042 +----------------+ | 2043 ^ | | 2044 Instruction | | Report | 2045 | +-----------------+ | 2046 | | | 2047 | v LMAP 2048 +------------+ +------------+ Scope 2049 | Controller | | Collector | | 2050 +------------+ +------------+ V 2052 Figure A1: Schematic of LMAP-based measurement system, 2053 with Web server as Measurement Peer 2055 Another case that is slightly different than this would be the one of 2056 a TWAMP-responder. This is also a MP, with a helper function, the 2057 TWAMP server, which is specially deployed to assist the MAs that 2058 perform TWAMP tests. Another example is with a ping server, as 2059 described in Section 2. 2061 A further example is the case of a traceroute like measurement. In 2062 this case, for each packet sent, the router where the TTL expires is 2063 performing the MP function. So for a given Measurement Task, there 2064 is one MA involved and several MPs, one per hop. 2066 In figure A2 we depict the case of an OWAMP responder acting as an 2067 MP. In this case, the helper function in addition reports results 2068 back to the MA. So it has both a data plane and control interface 2069 with the MA. 2071 +----------------+ OWAMP +----------------+ ^ 2072 | OWAMP |<--control--->| MP: | | 2073 | control-client |>test-traffic>| OWAMP server & | IPPM 2074 | fetch-client & |<----fetch----| session-rec'ver| Scope 2075 | session-sender | | | | 2076 | | +----------------+ | 2077 ...|................|....................................v... 2078 | LMAP interface | ^ 2079 +----------------+ | 2080 ^ | | 2081 Instruction | | Report | 2082 | +-----------------+ | 2083 | | | 2084 | v LMAP 2085 +------------+ +------------+ Scope 2086 | Controller | | Collector | | 2087 +------------+ +------------+ v 2088 IPPM 2090 Figure A2: Schematic of LMAP-based measurement system, 2091 with OWAMP server as Measurement Peer 2093 However, it is also possible to use two Measurement Agents when 2094 performing one way Measurement Tasks, as described in figure A3 2095 below. In this case, MA1 generates the traffic and MA2 receives the 2096 traffic and send the reports to the Collector. Note that both MAs 2097 are instructed by the Controller. MA1 receives an Instruction to 2098 send the traffic and MA2 receives an Instruction to measured the 2099 received traffic and send Reports to the Collector. 2101 +----------------+ +----------------+ ^ 2102 | MA1 | | MA2 | IPPM 2103 | iperf -u sender|-UDP traffic->| iperf -u recvr | Scope 2104 | | | | v 2105 ...|................|..............|................|....v... 2106 | LMAP interface | | LMAP interface | ^ 2107 +----------------+ +----------------+ | 2108 ^ ^ | | 2109 Instruction | Instruction{Report} | | Report | 2110 {task, | +-------------------+ | | 2111 schedule} | | | | 2112 | | v LMAP 2113 +------------+ +------------+ Scope 2114 | Controller | | Collector | | 2115 +------------+ +------------+ v 2116 IPPM 2118 Figure A3: Schematic of LMAP-based measurement system, 2119 with two Measurement Agents cooperating to measure UDP traffic 2121 Next, we consider Passive Measurement Tasks. Traffic generated in 2122 one point in the network flowing towards a given destination and the 2123 traffic is passively observed in some point along the path. One way 2124 to implement this is that the endpoints generating and receiving the 2125 traffic are not instructed by the Controller; hence they are MPs. 2126 The MA is located along the path with a passive monitor function that 2127 measures the traffic. The MA is instructed by the Controller to 2128 monitor that particular traffic and to send the Report to the 2129 Collector. It is depicted in figure A4 below. 2131 +-----+ +----------------+ +------+ ^ 2132 | MP | | Passive Monitor| | MP | IPPM 2133 | |<--|----------------|---traffic--->| | Scope 2134 +-----+ | | +------+ | 2135 .......|................|.........................v........... 2136 | LMAP interface | ^ 2137 +----------------+ | 2138 ^ | | 2139 Instruction | | Report | 2140 | +-----------------+ | 2141 | | | 2142 | v LMAP 2143 +------------+ +------------+ Scope 2144 | Controller | | Collector | | 2145 +------------+ +------------+ v 2147 Figure A4: Schematic of LMAP-based measurement system, 2148 with a Measurement Agent passively monitoring traffic 2150 Finally, we should consider the case of a router or a switch along 2151 the measurement path. This certainly performs an important role in 2152 the measurement - if packets are not forwarded, the measurement task 2153 will not work. Whilst it doesn't has an interface with the 2154 Controller or Collector, and so fits into the definition of MP, 2155 usually it is not particularly useful to highlight it as a MP. 2157 11. Acknowledgments 2159 This document is a merger of three individual drafts: draft-eardley- 2160 lmap-terminology-02, draft-akhter-lmap-framework-00, and draft- 2161 eardley-lmap-framework-02. 2163 Thanks to Juergen Schoenwaelder for his detailed review of the 2164 terminology. Thanks to Charles Cook for a very detailed review of 2165 -02. 2167 Thanks to numerous people for much discussion, directly and on the 2168 LMAP list (apologies to those unintentionally omitted): Alan Clark, 2169 Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian 2170 Trammell, Charles Cook, Dave Thorne, Frode Soerensen, Greg Mirsky, 2171 Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit, 2172 Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Lingli 2173 Deng, Michael Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, 2174 Steve Miller, Ted Lemon, Timothy Carey, Vaibhav Bajpai, William 2175 Lupton. 2177 Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on 2178 the Leone research project, which receives funding from the European 2179 Union Seventh Framework Programme [FP7/2007-2013] under grant 2180 agreement number 317647. 2182 12. History 2184 First WG version, copy of draft-folks-lmap-framework-00. 2186 12.1. From -00 to -01 2188 o new sub-section of possible use of Group-IDs for privacy 2190 o tweak to definition of Control protocol 2192 o fix typo in figure in S5.4 2194 12.2. From -01 to -02 2196 o change to INFORMATIONAL track (previous version had typo'd 2197 Standards track) 2199 o new definitions for Capabilities Information and Failure 2200 Information 2202 o clarify that diagrams show LMAP-level information flows. 2203 Underlying protocol could do other interactions, eg to get through 2204 NAT or for Collector to pull a Report 2206 o add hint that after a re-boot should pause random time before re- 2207 register (to avoid mass calling event) 2209 o delete the open issue "what happens if a Controller fails" (normal 2210 methods can handle) 2212 o add some extra words about multiple Tasks in one Schedule 2214 o clarify that new Schedule replaces (rather than adds to) and old 2215 one. Similarly for new configuration of Measurement Tasks or 2216 Report Channels. 2218 o clarify suppression is temporary stop; send a new Schedule to 2219 permanently stop Tasks 2221 o alter suppression so it is ACKed 2223 o add un-suppress message 2224 o expand the text on error reporting, to mention Reporting failures 2225 (as well as failures to action or execute Measurement Task & 2226 Schedule) 2228 o add some text about how to have Tasks running indefinitely 2230 o add that optionally a Report is not sent when there are no 2231 Measurement Results 2233 o add that a Measurement Task may create more than one Measurement 2234 Result 2236 o clarify /amend /expand that Reports include the "raw" Measurement 2237 Results - any pre-processing is left for lmap2.0 2239 o add some cautionary words about what if the Collector unexpectedly 2240 doesn't hear from a MA 2242 o add some extra words about the potential impact of Measurement 2243 Tasks 2245 o clarified various aspects of the privacy section 2247 o updated references 2249 o minor tweaks 2251 12.3. From -02 to -03 2253 o alignment with the Information Model [burbridge-lmap-information- 2254 model] as this is agreed as a WG document 2256 o One-off and periodic Measurement Schedules are kept separate, so 2257 that they can be updated independently 2259 o Measurement Suppression in a separate sub-section. Can now 2260 optionally include particular Measurement Tasks &/or Schedules to 2261 suppress, and start/stop time 2263 o for clarity, concept of Channel split into Control, Report and MA- 2264 to-Controller Channels 2266 o numerous editorial changes, mainly arising from a very detailed 2267 review by Charles Cook 2269 o 2271 12.4. From -03 to -04 2273 o updates following the WG Last Call, with the proposed consensus on 2274 the various issues as detailed in http://tools.ietf.org/agenda/89/ 2275 slides/slides-89-lmap-2.pdf. In particular: 2277 o tweaked definitions, especially of Measurement Agent and 2278 Measurement Peer 2280 o Instruction - left to each implementation & deployment of LMAP to 2281 decide on the granularity at which an Instruction Message works 2283 o words added about overlapping Measurement Tasks (measurement 2284 system can handle any way they choose; Report should mention if 2285 the Task overlapped with another) 2287 o Suppression: no defined impact on Passive Measurement Task; extra 2288 option to suppress on-going Active Measurement Tasks; suppression 2289 doesn't go to Measurement Peer, since they don't understand 2290 Instructions 2292 o new concept of Data Transfer Task (and therefore adjustment of the 2293 Channel concept) 2295 o enhancement of Results with Subscriber's service parameters - 2296 could be useful, don't define how but can be included in Report to 2297 various other sections 2299 o various other smaller improvements, arising from the WGLC 2301 o Appendix added with examples of Measurement Agents and Peers in 2302 various deployment scenarios. To help clarify what these terms 2303 mean. 2305 12.5. From -04 to -05 2307 o clarified various scoping comments by using the phrase "scope of 2308 initial LMAP work" (avoiding "scope of LMAP WG" since this may 2309 change in the future) 2311 o added a Configuration Protocol - allows the Controller to update 2312 the MA about information that it obtained during the bootstrapping 2313 process (for consistency with Information Model) 2315 o Removed over-detailed information about the relationship between 2316 the different items in Instruction, as this seems more appropriate 2317 for the information model. Clarified that the lists given are 2318 about the aims and not a list of information elements (these will 2319 be defined in draft-ietf-information-model). 2321 o the Measurement Method, specified as a URI to a registry entry - 2322 rather than a URN 2324 o MA configured with time limit after which, if it hasn't heard from 2325 Controller, then it stops running Measurement Tasks (rather than 2326 this being part of a Schedule) 2328 o clarified there is no distinction between how capabilities, 2329 failure and logging information are transferred (all can be when 2330 requested by Controller or by MA on its own initiative). 2332 o removed mention of Data Transfer Tasks. This abstraction is left 2333 to the information model i-d 2335 o added Deployment sub-section about Measurement Agent embedded in 2336 ISP Network 2338 o various other smaller improvements, arising from the 2nd WGLC 2340 13. Informative References 2342 [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, 2343 "The Role of Network Trace anonymisation Under Attack", 2344 January 2010. 2346 [Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM- 2347 evolved UMTS core network", 2348 http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011. 2350 [TR-069] TR-069, , "CPE WAN Management Protocol", 2351 http://www.broadband-forum.org/technical/trlist.php, 2352 November 2013. 2354 [UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP 2355 Device Control Protocols specifications", 2356 http://upnp.org/sdcps-and-certification/standards/, 2011. 2358 [RFC1035] Mockapetris, P., "Domain names - implementation and 2359 specification", STD 13, RFC 1035, November 1987. 2361 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, 2362 June 2005. 2364 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 2365 Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2366 2005. 2368 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 2369 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 2370 RFC 5357, October 2008. 2372 [I-D.ietf-lmap-use-cases] 2373 Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, 2374 "Large-Scale Broadband Measurement Use Cases", draft-ietf- 2375 lmap-use-cases-03 (work in progress), April 2014. 2377 [I-D.manyfolks-ippm-metric-registry] 2378 Bagnulo, M., Claise, B., Eardley, P., and A. Morton, 2379 "Registry for Performance Metrics", draft-manyfolks-ippm- 2380 metric-registry-00 (work in progress), February 2014. 2382 [I-D.ietf-homenet-arch] 2383 Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, 2384 "IPv6 Home Networking Architecture Principles", draft- 2385 ietf-homenet-arch-13 (work in progress), March 2014. 2387 [RFC6419] Wasserman, M. and P. Seite, "Current Practices for 2388 Multiple-Interface Hosts", RFC 6419, November 2011. 2390 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 2391 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2392 2013. 2394 [I-D.ietf-lmap-information-model] 2395 Burbridge, T., Eardley, P., Bagnulo, M., and J. 2396 Schoenwaelder, "Information Model for Large-Scale 2397 Measurement Platforms (LMAP)", draft-ietf-lmap- 2398 information-model-00 (work in progress), February 2014. 2400 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization 2401 Support", RFC 6235, May 2011. 2403 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 2404 Morris, J., Hansen, M., and R. Smith, "Privacy 2405 Considerations for Internet Protocols", RFC 6973, July 2406 2013. 2408 [I-D.ietf-ippm-lmap-path] 2409 Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and 2410 A. Morton, "A Reference Path and Measurement Points for 2411 LMAP", draft-ietf-ippm-lmap-path-02 (work in progress), 2412 February 2014. 2414 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 2415 Zekauskas, "A One-way Active Measurement Protocol 2416 (OWAMP)", RFC 4656, September 2006. 2418 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 2419 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 2420 RFC 5357, October 2008. 2422 [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between 2423 Information Models and Data Models", RFC 3444, January 2424 2003. 2426 Authors' Addresses 2428 Philip Eardley 2429 BT 2430 Adastral Park, Martlesham Heath 2431 Ipswich 2432 ENGLAND 2434 Email: philip.eardley@bt.com 2436 Al Morton 2437 AT&T Labs 2438 200 Laurel Avenue South 2439 Middletown, NJ 2440 USA 2442 Email: acmorton@att.com 2444 Marcelo Bagnulo 2445 Universidad Carlos III de Madrid 2446 Av. Universidad 30 2447 Leganes, Madrid 28911 2448 SPAIN 2450 Phone: 34 91 6249500 2451 Email: marcelo@it.uc3m.es 2452 URI: http://www.it.uc3m.es 2453 Trevor Burbridge 2454 BT 2455 Adastral Park, Martlesham Heath 2456 Ipswich 2457 ENGLAND 2459 Email: trevor.burbridge@bt.com 2461 Paul Aitken 2462 Cisco Systems, Inc. 2463 96 Commercial Street 2464 Edinburgh, Scotland EH6 6LX 2465 UK 2467 Email: paitken@cisco.com 2469 Aamer Akhter 2470 Cisco Systems, Inc. 2471 7025 Kit Creek Road 2472 RTP, NC 27709 2473 USA 2475 Email: aakhter@cisco.com