idnits 2.17.1 draft-ietf-lmap-framework-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 2 instances of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 13, 2014) is 3604 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 241 -- Looks like a reference, but probably isn't: '180' on line 241 == Outdated reference: A later version (-06) exists of draft-ietf-lmap-use-cases-03 == Outdated reference: A later version (-17) exists of draft-ietf-homenet-arch-16 == Outdated reference: A later version (-18) exists of draft-ietf-lmap-information-model-00 == Outdated reference: A later version (-07) exists of draft-ietf-ippm-lmap-path-03 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Eardley 3 Internet-Draft BT 4 Intended status: Informational A. Morton 5 Expires: December 15, 2014 AT&T Labs 6 M. Bagnulo 7 UC3M 8 T. Burbridge 9 BT 10 P. Aitken 11 A. Akhter 12 Cisco Systems 13 June 13, 2014 15 A framework for large-scale measurement platforms (LMAP) 16 draft-ietf-lmap-framework-06 18 Abstract 20 Measuring broadband service on a large scale requires a description 21 of the logical architecture and standardisation of the key protocols 22 that coordinate interactions between the components. The document 23 presents an overall framework for large-scale measurements. It also 24 defines terminology for LMAP (large-scale measurement platforms). 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on December 15, 2014. 43 Copyright Notice 45 Copyright (c) 2014 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Outline of an LMAP-based measurement system . . . . . . . . . 5 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 11 64 4.1. Measurement system is under the direction of a single 65 organisation . . . . . . . . . . . . . . . . . . . . . . 11 66 4.2. Each MA may only have a single Controller at any point in 67 time . . . . . . . . . . . . . . . . . . . . . . . . . . 11 68 5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 12 69 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 13 70 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 14 71 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 14 72 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 15 73 5.2.3. Capabilities and Failure information . . . . . . . . 18 74 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 20 75 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 20 76 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 21 77 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 22 78 5.4.1. Reporting of Subscriber's service parameters . . . . 23 79 5.5. Operation of LMAP over the underlying packet transfer 80 mechanism . . . . . . . . . . . . . . . . . . . . . . . . 23 81 5.6. Items beyond the scope of the initial LMAP work . . . . . 24 82 5.6.1. End-user-controlled measurement system . . . . . . . 25 83 6. Deployment considerations . . . . . . . . . . . . . . . . . . 26 84 6.1. Controller and the measurement system . . . . . . . . . . 26 85 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 27 86 6.2.1. Measurement Agent on a networked device . . . . . . . 27 87 6.2.2. Measurement Agent embedded in site gateway . . . . . 27 88 6.2.3. Measurement Agent embedded behind site NAT /Firewall 28 89 6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 28 90 6.2.5. Measurement Agent embedded in ISP Network . . . . . . 29 91 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 29 92 7. Security considerations . . . . . . . . . . . . . . . . . . . 29 93 8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 31 94 8.1. Categories of Entities with Information of Interest . . . 32 95 8.2. Examples of Sensitive Information . . . . . . . . . . . . 33 96 8.3. Different privacy issues raised by different sorts of 97 Measurement Methods . . . . . . . . . . . . . . . . . . . 34 98 8.4. Privacy analysis of the Communications Models . . . . . . 34 99 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 35 100 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 35 101 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 36 102 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 36 103 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 37 104 8.4.6. Storage and Reporting of Measurement Results . . . . 38 105 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 38 106 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 39 107 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 39 108 8.5.3. Correlation and Identification . . . . . . . . . . . 40 109 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 40 110 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 40 111 8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 41 112 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 41 113 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 42 114 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 43 115 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43 116 10. Appendix: Deployment examples . . . . . . . . . . . . . . . . 44 117 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 47 118 12. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 119 12.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 48 120 12.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 48 121 12.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 49 122 12.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 50 123 12.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 50 124 12.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 51 125 13. Informative References . . . . . . . . . . . . . . . . . . . 51 126 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53 128 1. Introduction 130 There is a desire to be able to coordinate the execution of broadband 131 measurements and the collection of measurement results across a large 132 scale set of diverse devices. These devices could be software based 133 agents on PCs, embedded agents in consumer devices (e.g. blu-ray 134 players), service provider controlled devices such as set-top players 135 and home gateways, or simply dedicated probes. It is expected that 136 such a system could easily comprise 100,000 devices. Measurement 137 devices may also be embedded on a device that is part of an ISP's 138 network, such as a DSLAM, router, Carrier Grade NAT or ISP Gateway. 139 Such a scale presents unique problems in coordination, execution and 140 measurement result collection. Several use cases have been proposed 141 for large-scale measurements including: 143 o Operators: to help plan their network and identify faults 144 o Regulators: to benchmark several network operators and support 145 public policy development 147 Further details of the use cases can be found in 148 [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for 149 these, as well as other use cases, such as to help end users run 150 diagnostic checks like a network speed test. 152 The LMAP Framework has three basic elements: Measurement Agents, 153 Controllers and Collectors. 155 Measurement Agents (MAs) initiate the actual measurements, which are 156 called Measurement Tasks in the LMAP terminology. In principle, 157 there are no restrictions on the type of device in which the MA 158 function resides. 160 The Controller instructs one or more MAs and communicates the set of 161 Measurement Tasks an MA should perform and when. For example it may 162 instruct a MA at a home gateway: "Measure the 'UDP latency' with 163 www.example.org; repeat every hour at xx.05". The Controller also 164 manages a MA by instructing it how to report the Measurement Results, 165 for example: "Report results once a day in a batch at 4am". We refer 166 to these as the Measurement Schedule and Report Schedule. 168 The Collector accepts Reports from the MAs with the Results from 169 their Measurement Tasks. Therefore the MA is a device that gets 170 Instructions from the Controller, initiates the Measurement Tasks, 171 and reports to the Collector. The communications between these three 172 LMAP functions are structured according to a Control Protocol and a 173 Report Protocol. 175 The desirable features for a large-scale measurement systems we are 176 designing for are: 178 o Standardised - in terms of the Measurement Tasks that they 179 perform, the components, the data models and protocols for 180 transferring information between the components. Amongst other 181 things, standardisation enables meaningful comparisons of 182 measurements made of the same metric at different times and 183 places, and provides the operator of a measurement system with a 184 criteria for evaluation of the different solutions that can be 185 used for various purposes including buying decisions (such as 186 buying the various components from different vendors). Today's 187 systems are proprietary in some or all of these aspects. 189 o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement 190 Agents in every home gateway and edge device such as set-top-boxes 191 and tablet computers, and located throughout the Internet as well 193 [I-D.ietf-ippm-lmap-path]. It is expected that a measurement 194 system could easily encompass a few hundred thousand or even 195 millions of Measurement Agents. Existing systems have up to a few 196 thousand MAs (without judging how much further they could scale). 198 o Diversity - a measurement system should handle different types of 199 Measurement Agents - for example Measurement Agents may come from 200 different vendors, be in wired and wireless networks, be able to 201 execute different sorts of Measurement Task and be on devices with 202 IPv4 or IPv6 addresses. 204 2. Outline of an LMAP-based measurement system 206 Figure 1 shows the main components of a measurement system, and the 207 interactions of those components. Some of the components are outside 208 the scope of initial LMAP work. In this section we provide an 209 overview of the whole measurement system and we introduce the main 210 terms needed for the LMAP framework. The new terms are capitalised. 211 In the next section we provide a terminology section with a 212 compilation of all the LMAP terms and their definition. Section 4 213 onwards considers the LMAP components in more detail. 215 Other LMAP specifications will define an information model, the 216 associated data models, and select/extend one or more protocols for 217 the secure communication: firstly, a Control Protocol, from a 218 Controller to instruct Measurement Agents what performance metrics to 219 measure, when to measure them, how/when to report the measurement 220 results to a Collector; secondly, a Report Protocol, for a 221 Measurement Agent to report the results to the Collector. 223 The MA performs Measurement Tasks. The MAs are pieces of code that 224 can be executed in specialised hardware (hardware probe) or on a 225 general-purpose device (like a PC or mobile phone). The MA may 226 generate Measurement Traffic and measure some metric associated with 227 its transfer, or the MA may observe existing traffic, or there may be 228 some kind of hybrid of these two possibilities. A device with a 229 Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL, 230 fibre; and non-physical interfaces such as PPPoE or IPsec) and the 231 Measurement Tasks may specify any one of these. 233 The Controller manages a MA through use of the Control Protocol, 234 which transfer the Instruction to the MA. This describes the 235 Measurement Tasks the MA should perform and when. For example the 236 Controller may instruct a MA at a home gateway: "Count the number of 237 TCP SYN packets observed in a 1 minute interval; repeat every hour at 238 xx.05 + Unif[0,180] seconds". The Measurement Schedule determines 239 when the Measurement Tasks are executed. The Controller also manages 240 a MA by instructing it how to report the Measurement Results, for 241 example: "Report results once a day in a batch at 4am + Unif[0,180] 242 seconds; if the end user is active then delay the report 5 minutes". 243 The Report Schedule determines when the Reports are uploaded to the 244 Collector. The Measurement Schedule and Report Schedule can define 245 one-off (non-recurring) actions ("Do measurement now", "Report as 246 soon as possible"), as well as recurring ones. 248 The Collector accepts a Report from a MA with the Measurement Results 249 from its Measurement Tasks. It then provides the Results to a 250 repository (see below). 252 A Measurement Method defines how to measure a Metric of interest. It 253 is very useful to standardise Measurement Methods, so that it is 254 meaningful to compare measurements of the same Metric made at 255 different times and places. It is also useful to define a registry 256 for commonly-used Metrics [I-D.manyfolks-ippm-metric-registry] so 257 that a Metric with its associated Measurement Method can be referred 258 to simply by its identifier in the registry. The Measurement Methods 259 and registry will hopefully be referenced by other standards 260 organisations. 262 Broadly speaking there are two types of Measurement Method. It may 263 involve a single MA simply observing existing traffic - for example, 264 the Measurement Agent could count bytes or calculate the average loss 265 for a particular flow. On the other hand, a Measurement Method may 266 involve multiple network entities, which perform different roles. 267 For example, a "ping" Measurement Method, to measure the round trip 268 delay , would consist of an MA sending an ICMP ECHO request to a 269 responder in the Internet. In LMAP terms, the responder is termed a 270 Measurement Peer (MP), meaning that it helps the MA but is not 271 managed by the Controller. Other Measurement Methods involve a 272 second MA, with the Controller instructing the MAs in a coordinated 273 manner. Traffic generated specifically as part of the Measurement 274 Method is termed Measurement Traffic; in the ping example, it is the 275 ICMP ECHO Requests and Replies. The protocols used for the 276 Measurement Traffic are out of the scope of initial LMAP work, and 277 fall within the scope of other IETF WGs such as IPPM. The 278 Appendix has some other examples of possible arrangements of 279 Measurement Agents and Peers. 281 A Measurement Task is the action performed by a particular MA at a 282 particular time, as the specific instance of its role in a 283 Measurement Method. LMAP is mainly concerned with Measurement Tasks, 284 for instance in terms of its Information Model and Protocols. 286 For Measurement Results to be truly comparable, as might be required 287 by a regulator, not only do the same Measurement Methods need to be 288 used to assess Metrics, but also the set of Measurement Tasks should 289 follow a similar Measurement Schedule and be of similar number. The 290 details of such a characterisation plan are beyond the scope of work 291 in IETF although certainly facilitated by IETF's work. 293 Messages are transferred over a secure Channel. A Control Channel is 294 between the Controller and a MA; the Control Protocol delivers 295 Instruction Messages to the MA and Capabilities, Failure and Logging 296 Information in the reverse direction. A Report Channel is between a 297 MA and Collector, and the Report Protocol delivers Reports to the 298 Collector. 300 Finally we introduce several components that are outside the scope of 301 initial LMAP work and will be provided through existing protocols or 302 applications. They affect how the measurement system uses the 303 Measurement Results and how it decides what set of Measurement Tasks 304 to perform. 306 The MA needs to be bootstrapped with initial details about its 307 Controller, including authentication credentials. The LMAP work 308 considers the bootstrap process, since it affects the Information 309 Model. However, LMAP does not define a bootstrap protocol, since it 310 is likely to be technology specific and could be defined by the 311 Broadband Forum, CableLabs or IEEE depending on the device. Possible 312 protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management 313 Protocol (CWMP) from the Auto Configuration Server (ACS) (as 314 specified in TR-069 [TR-069]). 316 A Subscriber parameter database contains information about the line, 317 such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), 318 the line technology (DSL or fibre), the time zone where the MA is 319 located, and the type of home gateway and MA. These parameters are 320 already gathered and stored by existing operations systems. They may 321 affect the choice of what Measurement Tasks to run and how to 322 interpret the Measurement Results. For example, a download test 323 suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s 324 line. 326 A results repository records all Measurement Results in an equivalent 327 form, for example an SQL database, so that they can easily be 328 accessed by the data analysis tools. 330 The data analysis tools receive the results from the Collector or via 331 the Results repository. They might visualise the data or identify 332 which component or link is likely to be the cause of a fault or 333 degradation. This information could help the Controller decide what 334 follow-up Measurement Task to perform in order to diagnose a fault. 335 The data analysis tools also need to understand the Subscriber's 336 service information, for example the broadband contract. 338 ^ 339 | 340 +-------------+ IPPM 341 +---------------+ Measurement | Measurement | Scope 342 | Measurement |<------------>| Peer | | 343 | Agent | Traffic +-------------+ v 344 +------->| | ^ 345 | +---------------+ | 346 | ^ | | 347 | Instruction | | Report | 348 | | +-----------------+ | 349 | | | | 350 | | v LMAP 351 | +------------+ +------------+ Scope 352 | | Controller | | Collector | | 353 | +------------+ +------------+ v 354 | ^ ^ | ^ 355 | | | | | 356 | | +----------+ | | 357 | | | v | 358 +------------+ +----------+ +--------+ +----------+ | 359 |Bootstrapper| |Subscriber|--->| data |<---|repository| Out 360 +------------+ |parameter | |analysis| +----------+ of 361 |database | | tools | Scope 362 +----------+ +--------+ | 363 | 364 v 366 Figure 1: Schematic of main elements of an LMAP-based 367 measurement system 368 (showing the elements in and out of the scope of initial LMAP work) 370 3. Terminology 372 This section defines terminology for LMAP. Please note that defined 373 terms are capitalized. 375 Bootstrap: A process that integrates a Measurement Agent into a 376 measurement system. 378 Capabilities: Information about the performance measurement 379 capabilities of the MA, in particular the Measurement Method roles 380 and measurement protocol roles that it can perform, and the device 381 hosting the MA, for example its interface type and speed, but not 382 dynamic information. 384 Channel: A bi-directional logical connection that is defined by a 385 specific Controller and MA, or Collector and MA, plus associated 386 security. 388 Collector: A function that receives a Report from a Measurement 389 Agent. 391 Controller: A function that provides a Measurement Agent with its 392 Instruction. 394 Control Channel: a Channel between a Controller and a MA over which 395 Instruction Messages and Capabilities, Failure and Logging 396 Information are sent. 398 Control Protocol: The protocol delivering Instruction(s) from a 399 Controller to a Measurement Agent. It also delivers Capabilities, 400 Failure and Logging Information from the Measurement Agent to the 401 Controller. 403 Cycle-ID: A tag that is sent by the Controller in an Instruction and 404 echoed by the MA in its Report. The same Cycle-ID is used by several 405 MAs that use the same Measurement Method for a Metric with the same 406 Input Parameters. Hence the Cycle-ID allows the Collector to easily 407 identify Measurement Results that should be comparable. 409 Data Model: The implementation of an Information Model in a 410 particular data modelling language [RFC3444]. 412 Environmental Constraint: A parameter that is measured as part of the 413 Measurement Task, its value determining whether the rest of the 414 Measurement Task proceeds. 416 Failure Information: Information about the MA's failure to action or 417 execute an Instruction, whether concerning Measurement Tasks or 418 Reporting. 420 Group-ID: An identifier of a group of MAs. 422 Information Model: The protocol-neutral definition of the semantics 423 of the Instructions, the Report, the status of the different elements 424 of the measurement system as well of the events in the system 425 [RFC3444]. 427 Input Parameter: A parameter whose value is left open by the Metric 428 and its Measurement Method and is set to a specific value in a 429 Measurement Task. Altering the value of an Input Parameter does not 430 change the fundamental nature of the Measurement Task. 432 Instruction: The description of Measurement Tasks for a MA to perform 433 and the details of the Report for it to send. It is the collective 434 description of the Measurement Task configurations, the configuration 435 of the Measurement Schedules, the configuration of the Report 436 Channel(s), the configuration of Report Schedule(s), and the details 437 of any suppression. 439 Instruction Message: The message that carries an Instruction from a 440 Controller to a Measurement Agent. 442 Logging Information: Information about the operation of the 443 Measurement Agent and which may be useful for debugging. 445 Measurement Agent (MA): The function that receives Instruction 446 Messages from a Controller and operates the Instruction by executing 447 Measurement Tasks (using protocols outside the initial LMAP work 448 scope and perhaps in concert with one or more other Measurement 449 Agents or Measurement Peers) and (if part of the Instruction) by 450 reporting Measurement Results to a Collector or Collectors. 452 Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that 453 identifies a particular MA and is configured as part of the 454 Bootstrapping process. 456 Measurement Method: The process for assessing the value of a Metric; 457 the process of measuring some performance or reliability parameter 458 associated with the transfer of traffic; where this process involves 459 multiple MAs or MPs, each may perform different roles. 461 Measurement Peer (MP): The function that assists a Measurement Agent 462 with Measurement Tasks and does not have an interface to the 463 Controller or Collector. 465 Measurement Result: The output of a single Measurement Task (the 466 value obtained for the parameter of interest or Metric). 468 Measurement Schedule: The schedule for performing Measurement Tasks. 470 Measurement Task: The action performed by a particular Measurement 471 Agent that consists of the single assessment of a Metric through 472 operation of a Measurement Method role at a particular time, with all 473 of the role's Input Parameters set to specific values. 475 Measurement Traffic: the packet(s) generated by some types of 476 Measurement Method that involve measuring some parameter associated 477 with the transfer of the packet(s). 479 Metric: The quantity related to the performance and reliability of 480 the network that we'd like to know the value of, and that is 481 carefully specified. 483 Report: The set of Measurement Results and other associated 484 information (as defined by the Instruction). The Report is sent by a 485 Measurement Agent to a Collector. 487 Report Channel: a communications channel between a MA and a 488 Collector, which is defined by a specific MA, Collector, Report 489 Schedule and associated security, and over which Reports are sent. 491 Report Protocol: The protocol delivering Report(s) from a Measurement 492 Agent to a Collector. 494 Report Schedule: the schedule for sending Reports to a Collector. 496 Subscriber: An entity (associated with one or more users) that is 497 engaged in a subscription with a service provider. 499 Suppression: the temporary cessation of Measurement Tasks. 501 4. Constraints 503 The LMAP framework makes some important assumptions, which constrain 504 the scope of the initial LMAP work. 506 4.1. Measurement system is under the direction of a single organisation 508 In the LMAP framework, the measurement system is under the direction 509 of a single organisation that is responsible for any impact that its 510 measurements have on a user's quality of experience and privacy. 511 Clear responsibility is critical given that a misbehaving large-scale 512 measurement system could potentially harm user experience, user 513 privacy and network security. 515 However, the components of an LMAP measurement system can be deployed 516 in administrative domains that are not owned by the measuring 517 organisation. Thus, the system of functions deployed by a single 518 organisation constitutes a single LMAP domain which may span 519 ownership or other administrative boundaries. 521 4.2. Each MA may only have a single Controller at any point in time 523 A MA is instructed by one Controller and is in one measurement 524 system. The constraint avoids different Controllers giving a MA 525 conflicting instructions and so means that the MA does not have to 526 manage contention between multiple Measurement (or Report) Schedules. 528 This simplifies the design of MAs (critical for a large-scale 529 infrastructure) and allows a Measurement Schedule to be tested on 530 specific types of MA before deployment to ensure that the end user 531 experience is not impacted (due to CPU, memory or broadband-product 532 constraints). 534 An operator may have several Controllers, perhaps with a Controller 535 for different types of MA (home gateways, tablets) or location 536 (Ipswich, Edinburgh). 538 5. LMAP Protocol Model 540 A protocol model [RFC4101] presents an architectural model for how 541 the protocol operates and needs to answer three basic questions: 543 1. What problem is the protocol trying to achieve? 545 2. What messages are being transmitted and what do they mean? 547 3. What are the important, but unobvious, features of the protocol? 549 An LMAP system goes through the following phases: 551 o a bootstrapping process before the MA can take part in the other 552 three phases 554 o a Control Protocol, which delivers Instruction Messages from a 555 Controller to a MA, detailing what Measurement Tasks the MA should 556 perform and when, and how it should report the Measurement 557 Results. It also delivers Capabilities, Failure and logging 558 Information from a MA to its Controller. Finally, it allows the 559 Controller to update the MA's configuration. 561 o the actual Measurement Tasks, which measure some performance or 562 reliability parameter(s) associated with the transfer of packets. 563 The LMAP work does not define Metrics and Measurement Methods, 564 these are define elsewhere (e.g. IPPM). 566 o a Report Protocol, which delivers Reports from a MA to a 567 Collector. The Report contains the Measurement Results. 569 The diagrams show the various LMAP messages and uses the following 570 convention: 572 o (optional): indicated by round brackets 574 o [potentially repeated]: indicated by square brackets 575 The protocol model is closely related to the Information Model 576 [I-D.ietf-lmap-information-model], which is the abstract definition 577 of the information carried by the protocol model. The purpose of 578 both is to provide a protocol and device independent view, which can 579 be implemented via specific protocols. LMAP defines a specific 580 Control Protocol and Report Protocol, but others could be defined by 581 other standards bodies or be proprietary. However it is important 582 that they all implement the same Information Model and protocol 583 model, in order to ease the definition, operation and 584 interoperability of large-scale measurement systems. 586 5.1. Bootstrapping process 588 The primary purpose of bootstrapping is to enable a MA to be 589 integrated into a measurement system. The MA retrieves information 590 about itself (like its identity in the measurement system) and about 591 the Controller, the Controller learns information about the MA, and 592 they learn about security information to communicate (such as 593 certificates and credentials). 595 Whilst this memo considers the bootstrapping process, it is beyond 596 the scope of initial LMAP work to define a bootstrap mechanism, as it 597 depends on the type of device and access. 599 As a result of the bootstrapping process the MA learns information 600 with the following aims ([I-D.ietf-lmap-information-model] defines 601 the consequent list of information elements): 603 o its identifier, either its MA-ID or a device identifier such as 604 its MAC 606 o (optionally) a Group-ID. A Group-ID would be shared by several 607 MAs and could be useful for privacy reasons. For instance, 608 reporting the Group-ID and not the MA-ID could hinder tracking of 609 a mobile device 611 o the Control Channel, which is defined by: 613 * the address which identifies the Control Channel, such as the 614 Controller's FQDN (Fully Qualified Domain Name) [RFC1035]) 616 * security information (for example to enable the MA to decrypt 617 the Instruction Message and encrypt messages sent to the 618 Controller) 620 The details of the bootstrapping process are device /access specific. 621 For example, the information could be in the firmware, manually 622 configured or transferred via a protocol like TR-069 [TR-069]. There 623 may be a multi-stage process where the MA contacts the device at a 624 'hard-coded' address, which replies with the bootstrapping 625 information. 627 The MA must learn its MA-ID before getting an Instruction, either 628 during Bootstrapping or via configuration (Section 5.2.1). 630 5.2. Control Protocol 632 The primary purpose of the Control Protocol is to allow the 633 Controller to configure a Measurement Agent with an Instruction about 634 what Measurement Tasks to do, when to do them, and how to report the 635 Measurement Results (Section 5.2.2). The Measurement Agent then acts 636 on the Instruction autonomously. The Control Protocol also enables 637 the MA to inform the Controller about its Capabilities and any 638 Failure and logging Information (Section 5.2.2). Finally, the 639 Control Protocol allows the Controller to update the MA's 640 configuration. 642 5.2.1. Configuration 644 Configuration allows the Controller to update the MA about some or 645 all of the information that it obtained during the bootstrapping 646 process: the MA-ID, the (optional) Group-ID and the Control Channel. 647 The measurement system might use Configuration for several reasons. 648 For example, the bootstrapping process could 'hard code' the MA with 649 details of an initial Controller, and then the initial Controller 650 could configure the MA with details about the Controller that sends 651 Instruction Messages. (Note that a MA only has one Control Channel, 652 and so is associated with only one Controller, at any moment.) 654 Note that an implementation may choose to combine Configuration 655 information and an Instruction Message into a single message. 657 +-----------------+ +-------------+ 658 | | | Measurement | 659 | Controller |======================================| Agent | 660 +-----------------+ +-------------+ 662 Configuration information: -> 663 (MA-ID), 664 (Group-ID), 665 (Control Channel) 666 <- Response(details) 668 5.2.2. Instruction 670 The Instruction is the description of the Measurement Tasks for a 671 Measurement Agent to do and the details of the Measurement Reports 672 for it to send. In order to update the Instruction the Controller 673 uses the Control Protocol to send an Instruction Message over the 674 Control Channel. 676 +-----------------+ +-------------+ 677 | | | Measurement | 678 | Controller |======================================| Agent | 679 +-----------------+ +-------------+ 681 Instruction: -> 682 [(Measurement Task configuration( 683 [Input Parameter], 684 (interface), 685 (Cycle-ID))), 686 (Report Channel), 687 (Measurement Schedule), 688 (Report Schedule), 689 (Suppression information)] 690 <- Response(details) 692 The Instruction defines information with the following aims 693 ([I-D.ietf-lmap-information-model] defines the consequent list of 694 information elements): 696 o the Measurement Task configurations, each of which needs: 698 * the Metric, specified as a URI to a registry entry; it includes 699 the specification of a Measurement Method. The registry could 700 be defined by the IETF [I-D.manyfolks-ippm-metric-registry], 701 locally by the operator of the measurement system or perhaps by 702 another standards organisation. 704 * the Measurement Method role. For some Measurement Methods, 705 different parties play different roles; for example (figure A3 706 in the Appendix) an iperf sender and receiver. Each Metric and 707 its associated Measurement Method will describe all measurement 708 roles involved in the process. Thus, the Measurement Method 709 role is an Input Parameter. 711 * a boolean flag (supppress or do-not-suppress) indicating how 712 such a Measurement Task is impacted by a Suppression message 713 (see Section 5.2.2.1). Thus, the flag is an Input Parameter. 715 * any Input Parameters that need to be set for the Metric and the 716 Measurement Method, such as the address of a Measurement Peer 717 (or other Measurement Agent) that may be involved in a 718 Measurement Task, and for the measurement protocol used, such 719 as protocol role(s). 721 * if the device with the MA has multiple interfaces, then the 722 interface to use (if not defined, then the default interface is 723 used) 725 o configuration of the Measurement Schedules, each of which needs: 727 * the timing of when the Measurement Tasks are to be performed. 728 Possible types of timing are periodic, calendar-based periodic, 729 one-off immediate and one-off at a future time 731 o configuration of the Report Channels, each of which needs: 733 * the address of the Collector, for instance its URL 735 * security for this Report Channel, for example the X.509 736 certificate 738 o configuration of the Report Schedules, each of which needs: 740 * the timing of when reporting is to be performed. For instance, 741 every hour or immediately. 743 o Suppression information, if any (see Section 5.2.1.1) 745 A single Instruction Message may contain some or all of the above 746 parts. The finest level of granularity possible in an Instruction 747 Message is determined by the implementation and operation of the 748 Control Protocol. For example, a single Instruction Message may add 749 or update an individual Measurement Schedule - or it may only update 750 the complete set of Measurement Schedules; a single Instruction 751 Message may update both Measurement Schedules and Measurement Task 752 configurations - or only one at a time; and so on. 754 The MA informs the Controller that it has successfully understood the 755 Instruction Message, or that it cannot action the Instruction - for 756 example, if it doesn't include a parameter that is mandatory for the 757 requested Metric and Measurement Method, or it is missing details of 758 the target Collector. 760 The Instruction Message instructs the MA; the Control Protocol does 761 not allow the MA to negotiate, as this would add complexity to the 762 MA, Controller and Control Protocol for little benefit. 764 5.2.2.1. Suppression 766 The Instruction may include Suppression information. The purpose of 767 Suppression is to enable the Controller to instruct the MA not to 768 perform Measurement Tasks. It is used if the measurement system 769 wants to eliminate inessential traffic, because there is some 770 unexpected network issue for example. 772 The Suppression information may include any of the following optional 773 fields: 775 o a set of Measurement Tasks to suppress; the others are not 776 suppressed. For example, this could be useful if a particular 777 Measurement Task is overloading a Measurement Peer. 779 o a set of Measurement Schedules to suppress; the others are not 780 suppressed. For example, suppose the measurement system has 781 defined two Schedules, one with the most critical Measurement 782 Tasks and the other with less critical ones that create a lot of 783 Active Measurement Traffic, then it may only want to suppress the 784 second. 786 o if the Suppression information includes neither a set of 787 Measurement Tasks nor a set of Measurement Schedules, then the MA 788 does not begin new Measurement Tasks that have the boolean flag 789 set to "suppress"; however, the MA does begin new Measurement 790 Tasks that have the flag set to "do-not-suppress". 792 o a start time, at which suppression begins. If absent, then 793 Suppression begins immediately. 795 o an end time, at which suppression ends. If absent, then 796 Suppression continues until the MA receives an un-Suppress 797 message. 799 o a demand that the MA ends its on-going Active Measurement Task(s) 800 immediately (and deletes the associated partial Measurement 801 Result(s)). If absent, the MA completes on-going Measurement 802 Tasks. 804 So the default action (if none of the optional fields is set) is that 805 the MA does not begin any new Measurement Task with the "suppress" 806 flag. 808 An un-Suppress message instructs the MA no longer to suppress, 809 meaning that the MA once again begins new Measurement Tasks, 810 according to its Measurement Schedule. 812 Note that Suppression is not intended to permanently stop a 813 Measurement Task (instead, the Controller should send a new 814 Measurement Schedule), nor to permanently disable a MA (instead, some 815 kind of management action is suggested). 817 +-----------------+ +-------------+ 818 | | | Measurement | 819 | Controller |===================================| Agent | 820 +-----------------+ +-------------+ 822 Suppress: 823 [(Measurement Task), -> 824 (Measurement Schedule), 825 start time, 826 end time, 827 on-going suppressed?] 829 Un-suppress -> 831 5.2.3. Capabilities and Failure information 833 The Control Protocol also enables the MA to inform the Controller 834 about various information, such as its Capabilities and any Failures. 835 It is also possible to use a device-specific mechanism which is 836 beyond the scope of the initial LMAP work. 838 Capabilities are information about the MA that the Controller needs 839 to know in order to correctly instruct the MA, such as: 841 o the Measurement Method (roles) that the MA supports 843 o the measurement protocol types and roles that the MA supports 845 o the interfaces that the MA has 847 o the version of the MA 849 o the version of the hardware, firmware or software of the device 850 with the MA 852 o but not dynamic information like the currently unused CPU, memory 853 or battery life of the device with the MA. 855 Failure information concerns why the MA has been unable to execute a 856 Measurement Task or deliver a Report, for example: 858 o the Measurement Task failed to run properly because the MA 859 (unexpectedly) has no spare CPU cycles 861 o the MA failed record the Measurement Results because it 862 (unexpectedly) is out of spare memory 864 o a Report failed to deliver Measurement Results because the 865 Collector (unexpectedly) is not responding 867 o but not if a Measurement Task correctly doesn't start. For 868 example, the first step of some Measurement Methods is for the MA 869 to check there is no cross-traffic. 871 Logging information concerns how the MA is operating and may help 872 debugging, for example: 874 o the last time the MA ran a Measurement Task 876 o the last time the MA sent a Measurement Report 878 o the last time the MA received an Instruction Message 880 o whether the MA is currently Suppressing Measurement Tasks 882 Capabilities, failure and logging information are sent by the MA, 883 either in response to a request from the Controller (for example, if 884 the Controller forgets what the MA can do or otherwise wants to 885 resynchronize what it knows about the MA), or on its own initiative 886 (for example when the MA first communicates with a Controller or if 887 it becomes capable of a new Measurement Method). Another example of 888 the latter case is if the device with the MA re-boots, then the MA 889 should notify its Controller in case its Instruction needs to be 890 updated; to avoid a "mass calling event" after a widespread power 891 restoration affecting many MAs, it is sensible for an MA to pause for 892 a random delay, perhaps in the range of one minute or so. 894 +-----------------+ +-------------+ 895 | | | Measurement | 896 | Controller |===================================| Agent | 897 +-----------------+ +-------------+ 899 (Instruction: 900 [(Request Capabilities), 901 (Request Failure Information), 902 (Request Logging Information)]) -> 903 <- (Capabilities), 904 (Failure Information), 905 (Logging Information) 907 5.3. Operation of Measurement Tasks 909 This LMAP framework is neutral to what the actual Measurement Task 910 is. It does not define Metrics and Measurement Methods, these are 911 defined elsewhere (e.g. IPPM). 913 The MA carries out the Measurement Tasks as instructed, unless it 914 gets an updated Instruction. The MA acts autonomously, in terms of 915 operation of the Measurement Tasks and reporting of the Results; it 916 doesn't do a 'safety check' with the Controller to ask whether it 917 should still continue with the requested Measurement Tasks. 919 5.3.1. Starting and Stopping Measurement Tasks 921 This LMAP framework does not define a generic start and stop process, 922 since the correct approach depends on the particular Measurement 923 Task; the details are defined as part of each Measurement Method. 924 This section provides some general hints. The MA does not inform the 925 Controller about Measurement Tasks starting and stopping. 927 Before sending Measurement Traffic the MA may run a pre-check. (The 928 pre-check could be defined as a separate, preceding Task or as the 929 first part of a larger Task.) Action could include: 931 o the MA checking that there is no cross-traffic. In other words, a 932 check that the end-user isn't already sending traffic; 934 o the MA checking with the Measurement Peer (or other Measurement 935 Agent involved in the Measurement Task) that it can handle a new 936 Measurement Task (in case, for example, the Measurement Peer is 937 already handling many Measurement Tasks with other MAs); 939 o sending traffic that probes the path to check it isn't overloaded; 940 o checking that the device with the MA has enough resources to 941 execute the Measurement Task reliably. Note that the designer of 942 the measurement system should ensure that the device's 943 capabilities are normally sufficient to comfortably operate the 944 Measurement Tasks. 946 It is possible that similar checks continue during the Measurement 947 Task, especially one that is long-running and/or creates a lot of 948 Measurement Traffic, and might lead to it being abandoned whilst in- 949 progress. A Measurement Task could also be abandoned in response to 950 a "suppress" message (see Section 5.2.1). Action could include: 952 o For 'upload' tests, the MA not sending traffic 954 o For 'download' tests, the MA closing the TCP connection or sending 955 a TWAMP Stop control message [RFC5357]. 957 The Controller may want a MA to run the same Measurement Task 958 indefinitely (for example, "run the 'upload speed' Measurement Task 959 once an hour until further notice"). To avoid the MA generating 960 traffic forever after a Controller has permanently failed (or 961 communications with the Controller have failed), the MA can be 962 configured with a time limit; if the MA doesn't hear from the 963 Controller for this length of time, then it stops operating 964 Measurement Tasks. 966 5.3.2. Overlapping Measurement Tasks 968 It is possible that a MA starts a new Measurement Task before another 969 Measurement Task has completed. This may be intentional (the way 970 that the measurement system has designed the Measurement Schedules), 971 but it could also be unintentional - for instance, if a Measurement 972 Task has a 'wait for X' step which pauses for an unexpectedly long 973 time. The operator of the measurement system can handle (or not) 974 overlapping Measurement Tasks in any way they choose - it is a policy 975 or implementation issue and not the concern of LMAP. Some possible 976 approaches are: to configure the MA not to begin the second 977 Measurement Task; to start the second Measurement Task as usual; for 978 the action to be an Input Parameter of the Measurement Task; and so 979 on. 981 It may be important to include in the Measurement Report the fact 982 that the Measurement Task overlapped with another. 984 5.4. Report Protocol 986 The primary purpose of the Report Protocol is to allow a Measurement 987 Agent to report its Measurement Results to a Collector, along with 988 the context in which they were obtained. 990 +-----------------+ +-------------+ 991 | | | Measurement | 992 | Collector |===================================| Agent | 993 +-----------------+ +-------------+ 995 <- Report: 996 [MA-ID &/or Group-ID], 997 [Measurement Result], 998 [details of Measurement Task] 999 ACK -> 1001 The Report contains: 1003 o the MA-ID or a Group-ID (to anonymise results) 1005 o the actual Measurement Results, including the time they were 1006 measured 1008 o the details of the Measurement Task (to avoid the Collector having 1009 to ask the Controller for this information later) 1011 o perhaps the Subscriber's service parameters (see Section 5.4.1). 1013 The MA sends Reports as defined by the Instruction. It is possible 1014 that the Instruction tells the MA to report the same Results to more 1015 than one Collector, or to report a different subset of Results to 1016 different Collectors. It is also possible that a Measurement Task 1017 may create two (or more) Measurement Results, which could be reported 1018 differently (for example, one Result could be reported periodically, 1019 whilst the second Result could be an alarm that is created as soon as 1020 the measured value of the Metric crosses a threshold and that is 1021 reported immediately). 1023 Optionally, a Report is not sent when there are no Measurement 1024 Results. 1026 In the initial LMAP Information Model and Report Protocol, for 1027 simplicity we assume that all Measurement Results are reported as-is, 1028 but allow extensibility so that a measurement system (or perhaps a 1029 second phase of LMAP) could allow a MA to: 1031 o label, or perhaps not include, Measurement Results impacted by, 1032 for instance, cross-traffic or the Measurement Peer (or other 1033 Measurement Agent) being busy 1035 o label Measurement Results obtained by a Measurement Task that 1036 overlapped with another 1038 o not report the Measurement Results if the MA believes that they 1039 are invalid 1041 o detail when Suppression started and ended 1043 5.4.1. Reporting of Subscriber's service parameters 1045 The Subscriber's service parameters are information about his/her 1046 broadband contract, line rate and so on. Such information is likely 1047 to be needed to help analyse the Measurement Results, for example to 1048 help decide whether the measured download speed is reasonable. 1050 The information could be transferred directly from the Subscriber 1051 parameter database to the data analysis tools. It may also be 1052 possible to transfer the information via the MA. How (and if) the MA 1053 knows such information is likely to depend on the device type. The 1054 MA could either include the information in a Measurement Report or 1055 separately. 1057 5.5. Operation of LMAP over the underlying packet transfer mechanism 1059 The above sections have described LMAP's protocol model. Other 1060 specifications will define the actual Control and Report Protocols, 1061 possibly operating over an existing protocol, to be selected, for 1062 example REST-style HTTP(S). It is also possible that a different 1063 choice is made for the Control and Report Protocols, for example 1064 NETCONF-YANG and IPFIX respectively. 1066 From an LMAP perspective, the Controller needs to know that the MA 1067 has received the Instruction Message, or at least that it needs to be 1068 re-sent as it may have failed to be delivered. Similarly the MA 1069 needs to know about the delivery of Capabilities and Failure 1070 information to the Controller and Reports to the Collector. How this 1071 is done depends on the design of the Control and Report Protocols and 1072 the underlying packet transfer mechanism. 1074 For the Control Protocol, the underlying packet transfer mechanism 1075 could be: 1077 o a 'push' protocol (that is, from the Controller to the MA) 1078 o a multicast protocol (from the Controller to a group of MAs) 1080 o a 'pull' protocol. The MA periodically checks with Controller if 1081 the Instruction has changed and pulls a new Instruction if 1082 necessary. A pull protocol seems attractive for a MA behind a NAT 1083 (as is typical for a MA on an end-user's device), so that it can 1084 initiate the communications. A pull mechanism is likely to 1085 require the MA to be configured with how frequently it should 1086 check in with the Controller, and perhaps what it should do if the 1087 Controller is unreachable after a certain number of attempts. 1089 o a hybrid protocol. In addition to a pull protocol, the Controller 1090 can also push an alert to the MA that it should immediately pull a 1091 new Instruction. 1093 For the Report Protocol, the underlying packet transfer mechanism 1094 could be: 1096 o a 'push' protocol (that is, from the MA to the Collector) 1098 o perhaps supplemented by the ability for the Collector to 'pull' 1099 Measurement Results from a MA. 1101 5.6. Items beyond the scope of the initial LMAP work 1103 There are several potential interactions between LMAP elements that 1104 are beyond the scope of the initial LMAP work: 1106 1. It does not define a coordination process between MAs. Whilst a 1107 measurement system may define coordinated Measurement Schedules 1108 across its various MAs, there is no direct coordination between 1109 MAs. 1111 2. It does not define interactions between the Collector and 1112 Controller. It is quite likely that there will be such 1113 interactions, optionally intermediated by the data analysis 1114 tools. For example, if there is an "interesting" Measurement 1115 Result then the measurement system may want to trigger extra 1116 Measurement Tasks that explore the potential cause in more 1117 detail; or if the Collector unexpectedly does not hear from a MA, 1118 then the measurement system may want to trigger the Controller to 1119 send a fresh Instruction Message to the MA. 1121 3. It does not define coordination between different measurement 1122 systems. For example, it does not define the interaction of a MA 1123 in one measurement system with a Controller or Collector in a 1124 different measurement system. Whilst it is likely that the 1125 Control and Report Protocols could be re-used or adapted for this 1126 scenario, any form of coordination between different 1127 organisations involves difficult commercial and technical issues 1128 and so, given the novelty of large-scale measurement efforts, any 1129 form of inter-organisation coordination is outside the scope of 1130 the initial LMAP work. Note that a single MA is instructed by a 1131 single Controller and is only in one measurement system. 1133 * An interesting scenario is where a home contains two 1134 independent MAs, for example one controlled by a regulator and 1135 one controlled by an ISP. Then the Measurement Traffic of one 1136 MA is treated by the other MA just like any other end-user 1137 traffic. 1139 4. It does not consider how to prevent a malicious party "gaming the 1140 system". For example, where a regulator is running a measurement 1141 system in order to benchmark operators, a malicious operator 1142 could try to identify the broadband lines that the regulator was 1143 measuring and prioritise that traffic. It is assumed this is a 1144 policy issue and would be dealt with through a code of conduct 1145 for instance. 1147 5. It does not define how to analyse Measurement Results, including 1148 how to interpret missing Results. 1150 6. It does not specifically define a end-user-controlled measurement 1151 system, see sub-section 5.6.1. 1153 5.6.1. End-user-controlled measurement system 1155 This framework concentrates on the cases where an ISP or a regulator 1156 runs the measurement system. However, we expect that LMAP 1157 functionality will also be used in the context of an end-user- 1158 controlled measurement system. There are at least two ways this 1159 could happen (they have various pros and cons): 1161 1. an end-user could somehow request the ISP- (or regulator-) run 1162 measurement system to test his/her line. The ISP (or regulator) 1163 Controller would then send an Instruction to the MA in the usual 1164 LMAP way. Note that a user can't directly initiate a Measurement 1165 Task on an ISP- (or regulator-) controlled MA. 1167 2. an end-user could deploy their own measurement system, with their 1168 own MA, Controller and Collector. For example, the user could 1169 implement all three functions onto the same end-user-owned end 1170 device, perhaps by downloading the functions from the ISP or 1171 regulator. Then the LMAP Control and Report Protocols do not 1172 need to be used, but using LMAP's Information Model would still 1173 be beneficial. The Measurement Peer (or other MA involved in the 1174 Measurement Task) could be in the home gateway or outside the 1175 home network; in the latter case the Measurement Peer is highly 1176 likely to be run by a different organisation, which raises extra 1177 privacy considerations. 1179 In both cases there will be some way for the end-user to initiate the 1180 Measurement Task(s). The mechanism is outside the scope of the 1181 initial LMAP work, but could include the user clicking a button on a 1182 GUI or sending a text message. Presumably the user will also be able 1183 to see the Measurement Results, perhaps summarised on a webpage. It 1184 is suggested that these interfaces conform to the LMAP guidance on 1185 privacy in Section 8. 1187 6. Deployment considerations 1189 The Appendix has some examples of possible deployment arrangements of 1190 Measurement Agents and Peers. 1192 6.1. Controller and the measurement system 1194 The Controller should understand both the MA's LMAP Capabilities (for 1195 instance what Metrics and Measurement Methods it can perform) and 1196 about the MA's other capabilities like processing power and memory. 1197 This allows the Controller to make sure that the Measurement Schedule 1198 of Measurement Tasks and the Reporting Schedule are sensible for each 1199 MA that it Instructs. 1201 An Instruction is likely to include several Measurement Tasks. 1202 Typically these run at different times, but it is also possible for 1203 them to run at the same time. Some Tasks may be compatible, in that 1204 they do not affect each other's Results, whilst with others great 1205 care would need to be taken. 1207 The Controller should ensure that the Measurement Tasks do not have 1208 an adverse effect on the end user. Tasks, especially those that 1209 generate a substantial amount of traffic, will often include a pre- 1210 check that the user isn't already sending traffic (Section 5.3). 1211 Another consideration is whether Measurement Traffic will impact a 1212 Subscriber's bill or traffic cap. 1214 The different elements of the Instruction can be updated 1215 independently. For example, the Measurement Tasks could be 1216 configured with different Input Parameters whilst keeping the same 1217 Measurement Schedule. In general this should not create any issues, 1218 since Metrics and their associated Measurement Methods should be 1219 defined so their fundamental nature does not change for a new value 1220 of Input Parameter. There could be a problem if, for example, a 1221 Measurement Task involving a 1kB file upload could be changed into a 1222 1GB file upload. 1224 A measurement system may have multiple Controllers (but note the 1225 overriding principle that a single MA is instructed by a single 1226 Controller at any point in time (Section 4.2)). For example, there 1227 could be different Controllers for different types of MA (home 1228 gateways, tablets) or locations (Ipswich, Edinburgh), for load 1229 balancing or to cope with failure of one Controller. 1231 The measurement system also needs to consider carefully how to 1232 interpret missing Results; for example, if the missing Results are 1233 ignored and the lack of a Report is caused by its broadband being 1234 broken, then the estimate of overall performance, averaged across all 1235 MAs, would be too optimistic. 1237 6.2. Measurement Agent 1239 The Measurement Agent could take a number of forms: a dedicated 1240 probe, software on a PC, embedded into an appliance, or even embedded 1241 into a gateway. A single site (home, branch office etc.) that is 1242 participating in a measurement could make use of one or multiple 1243 Measurement Agents or Measurement Peers in a single measurement. 1245 The Measurement Agent could be deployed in a variety of locations. 1246 Not all deployment locations are available to every kind of 1247 Measurement Agent. There are also a variety of limitations and 1248 trade-offs depending on the final placement. The next sections 1249 outline some of the locations a Measurement Agent may be deployed. 1250 This is not an exhaustive list and combinations may also apply. 1252 6.2.1. Measurement Agent on a networked device 1254 A MA may be embedded on a device that is directly connected to the 1255 network, such as a MA on a smartphone. Other examples include a MA 1256 downloaded and installed on a subscriber's laptop computer or tablet 1257 when the network service is provided on wired or other wireless radio 1258 technologies, such as Wi-Fi. 1260 6.2.2. Measurement Agent embedded in site gateway 1262 A Measurement Agent embedded with the site gateway, for example a 1263 home router or the edge router of a branch office in a managed 1264 service environment, is one of better places the Measurement Agent 1265 could be deployed. All site-to-ISP traffic would traverse through 1266 the gateway. So, Measurement Methods that measure user traffic could 1267 easily be performed. Similarly, due to this user traffic visibility, 1268 a Measurement Method that generates Measurement Traffic could ensure 1269 it does not compete with user traffic. Generally NAT and firewall 1270 services are built into the gateway, allowing the Measurement Agent 1271 the option to offer its Controller-facing management interface 1272 outside of the NAT/firewall. This placement of the management 1273 interface allows the Controller to unilaterally contact the 1274 Measurement Agent for instructions. However, a Measurement Agent on 1275 a site gateway (whether end-user service-provider owned) will 1276 generally not be directly available for over the top providers, the 1277 regulator, end users or enterprises. 1279 6.2.3. Measurement Agent embedded behind site NAT /Firewall 1281 The Measurement Agent could also be embedded behind a NAT, a 1282 firewall, or both. In this case the Controller may not be able to 1283 unilaterally contact the Measurement Agent unless either static port 1284 forwarding or firewall pin holing is configured. Configuring port 1285 forwarding could use protocols such as PCP [RFC6887], TR-069 1286 [TR-069]or UPnP [UPnP]. To prop open the firewall, the Measurement 1287 Agent could send keepalives towards the Controller (and perhaps use 1288 these also as a network reachability test). 1290 6.2.4. Multi-homed Measurement Agent 1292 If the device with the Measurement Agent is single homed then there 1293 is no confusion about what interface to measure. Similarly, if the 1294 MA is at the gateway and the gateway only has a single WAN-side and a 1295 single LAN-side interface, there is little confusion - for 1296 Measurement Methods that generate Measurement Traffic, the location 1297 of the other MA or Measurement Peer determines whether the WAN or LAN 1298 is measured. 1300 However, the device with the Measurement Agent may be multi-homed. 1301 For example, a home or campus may be connected to multiple broadband 1302 ISPs, such as a wired and wireless broadband provider, perhaps for 1303 redundancy or load- sharing. It may also be helpful to think of dual 1304 stack IPv4 and IPv6 broadband devices as multi-homed. More 1305 generally, Section 3.2 of [I-D.ietf-homenet-arch] describes dual- 1306 stack and multi-homing topologies that might be encountered in a home 1307 network, [RFC6419] provides the current practices of multi-interfaces 1308 hosts, and the Multiple Interfaces (mif) working group covers cases 1309 where hosts are either directly attached to multiple networks 1310 (physical or virtual) or indirectly (multiple default routers, etc.). 1311 In these cases, there needs to be clarity on which network 1312 connectivity option is being measured. 1314 One possibility is to have a Measurement Agent per interface. Then 1315 the Controller's choice of MA determines which interface is measured. 1316 However, if a MA can measure any of the interfaces, then the 1317 Controller defines in the Instruction which interface the MA should 1318 use for a Measurement Task; if the choice of interface is not defined 1319 then the MA uses the default one. Explicit definition is preferred 1320 if the measurement system wants to measure the performance of a 1321 particular network, whereas using the default is better if the 1322 measurement system wants to include the impact of the MA's interface 1323 selection algorithm. In any case, the Measurement Result should 1324 include the network that was measured. 1326 6.2.5. Measurement Agent embedded in ISP Network 1328 A MA may be embedded on a device that is part of an ISP's network, 1329 such as a router or switch. Usually the network devices with an 1330 embedded MA will be strategically located, such as a Carrier Grade 1331 NAT or ISP Gateway. [I-D.ietf-ippm-lmap-path] gives many examples 1332 where a MA might be located within a network to provide an 1333 intermediate measurement point on the end-to-end path. Other 1334 examples include a network device whose primary role is to host MA 1335 functions and the necessary measurement protocol. 1337 6.3. Measurement Peer 1339 A Measurement Peer participates in some Measurement Methods. It may 1340 have specific functionality to enable it to participate in a 1341 particular Measurement Method. On the other hand, other Measurement 1342 Methods may require no special functionality, for example if the 1343 Measurement Agent sends a ping to example.com then the server at 1344 example.com plays the role of a Measurement Peer. 1346 A device may participate in some Measurement Methods as a Measurement 1347 Agent and in others as a Measurement Peer. 1349 Measurement Schedules should account for limited resources in a 1350 Measurement Peer when instructing a MA to execute measurements with a 1351 Measurement Peer. In some measurement protocols, such as [RFC4656] 1352 and [RFC5357], the Measurement Peer can reject a measurement session 1353 or refuse a control connection prior to setting-up a measurement 1354 session and so protect itself from resource exhaustion. This is a 1355 valuable capability because the MP may be used by more than one 1356 organisation. 1358 7. Security considerations 1360 The security of the LMAP framework should protect the interests of 1361 the measurement operator(s), the network user(s) and other actors who 1362 could be impacted by a compromised measurement deployment. The 1363 measurement system must secure the various components of the system 1364 from unauthorised access or corruption. Much of the general advice 1365 contained in section 6 of [RFC4656] is applicable here. 1367 We assume that each Measurement Agent (MA) will receive its 1368 Instructions from a single organisation, which operates the 1369 Controller. These Instructions must be authenticated (to ensure that 1370 they come from the trusted Controller), checked for integrity (to 1371 ensure no-one has tampered with them) and not vulnerable to replay 1372 attacks. If a malicious party can gain control of the MA they can 1373 use it to launch DoS attacks at targets, reduce the end user's 1374 quality of experience and corrupt the Measurement Results that are 1375 reported to the Collector. By altering the Measurement Tasks and/or 1376 the address that Results are reported to, they can also compromise 1377 the confidentiality of the network user and the MA environment (such 1378 as information about the location of devices or their traffic). The 1379 Instruction messages also need to be encrypted to maintain 1380 confidentiality, as the information might be useful to an attacker. 1382 The process to upgrade the firmware in an MA is outside the scope of 1383 the initial LMAP work, similar to the protocol to bootstrap the MAs 1384 (as specified in the charter). However, systems which provide remote 1385 upgrade must secure authorised access and integrity of the process. 1387 Reporting by the MA must also be secured to maintain confidentiality. 1388 The results must be encrypted such that only the authorised Collector 1389 can decrypt the results to prevent the leakage of confidential or 1390 private information. In addition it must be authenticated that the 1391 results have come from the expected MA and that they have not been 1392 tampered with. It must not be possible to fool a MA into injecting 1393 falsified data into the measurement platform or to corrupt the 1394 results of a real MA. The results must also be held and processed 1395 securely after collection and analysis. 1397 Reporting by the MA must be encrypted to maintain confidentiality, to 1398 prevent the leakage of confidential or private information. 1399 Reporting must also be authenticated (to ensure that it comes from a 1400 trusted MA) and not vulnerable to tampering (which can be ensured 1401 through integrity and replay checks). It must not be possible to 1402 fool a MA into injecting falsified data and the results must also be 1403 held and processed securely after collection and analysis See section 1404 8.5.2 below for additional considerations on stored data compromise, 1405 and section 8.6 on potential mitigations for compromise. 1407 Since Collectors will be contacted repeatedly by MAs using the 1408 Collection Protocol to convey their recent results, a successful 1409 attack to exhaust the communication resources would prevent a 1410 critical operation: reporting. Therefore, all LMAP Collectors should 1411 implement technical mechanisms to: 1413 o limit the number of reporting connections from a single MA 1414 (simultaneous, and connections per unit time). 1416 o limit the transmission rate from a single MA. 1418 o limit the memory/storage consumed by a single MA's reports. 1420 o efficiently reject reporting connections from unknown sources. 1422 o separate resources if multiple authentication strengths are used, 1423 where the resources should be separated according to each class of 1424 strength. 1426 o limit iteration counters to generate keys with both a lower and 1427 upper limit, to prevent an attacking system from requesting the 1428 maximum and causing the Controller to stall on the process (see 1429 section 6 of [RFC5357]). 1431 Many of the above considerations are applicable to a "pull" model, 1432 where the MA must contact the Controller because NAT or other network 1433 aspect prevents Controllers from contacting MAs directly. 1435 Availability should also be considered. While the loss of some MAs 1436 may not be considered critical, the unavailability of the Collector 1437 could mean that valuable business data or data critical to a 1438 regulatory process is lost. Similarly, the unavailability of a 1439 Controller could mean that the MAs do not operate a correct 1440 Measurement Schedule. 1442 The security mechanisms described above may not be strictly necessary 1443 if the network's design ensures the LMAP components and their 1444 communications are already secured, for example potentially if they 1445 are all part of an ISP's dedicated management network. 1447 A malicious party could "game the system". For example, where a 1448 regulator is running a measurement system in order to benchmark 1449 operators, an operator could try to identify the broadband lines that 1450 the regulator was measuring and prioritise that traffic. Normally, 1451 this potential issue is handled by a code of conduct. It is outside 1452 the scope of the initial LMAP work to consider the issue. 1454 8. Privacy Considerations for LMAP 1456 The LMAP work considers privacy as a core requirement and will ensure 1457 that by default the Control and Report Protocols operate in a 1458 privacy-sensitive manner and that privacy features are well-defined. 1460 This section provides a set of privacy considerations for LMAP. This 1461 section benefits greatly from the timely publication of [RFC6973]. 1462 Privacy and security (Section 7) are related. In some jurisdictions 1463 privacy is called data protection. 1465 We begin with a set of assumptions related to protecting the 1466 sensitive information of individuals and organisations participating 1467 in LMAP-orchestrated measurement and data collection. 1469 8.1. Categories of Entities with Information of Interest 1471 LMAP protocols need to protect the sensitive information of the 1472 following entities, including individuals and organisations who 1473 participate in measurement and collection of results. 1475 o Individual Internet users: Persons who utilise Internet access 1476 services for communications tasks, according to the terms of 1477 service of a service agreement. Such persons may be a service 1478 Subscriber, or have been given permission by the Subscriber to use 1479 the service. 1481 o Internet service providers: Organisations who offer Internet 1482 access service subscriptions, and thus have access to sensitive 1483 information of individuals who choose to use the service. These 1484 organisations desire to protect their Subscribers and their own 1485 sensitive information which may be stored in the process of 1486 performing Measurement Tasks and collecting and Results. 1488 o Regulators: Public authorities responsible for exercising 1489 supervision of the electronic communications sector, and which may 1490 have access to sensitive information of individuals who 1491 participate in a measurement campaign. Similarly, regulators 1492 desire to protect the participants and their own sensitive 1493 information. 1495 o Other LMAP system operators: Organisations who operate measurement 1496 systems or participate in measurements in some way. 1498 Although privacy is a protection extended to individuals, we include 1499 discussion of ISPs and other LMAP system operators in this section. 1500 These organisations have sensitive information involved in the LMAP 1501 system, and many of the same dangers and mitigations are applicable. 1502 Further, the ISPs store information on their Subscribers beyond that 1503 used in the LMAP system (for instance billing information), and there 1504 should be a benefit in considering all the needs and potential 1505 solutions coherently. 1507 8.2. Examples of Sensitive Information 1509 This section gives examples of sensitive information which may be 1510 measured or stored in a measurement system, and which is to be kept 1511 private by default in the LMAP core protocols. 1513 Examples of Subscriber or authorised Internet user sensitive 1514 information: 1516 o Sub-IP layer addresses and names (MAC address, base station ID, 1517 SSID) 1519 o IP address in use 1521 o Personal Identification (real name) 1523 o Location (street address, city) 1525 o Subscribed service parameters 1527 o Contents of traffic (activity, DNS queries, destinations, 1528 equipment types, account info for other services, etc.) 1530 o Status as a study volunteer and Schedule of Measurement Tasks 1532 Examples of Internet Service Provider sensitive information: 1534 o Measurement device identification (equipment ID and IP address) 1536 o Measurement Instructions (choice of measurements) 1538 o Measurement Results (some may be shared, others may be private) 1540 o Measurement Schedule (exact times) 1542 o Network topology (locations, connectivity, redundancy) 1544 o Subscriber billing information, and any of the above Subscriber 1545 information known to the provider. 1547 o Authentication credentials (such as certificates) 1549 Other organisations will have some combination of the lists above. 1550 The LMAP system would not typically expose all of the information 1551 above, but could expose a combination of items which could be 1552 correlated with other pieces collected by an attacker (as discussed 1553 in the section on Threats below). 1555 8.3. Different privacy issues raised by different sorts of Measurement 1556 Methods 1558 Measurement Methods raise different privacy issues depending on 1559 whether they measure traffic created specifically for that purpose, 1560 or whether they measure user traffic. 1562 Measurement Tasks conducted on user traffic store sensitive 1563 information, however briefly this storage may be. We note that some 1564 authorities make a distinction on time of storage, and information 1565 that is kept only temporarily to perform a communications function is 1566 not subject to regulation (for example, active queue management, deep 1567 packet inspection). Such Measurement Tasks could reveal all the 1568 websites a Subscriber visits and the applications and/or services 1569 they use. 1571 Other types of Measurement Task are conducted on traffic which is 1572 created specifically for the purpose. Even if a user host generates 1573 Measurement Traffic, there is limited sensitive information about the 1574 Subscriber present and stored in the measurement system: 1576 o IP address in use (and possibly sub-IP addresses and names) 1578 o Status as a study volunteer and Schedule of Measurement Tasks 1580 On the other hand, for a service provider the sensitive information 1581 like Measurement Results is the same for all Measurement Tasks. 1583 From the Subscriber perspective, both types of Measurement Task 1584 potentially expose the description of Internet access service and 1585 specific service parameters, such as subscribed rate and type of 1586 access. 1588 8.4. Privacy analysis of the Communications Models 1590 This section examines each of the protocol exchanges described at a 1591 high level in Section 5 and some example Measurement Tasks, and 1592 identifies specific sensitive information which must be secured 1593 during communication for each case. With the protocol-related 1594 sensitive information identified, we can better consider the threats 1595 described in the following section. 1597 From the privacy perspective, all entities participating in LMAP 1598 protocols can be considered "observers" according to the definition 1599 in [RFC6973]. Their stored information potentially poses a threat to 1600 privacy, especially if one or more of these functional entities has 1601 been compromised. Likewise, all devices on the paths used for 1602 control, reporting, and measurement are also observers. 1604 8.4.1. MA Bootstrapping 1606 Section 5.1 provides the communication model for the Bootstrapping 1607 process. 1609 Although the specification of mechanisms for Bootstrapping the MA are 1610 beyond the initial LMAP work scope, designers should recognize that 1611 the Bootstrapping process is extremely powerful and could cause an MA 1612 to join a new or different LMAP system with a different Controller 1613 and Collector, or simply install new Metrics with associated 1614 Measurement Methods (for example to record DNS queries). A Bootstrap 1615 attack could result in a breach of the LMAP system with significant 1616 sensitive information exposure depending on the capabilities of the 1617 MA, so sufficient security protections are warranted. 1619 The Bootstrapping process provides sensitive information about the 1620 LMAP system and the organisation that operates it, such as 1622 o Initial Controller IP address or FQDN 1624 o Assigned Controller IP address or FQDN 1626 o Security certificates and credentials 1628 During the Bootstrap process for an MA located at a single 1629 subscriber's service demarcation point, the MA receives a MA-ID which 1630 is a persistent pseudonym for the Subscriber. Thus, the MA-ID is 1631 considered sensitive information because it could provide the link 1632 between Subscriber identification and Measurements Results. 1634 Also, the Bootstrap process could assign a Group-ID to the MA. The 1635 specific definition of information represented in a Group-ID is to be 1636 determined, but several examples are envisaged including use as a 1637 pseudonym for a set of Subscribers, a class of service, an access 1638 technology, or other important categories. Assignment of a Group-ID 1639 enables anonymisation sets to be formed on the basis of service 1640 type/grade/rates. Thus, the mapping between Group-ID and MA-ID is 1641 considered sensitive information. 1643 8.4.2. Controller <-> Measurement Agent 1645 The high-level communication model for interactions between the LMAP 1646 Controller and Measurement Agent is illustrated in Section 5.2. The 1647 primary purpose of this exchange is to authenticate and task a 1648 Measurement Agent with Measurement Instructions, which the 1649 Measurement Agent then acts on autonomously. 1651 Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged 1652 with a capability request, then measurement-related information of 1653 interest such as the parameters, schedule, metrics, and IP addresses 1654 of measurement devices. Thus, the measurement Instruction contains 1655 sensitive information which must be secured. For example, the fact 1656 that an ISP is running additional measurements beyond the set 1657 reported externally is sensitive information, as are the additional 1658 Measurements Tasks themselves. The Measurement Schedule is also 1659 sensitive, because an attacker intending to bias the results without 1660 being detected can use this information to great advantage. 1662 An organisation operating the Controller having no service 1663 relationship with a user who hosts the Measurement Agent *could* gain 1664 real-name mapping to a public IP address through user participation 1665 in an LMAP system (this applies to the Measurement Collection 1666 protocol, as well). 1668 8.4.3. Collector <-> Measurement Agent 1670 The high-level communication model for interactions between the 1671 Measurement Agent and Collector is illustrated in Section 5.4. The 1672 primary purpose of this exchange is to authenticate and collect 1673 Measurement Results from a MA, which the MA has measured autonomously 1674 and stored. 1676 The Measurement Results are the additional sensitive information 1677 included in the Collector-MA exchange. Organisations collecting LMAP 1678 measurements have the responsibility for data control. Thus, the 1679 Results and other information communicated in the Collector protocol 1680 must be secured. 1682 8.4.4. Measurement Peer <-> Measurement Agent 1684 A Measurement Method involving a Measurement Peer (or second 1685 Measurement Agent) raises potential privacy issues, although the 1686 specification of the mechanisms is beyond the scope of the initial 1687 LMAP work. The high-level communications model below illustrates the 1688 various exchanges to execute such a Measurement Method and store the 1689 Results. 1691 We note the potential for additional observers in the figures below 1692 by indicating the possible presence of a NAT, which has additional 1693 significance to the protocols and direction of initiation. 1695 The various messages are optional, depending on the nature of the 1696 Measurement Method. It may involve sending Measurement Traffic from 1697 the Measurement Peer to MA, MA to Measurement Peer, or both. 1698 Similarly, a second (or more) MAs may be involved. 1700 _________________ _________________ 1701 | | | | 1702 |Measurement Peer |=========== NAT ? ==========|Measurement Agent| 1703 |_________________| |_________________| 1705 <- (Key Negotiation & 1706 Encryption Setup) 1707 (Encrypted Channel -> 1708 Established) 1709 (Announce capabilities -> 1710 & status) 1711 <- (Select capabilities) 1712 ACK -> 1713 <- (Measurement Request 1714 (MA+MP IPAddrs,set of 1715 Metrics, Schedule)) 1716 ACK -> 1718 Measurement Traffic <> Measurement Traffic 1719 (may/may not be encrypted) (may/may not be encrypted) 1721 <- (Stop Measurement Task) 1723 Measurement Results -> 1724 (if applicable) 1725 <- ACK, Close 1727 This exchange primarily exposes the IP addresses of measurement 1728 devices and the inference of measurement participation from such 1729 traffic. There may be sensitive information on key points in a 1730 service provider's network included. There may also be access to 1731 measurement-related information of interest such as the Metrics, 1732 Schedule, and intermediate results carried in the Measurement Traffic 1733 (usually a set of timestamps). 1735 If the Measurement Traffic is unencrypted, as found in many systems 1736 today, then both timing and limited results are open to on-path 1737 observers. 1739 8.4.5. Measurement Agent 1741 Some Measurement Methods only involve a single Measurement Agent. 1742 They raise potential privacy issues, although the specification of 1743 the mechanisms is beyond the scope of the initial LMAP work. 1745 The high-level communications model below illustrates the collection 1746 of user information of interest with the Measurement Agent performing 1747 the monitoring and storage of the Results. This particular exchange 1748 is for measurement of DNS Response Time, which most frequently uses 1749 UDP transport. 1751 _________________ ____________ 1752 | | | | 1753 | DNS Server |=========== NAT ? ==========*=======| User client| 1754 |_________________| ^ |____________| 1755 ______|_______ 1756 | | 1757 | Measurement | 1758 | Agent | 1759 |______________| 1761 <- Name Resolution Req 1762 (MA+MP IPAddrs, 1763 Desired Domain Name) 1764 Return Record -> 1766 This exchange primarily exposes the IP addresses of measurement 1767 devices and the intent to communicate with or access the services of 1768 "Domain Name". There may be information on key points in a service 1769 provider's network, such as the address of one of its DNS servers. 1770 The Measurement Agent may be embedded in the user host, or it may be 1771 located in another device capable of observing user traffic. 1773 In principle, any of the user sensitive information of interest 1774 (listed above) can be collected and stored in the monitoring scenario 1775 and so must be secured. 1777 It would also be possible for a Measurement Agent to source the DNS 1778 query itself. But then there are few privacy concerns. 1780 8.4.6. Storage and Reporting of Measurement Results 1782 Although the mechanisms for communicating results (beyond the initial 1783 Collector) are beyond the initial LMAP work scope, there are 1784 potential privacy issues related to a single organisation's storage 1785 and reporting of Measurement Results. Both storage and reporting 1786 functions can help to preserve privacy by implementing the 1787 mitigations described below. 1789 8.5. Threats 1791 This section indicates how each of the threats described in [RFC6973] 1792 apply to the LMAP entities and their communication and storage of 1793 "information of interest". Denial of Service (DOS) and other attacks 1794 described in the Security section represent threats as well, and 1795 these attacks are more effective when sensitive information 1796 protections have been compromised. 1798 8.5.1. Surveillance 1800 Section 5.1.1 of [RFC6973] describes Surveillance as the "observation 1801 or monitoring of and individual's communications or activities." 1802 Hence all Measurement Methods that measure user traffic are a form of 1803 surveillance, with inherent risks. 1805 Measurement Methods which avoid periods of user transmission 1806 indirectly produce a record of times when a subscriber or authorised 1807 user has used their network access service. 1809 Measurement Methods may also utilise and store a Subscriber's 1810 currently assigned IP address when conducting measurements that are 1811 relevant to a specific Subscriber. Since the Measurement Results are 1812 time-stamped, they could provide a record of IP address assignments 1813 over time. 1815 Either of the above pieces of information could be useful in 1816 correlation and identification, described below. 1818 8.5.2. Stored Data Compromise 1820 Section 5.1.2 of [RFC6973] describes Stored Data Compromise as 1821 resulting from inadequate measures to secure stored data from 1822 unauthorised or inappropriate access. For LMAP systems this includes 1823 deleting or modifying collected measurement records, as well as data 1824 theft. 1826 The primary LMAP entity subject to compromise is the repository, 1827 which stores the Measurement Results; extensive security and privacy 1828 threat mitigations are warranted. The Collector and MA also store 1829 sensitive information temporarily, and need protection. The 1830 communications between the local storage of the Collector and the 1831 repository is beyond the scope of the initial LMAP work, though this 1832 communications channel will certainly need protection as well as the 1833 mass storage itself. 1835 The LMAP Controller may have direct access to storage of Subscriber 1836 information (location, billing, service parameters, etc.) and other 1837 information which the controlling organisation considers private, and 1838 again needs protection. 1840 Note that there is tension between the desire to store all raw 1841 results in the LMAP Collector (for reproducibility and custom 1842 analysis), and the need to protect the privacy of measurement 1843 participants. Many of the compromise mitigations described in 1844 section 8.6 below are most efficient when deployed at the MA, 1845 therefore minimising the risks with stored results. 1847 8.5.3. Correlation and Identification 1849 Sections 5.2.1 and 5.2.2 of [RFC6973] describe Correlation as 1850 combining various pieces of information to obtain desired 1851 characteristics of an individual, and Identification as using this 1852 combination to infer identity. 1854 The main risk is that the LMAP system could unwittingly provide a key 1855 piece of the correlation chain, starting with an unknown Subscriber's 1856 IP address and another piece of information. For example, a 1857 Subscriber utilised Internet access from 2000 to 2310 UTC, because 1858 the Measurement Tasks were deferred, or sent a name resolution for 1859 www.example.com at 2300 UTC. 1861 8.5.4. Secondary Use and Disclosure 1863 Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as 1864 unauthorised utilisation of an individual's information for a purpose 1865 the individual did not intend, and Disclosure is when such 1866 information is revealed causing other's notions of the individual to 1867 change, or confidentiality to be violated. 1869 Measurement Methods that measure user traffic are a form of Secondary 1870 Use, and the Subscribers' permission should be obtained beforehand. 1871 It may be necessary to obtain the measured ISP's permission to 1872 conduct measurements, for example when required by the terms and 1873 conditions of the service agreement, and notification is considered 1874 good measurement practice. 1876 For Measurement Methods that measure Measurement Traffic the 1877 Measurement Results provide some limited information about the 1878 Subscriber or ISP and could result in Secondary Uses. For example, 1879 the use of the Results in unauthorised marketing campaigns would 1880 qualify as Secondary Use. Secondary use may break national laws and 1881 regulations, and may violate individual's expectations or desires. 1883 8.6. Mitigations 1885 This section examines the mitigations listed in section 6 of 1886 [RFC6973] and their applicability to LMAP systems. Note that each 1887 section in [RFC6973] identifies the threat categories that each 1888 technique mitigates. 1890 8.6.1. Data Minimisation 1892 Section 6.1 of [RFC6973] encourages collecting and storing the 1893 minimal information needed to perform a task. 1895 LMAP results can be useful for general reporting about performance 1896 and for specific troubleshooting. They need different levels of 1897 information detail, as explained in the paragraphs below. 1899 For general results, the results can be aggregated into large 1900 categories (the month of March, all subscribers West of the 1901 Mississippi River). In this case, all individual identifications 1902 (including IP address of the MA) can be excluded, and only relevant 1903 results are provided. However, this implies a filtering process to 1904 reduce the information fields, because greater detail was needed to 1905 conduct the Measurement Tasks in the first place. 1907 For troubleshooting, so that a network operator or end user can 1908 identify a performance issue or failure, potentially all the network 1909 information (IP addresses, equipment IDs, location), Measurement 1910 Schedule, service configuration, Measurement Results, and other 1911 information may assist in the process. This includes the information 1912 needed to conduct the Measurements Tasks, and represents a need where 1913 the maximum relevant information is desirable, therefore the greatest 1914 protections should be applied. This level of detail is greater than 1915 needed for general performance monitoring. 1917 As regards Measurement Methods that measure user traffic, we note 1918 that a user may give temporary permission (to enable detailed 1919 troubleshooting), but withhold permission for them in general. Here 1920 the greatest breadth of sensitive information is potentially exposed, 1921 and the maximum privacy protection must be provided. The Collector 1922 may perform pre-storage minimisation and other mitigations (below) to 1923 help preserve privacy. 1925 For MAs with access to the sensitive information of users (e.g., 1926 within a home or a personal host/handset), it is desirable for the 1927 results collection to minimise the data reported, but also to balance 1928 this desire with the needs of troubleshooting when a service 1929 subscription exists between the user and organisation operating the 1930 measurements. 1932 8.6.2. Anonymity 1934 Section 6.1.1 of [RFC6973] describes a way in which anonymity is 1935 achieved: "there must exist a set of individuals that appear to have 1936 the same attributes as the individual", defined as an "anonymity 1937 set". 1939 Experimental methods for anonymisation of user identifiable data (and 1940 so particularly applicable to Measurement Methods that measure user 1941 traffic) have been identified in [RFC6235]. However, the findings of 1942 several of the same authors is that "there is increasing evidence 1943 that anonymisation applied to network trace or flow data on its own 1944 is insufficient for many data protection applications as in [Bur10]." 1945 Essentially, the details of such Measurement Methods can only be 1946 accessed by closed organisations, and unknown injection attacks are 1947 always less expensive than the protections from them. However, some 1948 forms of summary may protect the user's sensitive information 1949 sufficiently well, and so each Metric must be evaluated in the light 1950 of privacy. 1952 The techniques in [RFC6235] could be applied more successfully in 1953 Measurement Methods that generate Measurement Traffic, where there 1954 are protections from injection attack. The successful attack would 1955 require breaking the integrity protection of the LMAP Reporting 1956 Protocol and injecting Measurement Results (known fingerprint, see 1957 section 3.2 of [RFC6973]) for inclusion with the shared and 1958 anonymised results, then fingerprinting those records to ascertain 1959 the anonymisation process. 1961 Beside anonymisation of measured Results for a specific user or 1962 provider, the value of sensitive information can be further diluted 1963 by summarising the results over many individuals or areas served by 1964 the provider. There is an opportunity enabled by forming anonymity 1965 sets [RFC6973] based on the reference path measurement points in 1966 [I-D.ietf-ippm-lmap-path]. For example, all measurements from the 1967 Subscriber device can be identified as "mp000", instead of using the 1968 IP address or other device information. The same anonymisation 1969 applies to the Internet Service Provider, where their Internet 1970 gateway would be referred to as "mp190". 1972 8.6.3. Pseudonymity 1974 Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, 1975 are a possible mitigation to revealing one's true identity, since 1976 there is no requirement to use real names in almost all protocols. 1978 A pseudonym for a measurement device's IP address could be an LMAP- 1979 unique equipment ID. However, this would likely be a permanent 1980 handle for the device, and long-term use weakens a pseudonym's power 1981 to obscure identity. 1983 8.6.4. Other Mitigations 1985 Data can be de-personalised by blurring it, for example by adding 1986 synthetic data, data-swapping, or perturbing the values in ways that 1987 can be reversed or corrected. 1989 Sections 6.2 and 6.3 of [RFC6973] describe User Participation and 1990 Security, respectively. 1992 Where LMAP measurements involve devices on the Subscriber's premises 1993 or Subscriber-owned equipment, it is essential to secure the 1994 Subscriber's permission with regard to the specific information that 1995 will be collected. The informed consent of the Subscriber (and, if 1996 different, the end user) may be needed, including the specific 1997 purpose of the measurements. The approval process could involve 1998 showing the Subscriber their measured information and results before 1999 instituting periodic collection, or before all instances of 2000 collection, with the option to cancel collection temporarily or 2001 permanently. 2003 It should also be clear who is legally responsible for data 2004 protection (privacy); in some jurisdictions this role is called the 2005 'data controller'. It is always good practice to limit the time of 2006 personal information storage. 2008 Although the details of verification would be impenetrable to most 2009 subscribers, the MA could be architected as an "app" with open 2010 source-code, pre-download and embedded terms of use and agreement on 2011 measurements, and protection from code modifications usually provided 2012 by the app-stores. Further, the app itself could provide data 2013 reduction and temporary storage mitigations as appropriate and 2014 certified through code review. 2016 LMAP protocols, devices, and the information they store clearly need 2017 to be secure from unauthorised access. This is the hand-off between 2018 privacy and security considerations (Section 7). The Data Controller 2019 has the (legal) responsibility to maintain data protections described 2020 in the Subscriber's agreement and agreements with other 2021 organisations. 2023 9. IANA Considerations 2025 There are no IANA considerations in this memo. 2027 10. Appendix: Deployment examples 2029 In this section we describe some deployment scenarios that are 2030 feasible within the LMAP framework defined in this document. 2032 The LMAP framework defines two types of components involved in the 2033 actual measurement task, namely the Measurement Agent (MA) and the 2034 Measurement Peer (MP). The fundamental difference conveyed in the 2035 definition of these terms is that the MA has a interface with the 2036 Controller/Collector while the MP does not. The MP is broadly 2037 defined as a function that assists the MA in the Measurement Task but 2038 has no interface with the Controller/Collector. There are many 2039 elements in the network that can fall into this broad definition of 2040 MP. We believe that the MP terminology is useful to allow us to 2041 refer an element of the network that plays a role that is 2042 conceptually important to understand and describe the measurement 2043 task being performed. We next illustrate these concepts by 2044 describing several deployment scenarios. 2046 A very simple example of a Measurement Peer is a web server that the 2047 MA is downloading a web page from (such as www.example.com) in order 2048 to perform a speed test. The web server is a MP and from its 2049 perspective, the MA is just another client; the MP doesn't have a 2050 specific function for assisting measurements. This is described in 2051 the figure A1. 2053 ^ 2054 +----------------+ Web Traffic +----------------+ IPPM 2055 | Web Client |<------------>| MP: Web Server | Scope 2056 | | +----------------+ | 2057 ...|................|....................................V... 2058 | LMAP interface | ^ 2059 +----------------+ | 2060 ^ | | 2061 Instruction | | Report | 2062 | +-----------------+ | 2063 | | | 2064 | v LMAP 2065 +------------+ +------------+ Scope 2066 | Controller | | Collector | | 2067 +------------+ +------------+ V 2069 Figure A1: Schematic of LMAP-based measurement system, 2070 with Web server as Measurement Peer 2072 Another case that is slightly different than this would be the one of 2073 a TWAMP-responder. This is also a MP, with a helper function, the 2074 TWAMP server, which is specially deployed to assist the MAs that 2075 perform TWAMP tests. Another example is with a ping server, as 2076 described in Section 2. 2078 A further example is the case of a traceroute like measurement. In 2079 this case, for each packet sent, the router where the TTL expires is 2080 performing the MP function. So for a given Measurement Task, there 2081 is one MA involved and several MPs, one per hop. 2083 In figure A2 we depict the case of an OWAMP responder acting as an 2084 MP. In this case, the helper function in addition reports results 2085 back to the MA. So it has both a data plane and control interface 2086 with the MA. 2088 +----------------+ OWAMP +----------------+ ^ 2089 | OWAMP |<--control--->| MP: | | 2090 | control-client |>test-traffic>| OWAMP server & | IPPM 2091 | fetch-client & |<----fetch----| session-rec'ver| Scope 2092 | session-sender | | | | 2093 | | +----------------+ | 2094 ...|................|....................................v... 2095 | LMAP interface | ^ 2096 +----------------+ | 2097 ^ | | 2098 Instruction | | Report | 2099 | +-----------------+ | 2100 | | | 2101 | v LMAP 2102 +------------+ +------------+ Scope 2103 | Controller | | Collector | | 2104 +------------+ +------------+ v 2105 IPPM 2107 Figure A2: Schematic of LMAP-based measurement system, 2108 with OWAMP server as Measurement Peer 2110 However, it is also possible to use two Measurement Agents when 2111 performing one way Measurement Tasks, as described in figure A3 2112 below. In this case, MA1 generates the traffic and MA2 receives the 2113 traffic and send the reports to the Collector. Note that both MAs 2114 are instructed by the Controller. MA1 receives an Instruction to 2115 send the traffic and MA2 receives an Instruction to measured the 2116 received traffic and send Reports to the Collector. 2118 +----------------+ +----------------+ ^ 2119 | MA1 | | MA2 | IPPM 2120 | iperf -u sender|-UDP traffic->| iperf -u recvr | Scope 2121 | | | | v 2122 ...|................|..............|................|....v... 2123 | LMAP interface | | LMAP interface | ^ 2124 +----------------+ +----------------+ | 2125 ^ ^ | | 2126 Instruction | Instruction{Report} | | Report | 2127 {task, | +-------------------+ | | 2128 schedule} | | | | 2129 | | v LMAP 2130 +------------+ +------------+ Scope 2131 | Controller | | Collector | | 2132 +------------+ +------------+ v 2133 IPPM 2135 Figure A3: Schematic of LMAP-based measurement system, 2136 with two Measurement Agents cooperating to measure UDP traffic 2138 Next, we consider Measurement Methods that measure user traffic. 2139 Traffic generated in one point in the network flowing towards a given 2140 destination and the traffic is observed in some point along the path. 2141 One way to implement this is that the endpoints generating and 2142 receiving the traffic are not instructed by the Controller; hence 2143 they are MPs. The MA is located along the path with a monitor 2144 function that measures the traffic. The MA is instructed by the 2145 Controller to monitor that particular traffic and to send the Report 2146 to the Collector. It is depicted in figure A4 below. 2148 +-----+ +----------------+ +------+ ^ 2149 | MP | | MA: Monitor | | MP | IPPM 2150 | |<--|----------------|---traffic--->| | Scope 2151 +-----+ | | +------+ | 2152 .......|................|.........................v........... 2153 | LMAP interface | ^ 2154 +----------------+ | 2155 ^ | | 2156 Instruction | | Report | 2157 | +-----------------+ | 2158 | | | 2159 | v LMAP 2160 +------------+ +------------+ Scope 2161 | Controller | | Collector | | 2162 +------------+ +------------+ v 2164 Figure A4: Schematic of LMAP-based measurement system, 2165 with a Measurement Agent monitoring traffic 2167 Finally, we should consider the case of a router or a switch along 2168 the measurement path. This certainly performs an important role in 2169 the measurement - if packets are not forwarded, the measurement task 2170 will not work. Whilst it doesn't has an interface with the 2171 Controller or Collector, and so fits into the definition of MP, 2172 usually it is not particularly useful to highlight it as a MP. 2174 11. Acknowledgments 2176 This document is a merger of three individual drafts: draft-eardley- 2177 lmap-terminology-02, draft-akhter-lmap-framework-00, and draft- 2178 eardley-lmap-framework-02. 2180 Thanks to Juergen Schoenwaelder for his detailed review of the 2181 terminology. Thanks to Charles Cook for a very detailed review of 2182 -02. 2184 Thanks to numerous people for much discussion, directly and on the 2185 LMAP list (apologies to those unintentionally omitted): Alan Clark, 2186 Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian 2187 Trammell, Charles Cook, Dave Thorne, Frode Soerensen, Greg Mirsky, 2188 Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit, 2189 Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Lingli 2190 Deng, Michael Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, 2191 Steve Miller, Ted Lemon, Timothy Carey, Vaibhav Bajpai, William 2192 Lupton. 2194 Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on 2195 the Leone research project, which receives funding from the European 2196 Union Seventh Framework Programme [FP7/2007-2013] under grant 2197 agreement number 317647. 2199 12. History 2201 First WG version, copy of draft-folks-lmap-framework-00. 2203 12.1. From -00 to -01 2205 o new sub-section of possible use of Group-IDs for privacy 2207 o tweak to definition of Control protocol 2209 o fix typo in figure in S5.4 2211 12.2. From -01 to -02 2213 o change to INFORMATIONAL track (previous version had typo'd 2214 Standards track) 2216 o new definitions for Capabilities Information and Failure 2217 Information 2219 o clarify that diagrams show LMAP-level information flows. 2220 Underlying protocol could do other interactions, eg to get through 2221 NAT or for Collector to pull a Report 2223 o add hint that after a re-boot should pause random time before re- 2224 register (to avoid mass calling event) 2226 o delete the open issue "what happens if a Controller fails" (normal 2227 methods can handle) 2229 o add some extra words about multiple Tasks in one Schedule 2231 o clarify that new Schedule replaces (rather than adds to) and old 2232 one. Similarly for new configuration of Measurement Tasks or 2233 Report Channels. 2235 o clarify suppression is temporary stop; send a new Schedule to 2236 permanently stop Tasks 2238 o alter suppression so it is ACKed 2240 o add un-suppress message 2241 o expand the text on error reporting, to mention Reporting failures 2242 (as well as failures to action or execute Measurement Task & 2243 Schedule) 2245 o add some text about how to have Tasks running indefinitely 2247 o add that optionally a Report is not sent when there are no 2248 Measurement Results 2250 o add that a Measurement Task may create more than one Measurement 2251 Result 2253 o clarify /amend /expand that Reports include the "raw" Measurement 2254 Results - any pre-processing is left for lmap2.0 2256 o add some cautionary words about what if the Collector unexpectedly 2257 doesn't hear from a MA 2259 o add some extra words about the potential impact of Measurement 2260 Tasks 2262 o clarified various aspects of the privacy section 2264 o updated references 2266 o minor tweaks 2268 12.3. From -02 to -03 2270 o alignment with the Information Model [burbridge-lmap-information- 2271 model] as this is agreed as a WG document 2273 o One-off and periodic Measurement Schedules are kept separate, so 2274 that they can be updated independently 2276 o Measurement Suppression in a separate sub-section. Can now 2277 optionally include particular Measurement Tasks &/or Schedules to 2278 suppress, and start/stop time 2280 o for clarity, concept of Channel split into Control, Report and MA- 2281 to-Controller Channels 2283 o numerous editorial changes, mainly arising from a very detailed 2284 review by Charles Cook 2286 o 2288 12.4. From -03 to -04 2290 o updates following the WG Last Call, with the proposed consensus on 2291 the various issues as detailed in 2292 http://tools.ietf.org/agenda/89/slides/slides-89-lmap-2.pdf. In 2293 particular: 2295 o tweaked definitions, especially of Measurement Agent and 2296 Measurement Peer 2298 o Instruction - left to each implementation & deployment of LMAP to 2299 decide on the granularity at which an Instruction Message works 2301 o words added about overlapping Measurement Tasks (measurement 2302 system can handle any way they choose; Report should mention if 2303 the Task overlapped with another) 2305 o Suppression: no defined impact on Passive Measurement Task; extra 2306 option to suppress on-going Active Measurement Tasks; suppression 2307 doesn't go to Measurement Peer, since they don't understand 2308 Instructions 2310 o new concept of Data Transfer Task (and therefore adjustment of the 2311 Channel concept) 2313 o enhancement of Results with Subscriber's service parameters - 2314 could be useful, don't define how but can be included in Report to 2315 various other sections 2317 o various other smaller improvements, arising from the WGLC 2319 o Appendix added with examples of Measurement Agents and Peers in 2320 various deployment scenarios. To help clarify what these terms 2321 mean. 2323 12.5. From -04 to -05 2325 o clarified various scoping comments by using the phrase "scope of 2326 initial LMAP work" (avoiding "scope of LMAP WG" since this may 2327 change in the future) 2329 o added a Configuration Protocol - allows the Controller to update 2330 the MA about information that it obtained during the bootstrapping 2331 process (for consistency with Information Model) 2333 o Removed over-detailed information about the relationship between 2334 the different items in Instruction, as this seems more appropriate 2335 for the information model. Clarified that the lists given are 2336 about the aims and not a list of information elements (these will 2337 be defined in draft-ietf-information-model). 2339 o the Measurement Method, specified as a URI to a registry entry - 2340 rather than a URN 2342 o MA configured with time limit after which, if it hasn't heard from 2343 Controller, then it stops running Measurement Tasks (rather than 2344 this being part of a Schedule) 2346 o clarified there is no distinction between how capabilities, 2347 failure and logging information are transferred (all can be when 2348 requested by Controller or by MA on its own initiative). 2350 o removed mention of Data Transfer Tasks. This abstraction is left 2351 to the information model i-d 2353 o added Deployment sub-section about Measurement Agent embedded in 2354 ISP Network 2356 o various other smaller improvements, arising from the 2nd WGLC 2358 12.6. From -05 to -06 2360 o clarified terminlogy around Measurement Methods and Tasks. Since 2361 within a Method there may be several different roles (requester 2362 and responder, for instance) 2364 o Suppression: there is now the concept of a flag (boolean) which 2365 indicates whether a Task is by default gets suppressed or not. 2366 The optional suppression message (with list of specific tasks 2367 /schedules to suppress) over-rides this flag. 2369 o The previous bullet also means there is no need to make a 2370 distinction between active and passive Measurement Tasks, so this 2371 distinction is removed. 2373 o removed distinction 2375 o added a Configuration Protocol - allows the Controller to update 2376 the MA about information that it obtained during the bootstrapping 2377 process (for consistency with Information Model) 2379 13. Informative References 2381 [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, 2382 "The Role of Network Trace anonymisation Under Attack", 2383 January 2010. 2385 [TR-069] TR-069, , "CPE WAN Management Protocol", 2386 http://www.broadband-forum.org/technical/trlist.php, 2387 November 2013. 2389 [UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP 2390 Device Control Protocols specifications", 2391 http://upnp.org/sdcps-and-certification/standards/, 2011. 2393 [RFC1035] Mockapetris, P., "Domain names - implementation and 2394 specification", STD 13, RFC 1035, November 1987. 2396 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, 2397 June 2005. 2399 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 2400 Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2401 2005. 2403 [I-D.ietf-lmap-use-cases] 2404 Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, 2405 "Large-Scale Broadband Measurement Use Cases", draft-ietf- 2406 lmap-use-cases-03 (work in progress), April 2014. 2408 [I-D.manyfolks-ippm-metric-registry] 2409 Bagnulo, M., Claise, B., Eardley, P., and A. Morton, 2410 "Registry for Performance Metrics", draft-manyfolks-ippm- 2411 metric-registry-00 (work in progress), February 2014. 2413 [I-D.ietf-homenet-arch] 2414 Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, 2415 "IPv6 Home Networking Architecture Principles", draft- 2416 ietf-homenet-arch-16 (work in progress), June 2014. 2418 [RFC6419] Wasserman, M. and P. Seite, "Current Practices for 2419 Multiple-Interface Hosts", RFC 6419, November 2011. 2421 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 2422 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2423 2013. 2425 [I-D.ietf-lmap-information-model] 2426 Burbridge, T., Eardley, P., Bagnulo, M., and J. 2427 Schoenwaelder, "Information Model for Large-Scale 2428 Measurement Platforms (LMAP)", draft-ietf-lmap- 2429 information-model-00 (work in progress), February 2014. 2431 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization 2432 Support", RFC 6235, May 2011. 2434 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 2435 Morris, J., Hansen, M., and R. Smith, "Privacy 2436 Considerations for Internet Protocols", RFC 6973, July 2437 2013. 2439 [I-D.ietf-ippm-lmap-path] 2440 Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and 2441 A. Morton, "A Reference Path and Measurement Points for 2442 LMAP", draft-ietf-ippm-lmap-path-03 (work in progress), 2443 May 2014. 2445 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 2446 Zekauskas, "A One-way Active Measurement Protocol 2447 (OWAMP)", RFC 4656, September 2006. 2449 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 2450 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 2451 RFC 5357, October 2008. 2453 [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between 2454 Information Models and Data Models", RFC 3444, January 2455 2003. 2457 Authors' Addresses 2459 Philip Eardley 2460 BT 2461 Adastral Park, Martlesham Heath 2462 Ipswich 2463 ENGLAND 2465 Email: philip.eardley@bt.com 2467 Al Morton 2468 AT&T Labs 2469 200 Laurel Avenue South 2470 Middletown, NJ 2471 USA 2473 Email: acmorton@att.com 2474 Marcelo Bagnulo 2475 Universidad Carlos III de Madrid 2476 Av. Universidad 30 2477 Leganes, Madrid 28911 2478 SPAIN 2480 Phone: 34 91 6249500 2481 Email: marcelo@it.uc3m.es 2482 URI: http://www.it.uc3m.es 2484 Trevor Burbridge 2485 BT 2486 Adastral Park, Martlesham Heath 2487 Ipswich 2488 ENGLAND 2490 Email: trevor.burbridge@bt.com 2492 Paul Aitken 2493 Cisco Systems, Inc. 2494 96 Commercial Street 2495 Edinburgh, Scotland EH6 6LX 2496 UK 2498 Email: paitken@cisco.com 2500 Aamer Akhter 2501 Cisco Systems, Inc. 2502 7025 Kit Creek Road 2503 RTP, NC 27709 2504 USA 2506 Email: aakhter@cisco.com