idnits 2.17.1 draft-ietf-lmap-framework-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 12, 2014) is 3423 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 250 -- Looks like a reference, but probably isn't: '180' on line 250 == Missing Reference: 'Cycle-ID' is mentioned on line 1042, but not defined == Outdated reference: A later version (-06) exists of draft-ietf-lmap-use-cases-05 == Outdated reference: A later version (-24) exists of draft-ietf-ippm-metric-registry-01 == Outdated reference: A later version (-18) exists of draft-ietf-lmap-information-model-02 Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Eardley 3 Internet-Draft BT 4 Intended status: Informational A. Morton 5 Expires: June 15, 2015 AT&T Labs 6 M. Bagnulo 7 UC3M 8 T. Burbridge 9 BT 10 P. Aitken 11 A. Akhter 12 Cisco Systems 13 December 12, 2014 15 A framework for large-scale measurement platforms (LMAP) 16 draft-ietf-lmap-framework-09 18 Abstract 20 Measuring broadband service on a large scale requires a description 21 of the logical architecture and standardisation of the key protocols 22 that coordinate interactions between the components. The document 23 presents an overall framework for large-scale measurements. It also 24 defines terminology for LMAP (large-scale measurement platforms). 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on June 15, 2015. 43 Copyright Notice 45 Copyright (c) 2014 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 61 2. Outline of an LMAP-based measurement system . . . . . . . . . 5 62 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 63 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 12 64 4.1. The measurement system is under the direction of a single 65 organisation . . . . . . . . . . . . . . . . . . . . . . 12 66 4.2. Each MA may only have a single Controller at any point in 67 time . . . . . . . . . . . . . . . . . . . . . . . . . . 13 68 5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13 69 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 14 70 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15 71 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15 72 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16 73 5.2.3. Capabilities, Failure and Logging Information . . . . 19 74 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 21 75 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 21 76 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 22 77 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 23 78 5.4.1. Reporting of Subscriber's service parameters . . . . 25 79 5.5. Operation of LMAP over the underlying packet transfer 80 mechanism . . . . . . . . . . . . . . . . . . . . . . . . 25 81 5.6. Items beyond the scope of the initial LMAP work . . . . . 26 82 5.6.1. End-user-controlled measurement system . . . . . . . 27 83 6. Deployment considerations . . . . . . . . . . . . . . . . . . 28 84 6.1. Controller and the measurement system . . . . . . . . . . 28 85 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 29 86 6.2.1. Measurement Agent on a networked device . . . . . . . 29 87 6.2.2. Measurement Agent embedded in site gateway . . . . . 29 88 6.2.3. Measurement Agent embedded behind site NAT /firewall 30 89 6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 30 90 6.2.5. Measurement Agent embedded in ISP network . . . . . . 31 91 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 31 92 7. Security considerations . . . . . . . . . . . . . . . . . . . 31 93 8. Privacy considerations . . . . . . . . . . . . . . . . . . . 33 94 8.1. Categories of entities with information of interest . . . 34 95 8.2. Examples of sensitive information . . . . . . . . . . . . 35 96 8.3. Different privacy issues raised by different sorts of 97 Measurement Methods . . . . . . . . . . . . . . . . . . . 36 98 8.4. Privacy analysis of the communication models . . . . . . 36 99 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 37 100 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 37 101 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 38 102 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 38 103 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 40 104 8.4.6. Storage and reporting of Measurement Results . . . . 41 105 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 41 106 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 41 107 8.5.2. Stored data compromise . . . . . . . . . . . . . . . 41 108 8.5.3. Correlation and identification . . . . . . . . . . . 42 109 8.5.4. Secondary use and disclosure . . . . . . . . . . . . 42 110 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 43 111 8.6.1. Data minimisation . . . . . . . . . . . . . . . . . . 43 112 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 44 113 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 45 114 8.6.4. Other mitigations . . . . . . . . . . . . . . . . . . 45 115 9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 46 116 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 46 117 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 118 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 46 119 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 47 120 11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 48 121 11.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 48 122 11.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 49 123 11.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 50 124 11.7. From -06 to -07 . . . . . . . . . . . . . . . . . . . . 50 125 11.8. From -07 to -08 . . . . . . . . . . . . . . . . . . . . 50 126 11.9. From -08 to -09 . . . . . . . . . . . . . . . . . . . . 50 127 12. Informative References . . . . . . . . . . . . . . . . . . . 50 128 Appendix A. Appendix: Deployment examples . . . . . . . . . . . 52 129 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 131 1. Introduction 133 There is a desire to be able to coordinate the execution of broadband 134 measurements and the collection of measurement results across a large 135 scale set of diverse devices. These devices could be software based 136 agents on PCs, embedded agents in consumer devices (such as TVs or 137 gaming consoles), service provider controlled devices such as set-top 138 boxes and home gateways, or simply dedicated probes. It is expected 139 that such a system could easily comprise 100,000 devices. 140 Measurement devices may also be embedded on a device that is part of 141 an ISP's network, such as a DSLAM (Digital Subscriber Line Access 142 Multiplexer), router, Carrier Grade NAT (Network Address Translator) 143 or ISP Gateway. Such a scale presents unique problems in 144 coordination, execution and measurement result collection. Several 145 use cases have been proposed for large-scale measurements including: 147 o Operators: to help plan their network and identify faults 149 o Regulators: to benchmark several network operators and support 150 public policy development 152 Further details of the use cases can be found in 153 [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for 154 these, as well as other use cases, such as to help end users run 155 diagnostic checks like a network speed test. 157 The LMAP Framework has three basic elements: Measurement Agents, 158 Controllers and Collectors. 160 Measurement Agents (MAs) initiate the actual measurements, which are 161 called Measurement Tasks in the LMAP terminology. In principle, 162 there are no restrictions on the type of device in which the MA 163 function resides. 165 The Controller instructs one or more MAs and communicates the set of 166 Measurement Tasks an MA should perform and when. For example it may 167 instruct a MA at a home gateway: "Measure the 'UDP latency' with 168 www.example.org; repeat every hour at xx.05". The Controller also 169 manages a MA by instructing it how to report the Measurement Results, 170 for example: "Report results once a day in a batch at 4am". We refer 171 to these as the Measurement Schedule and Report Schedule. 173 The Collector accepts Reports from the MAs with the Results from 174 their Measurement Tasks. Therefore the MA is a device that gets 175 Instructions from the Controller, initiates the Measurement Tasks, 176 and reports to the Collector. The communications between these three 177 LMAP functions are structured according to a Control Protocol and a 178 Report Protocol. 180 The desirable features for a large-scale Measurement Systems we are 181 designing for are: 183 o Standardised - in terms of the Measurement Tasks that they 184 perform, the components, the data models and protocols for 185 transferring information between the components. Amongst other 186 things, standardisation enables meaningful comparisons of 187 measurements made of the same metric at different times and 188 places, and provides the operator of a Measurement System with 189 criteria for evaluation of the different solutions that can be 190 used for various purposes including buying decisions (such as 191 buying the various components from different vendors). Today's 192 systems are proprietary in some or all of these aspects. 194 o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement 195 Agents in every home gateway and edge device such as set-top boxes 196 and tablet computers, and located throughout the Internet as well 197 [I-D.ietf-ippm-lmap-path]. It is expected that a Measurement 198 System could easily encompass a few hundred thousand or even 199 millions of Measurement Agents. Existing systems have up to a few 200 thousand MAs (without judging how much further they could scale). 202 o Diversity - a Measurement System should handle Measurement Agents 203 from different vendors, that are in wired and wireless networks, 204 can execute different sorts of Measurement Task, are on devices 205 with IPv4 or IPv6 addresses, and so on. 207 2. Outline of an LMAP-based measurement system 209 In this section we provide an overview of the whole Measurement 210 System. New LMAP-specific terms are capitalised; Section 3 provides 211 a terminology section with a compilation of all the LMAP terms and 212 their definition. Section 4 onwards considers the LMAP components in 213 more detail. 215 Other LMAP specifications will define an information model, the 216 associated data models, and select/extend one or more protocols for 217 the secure communication: firstly, a Control Protocol, from a 218 Controller to instruct Measurement Agents what performance metrics to 219 measure, when to measure them, how/when to report the measurement 220 results to a Collector; secondly, a Report Protocol, for a 221 Measurement Agent to report the results to the Collector. 223 Figure 1 shows the main components of a Measurement System, and the 224 interactions of those components. Some of the components are outside 225 the scope of initial LMAP work. 227 The MA performs Measurement Tasks. In the example shown in Figure 1, 228 the MA is observing existing traffic. Another possibility is for the 229 MA may generate (or receive) traffic specially created for the 230 purpose and measure some metric associated with its transfer. The 231 Appendix shows some examples of possible arrangements of the 232 components. 234 The MAs are pieces of code that can be executed in specialised 235 hardware (hardware probe) or on a general-purpose device (like a PC 236 or mobile phone). A device with a Measurement Agent may have 237 multiple physical interfaces (Wi-Fi, Ethernet, DSL (Digital 238 Subscriber Line); and non-physical interfaces such as PPPoE (Point- 239 to-Point Protocol over Ethernet) or IPsec) and the Measurement Tasks 240 may specify any one of these. 242 The Controller manages a MA through use of the Control Protocol, 243 which transfers the Instruction to the MA. This describes the 244 Measurement Tasks the MA should perform and when. For example the 245 Controller may instruct a MA at a home gateway: "Count the number of 246 TCP SYN packets observed in a 1 minute interval; repeat every hour at 247 xx.05 + Unif[0,180] seconds". The Measurement Schedule determines 248 when the Measurement Tasks are executed. The Controller also manages 249 a MA by instructing it how to report the Measurement Results, for 250 example: "Report results once a day in a batch at 4am + Unif[0,180] 251 seconds; if the end user is active then delay the report 5 minutes". 252 The Report Schedule determines when the Reports are uploaded to the 253 Collector. The Measurement Schedule and Report Schedule can define 254 one-off (non-recurring) actions ("Do measurement now", "Report as 255 soon as possible"), as well as recurring ones. 257 The Collector accepts a Report from a MA with the Measurement Results 258 from its Measurement Tasks. It then provides the Results to a 259 repository (see below). 261 A Measurement Method defines how to measure a Metric of interest. It 262 is very useful to standardise Measurement Methods, so that it is 263 meaningful to compare measurements of the same Metric made at 264 different times and places. It is also useful to define a registry 265 for commonly-used Metrics [I-D.ietf-ippm-metric-registry] so that a 266 Metric with its associated Measurement Method can be referred to 267 simply by its identifier in the registry. The registry will 268 hopefully be referenced by other standards organisations. The 269 Measurement Methods may be defined by the IETF, locally, or by some 270 other standards body. 272 Broadly speaking there are two types of Measurement Method. It may 273 involve a single MA simply observing existing traffic - for example, 274 the Measurement Agent could count bytes or calculate the average loss 275 for a particular flow. On the other hand, a Measurement Method may 276 involve multiple network entities, which perform different roles. 277 For example, a "ping" Measurement Method, to measure the round trip 278 delay , would consist of an MA sending an ICMP (Internet Control 279 Message Protocol) ECHO request to a responder in the Internet. In 280 LMAP terms, the responder is termed a Measurement Peer (MP), meaning 281 that it helps the MA but is not managed by the Controller. Other 282 Measurement Methods involve a second MA, with the Controller 283 instructing the MAs in a coordinated manner. Traffic generated 284 specifically as part of the Measurement Method is termed Measurement 285 Traffic; in the ping example, it is the ICMP ECHO Requests and 286 Replies. The protocols used for the Measurement Traffic are out of 287 the scope of initial LMAP work, and fall within the scope of other 288 IETF WGs such as IPPM (IP Performance Metrics). 290 A Measurement Task is the action performed by a particular MA at a 291 particular time, as the specific instance of its role in a 292 Measurement Method. LMAP is mainly concerned with Measurement Tasks, 293 for instance in terms of its Information Model and Protocols. 295 For Measurement Results to be truly comparable, as might be required 296 by a regulator, not only do the same Measurement Methods need to be 297 used to assess Metrics, but also the set of Measurement Tasks should 298 follow a similar Measurement Schedule and be of similar number. The 299 details of such a characterisation plan are beyond the scope of work 300 in IETF although certainly facilitated by IETF's work. 302 Messages are transferred over a secure Channel. A Control Channel is 303 between the Controller and a MA; the Control Protocol delivers 304 Instruction Messages to the MA and Capabilities, Failure and Logging 305 Information in the reverse direction. A Report Channel is between a 306 MA and Collector, and the Report Protocol delivers Reports to the 307 Collector. 309 Finally we introduce several components that are outside the scope of 310 initial LMAP work and will be provided through existing protocols or 311 applications. They affect how the Measurement System uses the 312 Measurement Results and how it decides what set of Measurement Tasks 313 to perform. As shown in Figure 1, these components are: the 314 bootstrapper, Subscriber parameter database, data analysis tools, and 315 Results repository. 317 The MA needs to be bootstrapped with initial details about its 318 Controller, including authentication credentials. The LMAP work 319 considers the bootstrap process, since it affects the Information 320 Model. However, LMAP does not define a bootstrap protocol, since it 321 is likely to be technology specific and could be defined by the 322 Broadband Forum, CableLabs or IEEE depending on the device. Possible 323 protocols are SNMP (Simple Network Management Protocol), NETCONF 324 (Network Configuration Protocol) or (for Home Gateways) CPE WAN 325 Management Protocol (CWMP) from the Auto Configuration Server (ACS) 326 (as specified in TR-069 [TR-069]). 328 A Subscriber parameter database contains information about the line, 329 such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), 330 the line technology (DSL or fibre), the time zone where the MA is 331 located, and the type of home gateway and MA. These parameters are 332 already gathered and stored by existing operations systems. They may 333 affect the choice of what Measurement Tasks to run and how to 334 interpret the Measurement Results. For example, a download test 335 suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s 336 line. 338 A results repository records all Measurement Results in an equivalent 339 form, for example an SQL (Structured Query Language) database, so 340 that they can easily be accessed by the data analysis tools. 342 The data analysis tools receive the results from the Collector or via 343 the Results repository. They might visualise the data or identify 344 which component or link is likely to be the cause of a fault or 345 degradation. This information could help the Controller decide what 346 follow-up Measurement Task to perform in order to diagnose a fault. 347 The data analysis tools also need to understand the Subscriber's 348 service information, for example the broadband contract. 350 +-----------+ +-----------+ ^ 351 |End user or| |End user or| | 352 |Measurement| |Measurement| Non-LMAP 353 | Peer | | Peer | Scope 354 +-----------+ +-----------+ v 355 ^ ^ 356 \ traffic +-------------+ / ^ 357 \...............|.............|........./ | 358 | Measurement | | 359 +----------------->| Agent | | 360 | +-------------+ | 361 | ^ | | 362 | Instruction | | Report | 363 | (over Control | | (over Control Channel) | 364 | Channel) | +---------------+ | 365 | | | | 366 | | | 367 | | v LMAP 368 | +------------+ +------------+ Scope 369 | | Controller | | Collector | | 370 | +------------+ +------------+ v 371 | ^ ^ | ^ 372 | | | | | 373 | | +-------+ | | 374 | | | v | 375 +------------+ +----------+ +--------+ +----------+ | 376 |Bootstrapper| |Subscriber|--->| data |<---| Results | Out 377 +------------+ |parameter | |analysis| |repository| of 378 |database | | tools | +----------+ Scope 379 +----------+ +--------+ | 380 | 381 v 383 Figure 1: Schematic of main elements of an LMAP-based 384 Measurement System 385 (showing the elements in and out of the scope of initial LMAP work) 387 3. Terminology 389 This section defines terminology for LMAP. Please note that defined 390 terms are capitalized. 392 Bootstrap: A process that integrates a Measurement Agent into a 393 Measurement System. 395 Capabilities: Information about the performance measurement 396 capabilities of the MA, in particular the Measurement Method roles 397 and measurement protocol roles that it can perform, and the device 398 hosting the MA, for example its interface type and speed, but not 399 dynamic information. 401 Channel: A bi-directional logical connection that is defined by a 402 specific Controller and MA, or Collector and MA, plus associated 403 security. 405 Collector: A function that receives a Report from a Measurement 406 Agent. 408 Configuration: A process for informing the MA about its MA-ID, 409 (optional) Group-ID and Control Channel. 411 Controller: A function that provides a Measurement Agent with its 412 Instruction. 414 Control Channel: A Channel between a Controller and a MA over which 415 Instruction Messages and Capabilities, Failure and Logging 416 Information are sent. 418 Control Protocol: The protocol delivering Instruction(s) from a 419 Controller to a Measurement Agent. It also delivers Capabilities, 420 Failure and Logging Information from the Measurement Agent to the 421 Controller. It can also be used to update the MA's Configuration. 422 It runs over the Control Channel. 424 Cycle-ID: A tag that is sent by the Controller in an Instruction and 425 echoed by the MA in its Report. The same Cycle-ID is used by several 426 MAs that use the same Measurement Method for a Metric with the same 427 Input Parameters. Hence the Cycle-ID allows the Collector to easily 428 identify Measurement Results that should be comparable. 430 Data Model: The implementation of an Information Model in a 431 particular data modelling language [RFC3444]. 433 Environmental Constraint: A parameter that is measured as part of the 434 Measurement Task, its value determining whether the rest of the 435 Measurement Task proceeds. 437 Failure Information: Information about the MA's failure to action or 438 execute an Instruction, whether concerning Measurement Tasks or 439 Reporting. 441 Group-ID: An identifier of a group of MAs. 443 Information Model: The protocol-neutral definition of the semantics 444 of the Instructions, the Report, the status of the different elements 445 of the Measurement System as well of the events in the system 446 [RFC3444]. 448 Input Parameter: A parameter whose value is left open by the Metric 449 and its Measurement Method and is set to a specific value in a 450 Measurement Task. Altering the value of an Input Parameter does not 451 change the fundamental nature of the Measurement Task. 453 Instruction: The description of Measurement Tasks for a MA to perform 454 and the details of the Report for it to send. It is the collective 455 description of the Measurement Task configurations, the configuration 456 of the Measurement Schedules, the configuration of the Report 457 Channel(s), the configuration of Report Schedule(s), and the details 458 of any suppression. 460 Instruction Message: The message that carries an Instruction from a 461 Controller to a Measurement Agent. 463 Logging Information: Information about the operation of the 464 Measurement Agent and which may be useful for debugging. 466 Measurement Agent (MA): The function that receives Instruction 467 Messages from a Controller and operates the Instruction by executing 468 Measurement Tasks (using protocols outside the initial LMAP work 469 scope and perhaps in concert with one or more other Measurement 470 Agents or Measurement Peers) and (if part of the Instruction) by 471 reporting Measurement Results to a Collector or Collectors. 473 Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that 474 identifies a particular MA and is configured as part of the 475 Bootstrapping process. 477 Measurement Method: The process for assessing the value of a Metric; 478 the process of measuring some performance or reliability parameter 479 associated with the transfer of traffic. 481 Measurement Peer (MP): The function that assists a Measurement Agent 482 with Measurement Tasks and does not have an interface to the 483 Controller or Collector. 485 Measurement Result: The output of a single Measurement Task (the 486 value obtained for the parameter of interest or Metric). 488 Measurement Schedule: The schedule for performing Measurement Tasks. 490 Measurement System: The set of LMAP-defined and related components 491 that are operated by a single organisation, for the purpose of 492 measuring performance aspects of the network. 494 Measurement Task: The action performed by a particular Measurement 495 Agent that consists of the single assessment of a Metric through 496 operation of a Measurement Method role at a particular time, with all 497 of the role's Input Parameters set to specific values. 499 Measurement Traffic: the packet(s) generated by some types of 500 Measurement Method that involve measuring some parameter associated 501 with the transfer of the packet(s). 503 Metric: The quantity related to the performance and reliability of 504 the network that we'd like to know the value of. 506 Report: The set of Measurement Results and other associated 507 information (as defined by the Instruction). The Report is sent by a 508 Measurement Agent to a Collector. 510 Report Channel: A Channel between a Collector and a MA over which 511 Report messages are sent. 513 Report Protocol: The protocol delivering Report(s) from a Measurement 514 Agent to a Collector. It runs over the Report Channel. 516 Report Schedule: the schedule for sending Reports to a Collector. 518 Subscriber: An entity (associated with one or more users) that is 519 engaged in a subscription with a service provider. 521 Suppression: the temporary cessation of Measurement Tasks. 523 4. Constraints 525 The LMAP framework makes some important assumptions, which constrain 526 the scope of the initial LMAP work. 528 4.1. The measurement system is under the direction of a single 529 organisation 531 In the LMAP framework, the Measurement System is under the direction 532 of a single organisation that is responsible for any impact that its 533 measurements have on a user's quality of experience and privacy. 534 Clear responsibility is critical given that a misbehaving large-scale 535 Measurement System could potentially harm user experience, user 536 privacy and network security. 538 However, the components of an LMAP Measurement System can be deployed 539 in administrative domains that are not owned by the measuring 540 organisation. Thus, the system of functions deployed by a single 541 organisation constitutes a single LMAP domain which may span 542 ownership or other administrative boundaries. 544 4.2. Each MA may only have a single Controller at any point in time 546 A MA is instructed by one Controller and is in one Measurement 547 System. The constraint avoids different Controllers giving a MA 548 conflicting instructions and so means that the MA does not have to 549 manage contention between multiple Measurement (or Report) Schedules. 550 This simplifies the design of MAs (critical for a large-scale 551 infrastructure) and allows a Measurement Schedule to be tested on 552 specific types of MA before deployment to ensure that the end user 553 experience is not impacted (due to CPU, memory or broadband-product 554 constraints). However, a Measurement System may have several 555 Controllers. 557 5. Protocol Model 559 A protocol model [RFC4101] presents an architectural model for how 560 the protocol operates and needs to answer three basic questions: 562 1. What problem is the protocol trying to achieve? 564 2. What messages are being transmitted and what do they mean? 566 3. What are the important, but unobvious, features of the protocol? 568 An LMAP system goes through the following phases: 570 o a Bootstrapping process before the MA can take part in the other 571 three phases. 573 o a Control Protocol, which delivers Instruction Messages from a 574 Controller to a MA (amongst other things). 576 o the actual Measurement Tasks, which measure some performance or 577 reliability parameter(s) associated with the transfer of packets. 579 o a Report Protocol, which delivers Reports containing the 580 Measurement Results from a MA to a Collector. 582 The diagrams show the various LMAP messages and uses the following 583 convention: 585 o (optional): indicated by round brackets 587 o [potentially repeated]: indicated by square brackets 588 The protocol model is closely related to the Information Model 589 [I-D.ietf-lmap-information-model], which is the abstract definition 590 of the information carried by the protocol. (If there is any 591 difference between this document and the Information Model, the 592 latter is definitive, since it is on the standards track.) The 593 purpose of both is to provide a protocol and device independent view, 594 which can be implemented via specific protocols. LMAP defines a 595 specific Control Protocol and Report Protocol, but others could be 596 defined by other standards bodies or be proprietary. However it is 597 important that they all implement the same Information Model and 598 protocol model, in order to ease the definition, operation and 599 interoperability of large-scale Measurement Systems. 601 5.1. Bootstrapping process 603 The primary purpose of bootstrapping is to enable a MA to be 604 integrated into a Measurement System. The MA retrieves information 605 about itself (like its identity in the Measurement System) and about 606 the Controller, the Controller learns information about the MA, and 607 they learn about security information to communicate (such as 608 certificates and credentials). 610 Whilst this memo considers the bootstrapping process, it is beyond 611 the scope of initial LMAP work to define a bootstrap mechanism, as it 612 depends on the type of device and access. 614 As a result of the bootstrapping process the MA learns information 615 with the following aims ([I-D.ietf-lmap-information-model] defines 616 the consequent list of information elements): 618 o its identifier, either its MA-ID or a device identifier such as 619 one of its MAC or both. 621 o (optionally) a Group-ID. A Group-ID would be shared by several 622 MAs and could be useful for privacy reasons. For instance, 623 reporting the Group-ID and not the MA-ID could hinder tracking of 624 a mobile device 626 o the Control Channel, which is defined by: 628 * the address which identifies the Control Channel, such as the 629 Controller's FQDN (Fully Qualified Domain Name) [RFC1035]) 631 * security information (for example to enable the MA to decrypt 632 the Instruction Message and encrypt messages sent to the 633 Controller) 635 The details of the bootstrapping process are device /access specific. 636 For example, the information could be in the firmware, manually 637 configured or transferred via a protocol like TR-069 [TR-069]. There 638 may be a multi-stage process where the MA contacts a 'hard-coded' 639 address, which replies with the bootstrapping information. 641 The MA must learn its MA-ID before getting an Instruction, either 642 during Bootstrapping or via Configuration (Section 5.2.1). 644 5.2. Control Protocol 646 The primary purpose of the Control Protocol is to allow the 647 Controller to configure a Measurement Agent with an Instruction about 648 what Measurement Tasks to do, when to do them, and how to report the 649 Measurement Results (Section 5.2.2). The Measurement Agent then acts 650 on the Instruction autonomously. The Control Protocol also enables 651 the MA to inform the Controller about its Capabilities and any 652 Failure and Logging Information (Section 5.2.2). Finally, the 653 Control Protocol allows the Controller to update the MA's 654 Configuration. 656 5.2.1. Configuration 658 Configuration allows the Controller to update the MA about some or 659 all of the information that it obtained during the bootstrapping 660 process: the MA-ID, the (optional) Group-ID and the Control Channel. 661 The Measurement System might use Configuration for several reasons. 662 For example, the bootstrapping process could 'hard code' the MA with 663 details of an initial Controller, and then the initial Controller 664 could configure the MA with details about the Controller that sends 665 Instruction Messages. (Note that a MA only has one Control Channel, 666 and so is associated with only one Controller, at any moment.) 668 Note that an implementation may choose to combine Configuration 669 information and an Instruction Message into a single message. 671 +-----------------+ +-------------+ 672 | | | Measurement | 673 | Controller |===================================| Agent | 674 +-----------------+ +-------------+ 676 Configuration information: -> 677 (MA-ID), 678 (Group-ID), 679 (Control Channel) 680 <- Response(details) 682 5.2.2. Instruction 684 The Instruction is the description of the Measurement Tasks for a 685 Measurement Agent to do and the details of the Measurement Reports 686 for it to send. In order to update the Instruction the Controller 687 uses the Control Protocol to send an Instruction Message over the 688 Control Channel. 690 +-----------------+ +-------------+ 691 | | | Measurement | 692 | Controller |===================================| Agent | 693 +-----------------+ +-------------+ 695 Instruction: -> 696 [(Measurement Task configuration 697 URI of Metric( 698 [Input Parameter], 699 (interface), 700 (Cycle-ID))), 701 (Report Channel), 702 (Schedule), 703 (Suppression information)] 704 <- Response(details) 706 The Instruction defines information with the following aims 707 ([I-D.ietf-lmap-information-model] defines the consequent list of 708 information elements): 710 o the Measurement Task configurations, each of which needs: 712 * the Metric, specified as a URI to a registry entry; it includes 713 the specification of a Measurement Method. The registry could 714 be defined by the IETF [I-D.ietf-ippm-metric-registry], locally 715 by the operator of the Measurement System or perhaps by another 716 standards organisation. 718 * the Measurement Method role. For some Measurement Methods, 719 different parties play different roles; for example (figure A3 720 in the Appendix) an iperf sender and receiver. Each Metric and 721 its associated Measurement Method will describe all measurement 722 roles involved in the process. 724 * a boolean flag (suppress or do-not-suppress) indicating how 725 such a Measurement Task is impacted by a Suppression message 726 (see Section 5.2.2.1). Thus, the flag is an Input Parameter. 728 * any Input Parameters that need to be set for the Metric and the 729 Measurement Method. For example, the address of a Measurement 730 Peer (or other Measurement Agent) that may be involved in a 731 Measurement Task. 733 * if the device with the MA has multiple interfaces, then the 734 interface to use (if not defined, then the default interface is 735 used). 737 * optionally, a Cycle-ID. 739 * optionally, the measurement point designation 740 [I-D.ietf-ippm-lmap-path] of the MA and, if applicable, of the 741 MP or other MA. This can be useful for reporting. 743 o configuration of the Schedules, each of which needs: 745 * the timing of when the Measurement Tasks are to be performed, 746 or the Measurement Reports are to be sent. Possible types of 747 timing are periodic, calendar-based periodic, one-off immediate 748 and one-off at a future time 750 o configuration of the Report Channels, each of which needs: 752 * the address of the Collector, for instance its URL 754 * security for this Report Channel, for example the X.509 755 certificate 757 o Suppression information, if any (see Section 5.2.1.1) 759 A single Instruction Message may contain some or all of the above 760 parts. The finest level of granularity possible in an Instruction 761 Message is determined by the implementation and operation of the 762 Control Protocol. For example, a single Instruction Message may add 763 or update an individual Measurement Schedule - or it may only update 764 the complete set of Measurement Schedules; a single Instruction 765 Message may update both Measurement Schedules and Measurement Task 766 configurations - or only one at a time; and so on. However, 767 Suppression information always replaces (rather than adds to) any 768 previous Suppression information. 770 The MA informs the Controller that it has successfully understood the 771 Instruction Message, or that it cannot action the Instruction - for 772 example, if it doesn't include a parameter that is mandatory for the 773 requested Metric and Measurement Method, or it is missing details of 774 the target Collector. 776 The Instruction Message instructs the MA; the Control Protocol does 777 not allow the MA to negotiate, as this would add complexity to the 778 MA, Controller and Control Protocol for little benefit. 780 5.2.2.1. Suppression 782 The Instruction may include Suppression information. The main 783 motivation for Suppression is to enable the Measurement System to 784 eliminate Measurement Traffic, because there is some unexpected 785 network issue for example. There may be other circumstances when 786 Suppression is useful, for example to eliminate inessential Reporting 787 traffic. 789 The Suppression information may include any of the following optional 790 fields: 792 o a set of Measurement Tasks to suppress; the others are not 793 suppressed. For example, this could be useful if a particular 794 Measurement Task is overloading a Measurement Peer with 795 Measurement Traffic. 797 o a set of Measurement Schedules to suppress; the others are not 798 suppressed. For example, suppose the Measurement System has 799 defined two Schedules, one with the most critical Measurement 800 Tasks and the other with less critical ones that create a lot of 801 Measurement Traffic, then it may only want to suppress the second. 803 o if both the previous fields are included then the MA suppresses 804 the union - in other words, it suppresses both the set of 805 Measurement Tasks and the set of Measurement Schedules. 807 o if the Suppression information includes neither a set of 808 Measurement Tasks nor a set of Measurement Schedules, then the MA 809 does not begin new Measurement Tasks that have the boolean flag 810 set to "suppress"; however, the MA does begin new Measurement 811 Tasks that have the flag set to "do-not-suppress". 813 o a start time, at which suppression begins. If absent, then 814 Suppression begins immediately. 816 o an end time, at which suppression ends. If absent, then 817 Suppression continues until the MA receives an un-Suppress 818 message. 820 o a demand that the MA immediately ends on-going Measurement Task(s) 821 that are tagged for suppression. (Most likely it is appropriate 822 to delete the associated partial Measurement Result(s).) This 823 could be useful in the case of a network emergency so that the 824 operator can eliminate all inessential traffic as rapidly as 825 possible. If absent, the MA completes on-going Measurement Tasks. 827 An un-Suppress message instructs the MA no longer to suppress, 828 meaning that the MA once again begins new Measurement Tasks, 829 according to its Measurement Schedule. 831 Note that Suppression is not intended to permanently stop a 832 Measurement Task (instead, the Controller should send a new 833 Measurement Schedule), nor to permanently disable a MA (instead, some 834 kind of management action is suggested). 836 +-----------------+ +-------------+ 837 | | | Measurement | 838 | Controller |==============================| Agent | 839 +-----------------+ +-------------+ 841 Suppress: 842 [(Measurement Task), -> 843 (Measurement Schedule), 844 [start time], 845 [end time], 846 [on-going suppressed?]] 848 Un-suppress -> 850 5.2.3. Capabilities, Failure and Logging Information 852 The Control Protocol also enables the MA to inform the Controller 853 about various information, such as its Capabilities and any Failures. 854 It is also possible to use a device-specific mechanism which is 855 beyond the scope of the initial LMAP work. 857 Capabilities are information about the MA that the Controller needs 858 to know in order to correctly instruct the MA, such as: 860 o the Measurement Method (roles) that the MA supports 862 o the measurement protocol types and roles that the MA supports 864 o the interfaces that the MA has 866 o the version of the MA 868 o the version of the hardware, firmware or software of the device 869 with the MA 871 o its Instruction (this could be useful if the Controller thinks 872 something has gone wrong, and wants to check what Instruction the 873 MA is using) 875 o but not dynamic information like the currently unused CPU, memory 876 or battery life of the device with the MA. 878 Failure Information concerns why the MA has been unable to execute a 879 Measurement Task or deliver a Report, for example: 881 o the Measurement Task failed to run properly because the MA 882 (unexpectedly) has no spare CPU cycles 884 o the MA failed record the Measurement Results because it 885 (unexpectedly) is out of spare memory 887 o a Report failed to deliver Measurement Results because the 888 Collector (unexpectedly) is not responding 890 o but not if a Measurement Task correctly doesn't start. For 891 example, the first step of some Measurement Methods is for the MA 892 to check there is no cross-traffic. 894 Logging Information concerns how the MA is operating and may help 895 debugging, for example: 897 o the last time the MA ran a Measurement Task 899 o the last time the MA sent a Measurement Report 901 o the last time the MA received an Instruction Message 903 o whether the MA is currently Suppressing Measurement Tasks 905 Capabilities, Failure and Logging Information are sent by the MA, 906 either in response to a request from the Controller (for example, if 907 the Controller forgets what the MA can do or otherwise wants to 908 resynchronize what it knows about the MA), or on its own initiative 909 (for example when the MA first communicates with a Controller or if 910 it becomes capable of a new Measurement Method). Another example of 911 the latter case is if the device with the MA re-boots, then the MA 912 should notify its Controller in case its Instruction needs to be 913 updated; to avoid a "mass calling event" after a widespread power 914 restoration affecting many MAs, it is sensible for an MA to pause for 915 a random delay, perhaps in the range of one minute or so. 917 +-----------------+ +-------------+ 918 | | | Measurement | 919 | Controller |==================================| Agent | 920 +-----------------+ +-------------+ 922 (Instruction: 923 [(Request Capabilities), 924 (Request Failure Information), 925 (Request Logging Information), 926 (Request Instruction)]) -> 927 <- (Capabilities), 928 (Failure Information), 929 (Logging Information), 930 (Instruction) 932 5.3. Operation of Measurement Tasks 934 This LMAP framework is neutral to what the actual Measurement Task 935 is. It does not define Metrics and Measurement Methods, these are 936 defined elsewhere. 938 The MA carries out the Measurement Tasks as instructed, unless it 939 gets an updated Instruction. The MA acts autonomously, in terms of 940 operation of the Measurement Tasks and reporting of the Results; it 941 doesn't do a 'safety check' with the Controller to ask whether it 942 should still continue with the requested Measurement Tasks. 944 The MA may operate Measurement Tasks sequentially or in parallel (see 945 Section 5.3.2). 947 5.3.1. Starting and Stopping Measurement Tasks 949 This LMAP framework does not define a generic start and stop process, 950 since the correct approach depends on the particular Measurement 951 Task; the details are defined as part of each Measurement Method. 952 This section provides some general hints. The MA does not inform the 953 Controller about Measurement Tasks starting and stopping. 955 Before beginning a Measurement Task the MA may want to run a pre- 956 check. (The pre-check could be defined as a separate, preceding Task 957 or as the first part of a larger Task.) 959 For Measurement Tasks that observe existing traffic, action could 960 include: 962 o checking that there is traffic of interest; 963 o checking that the device with the MA has enough resources to 964 execute the Measurement Task reliably. Note that the designer of 965 the Measurement System should ensure that the device's 966 capabilities are normally sufficient to comfortably operate the 967 Measurement Tasks. 969 For Measurement Tasks that generate Measurement Traffic, a pre-check 970 could include: 972 o the MA checking that there is no cross-traffic. In other words, a 973 check that the end-user isn't already sending traffic; 975 o the MA checking with the Measurement Peer (or other Measurement 976 Agent) involved in the Measurement Task that it can handle a new 977 Measurement Task. For example, the Measurement Peer may already 978 be handling many Measurement Tasks with other MAs; 980 o sending traffic that probes the path to check it isn't overloaded; 982 o checking that the device with the MA has enough resources to 983 execute the Measurement Task reliably. 985 It is possible that similar checks continue during the Measurement 986 Task, especially one that is long-running and/or creates a lot of 987 Measurement Traffic, and might lead to it being abandoned whilst in- 988 progress. A Measurement Task could also be abandoned in response to 989 a "suppress" message (see Section 5.2.1). Action could include: 991 o For 'upload' tests, the MA not sending traffic 993 o For 'download' tests, the MA closing the TCP connection or sending 994 a TWAMP (Two-Way Active Measurement Protocol) Stop control message 995 [RFC5357]. 997 The Controller may want a MA to run the same Measurement Task 998 indefinitely (for example, "run the 'upload speed' Measurement Task 999 once an hour until further notice"). To avoid the MA generating 1000 traffic forever after a Controller has permanently failed (or 1001 communications with the Controller have failed), the MA can be 1002 configured with a time limit; if the MA doesn't hear from the 1003 Controller for this length of time, then it stops operating 1004 Measurement Tasks. 1006 5.3.2. Overlapping Measurement Tasks 1008 It is possible that a MA starts a new Measurement Task before another 1009 Measurement Task has completed. This may be intentional (the way 1010 that the Measurement System has designed the Measurement Schedules), 1011 but it could also be unintentional - for instance, if a Measurement 1012 Task has a 'wait for X' step which pauses for an unexpectedly long 1013 time. This document makes no assumptions about the impact of one 1014 Measurement Task on another. 1016 The operator of the Measurement System can handle (or not) 1017 overlapping Measurement Tasks in any way they choose - it is a policy 1018 or implementation issue and not the concern of LMAP. Some possible 1019 approaches are: to configure the MA not to begin the second 1020 Measurement Task; to start the second Measurement Task as usual; for 1021 the action to be an Input Parameter of the Measurement Task; and so 1022 on. 1024 It may be important to include in the Measurement Report the fact 1025 that the Measurement Task overlapped with another. 1027 5.4. Report Protocol 1029 The primary purpose of the Report Protocol is to allow a Measurement 1030 Agent to report its Measurement Results to a Collector, along with 1031 the context in which they were obtained. 1033 +-----------------+ +-------------+ 1034 | | | Measurement | 1035 | Collector |==================================| Agent | 1036 +-----------------+ +-------------+ 1038 <- Report: 1039 [MA-ID &/or Group-ID], 1040 [Measurement Result], 1041 [details of Measurement Task], 1042 [Cycle-ID] 1043 ACK -> 1045 The Report contains: 1047 o the MA-ID or a Group-ID (to anonymise results) 1049 o the actual Measurement Results, including the time they were 1050 measured. In general the time is simply the MA's best estimate 1051 and there is no guarantee on the accuracy or granularity of the 1052 information. It is possible that some specific analysis of a 1053 particular Measurement Method's Results will impose timing 1054 requirements. 1056 o the details of the Measurement Task (to avoid the Collector having 1057 to ask the Controller for this information later). For example, 1058 the interface used for the measurements. 1060 o the Cycle-ID, if one was included in the Instruction. 1062 o perhaps the Subscriber's service parameters (see Section 5.4.1). 1064 o the measurement point designation of the MA and, if applicable, 1065 the MP or other MA, if the information was included in the 1066 Instruction. This numbering system is defined in 1067 [I-D.ietf-ippm-lmap-path] and allows a Measurement Report to 1068 describe abstractly the path measured (for example, "from a MA at 1069 a home gateway to a MA at a DSLAM"). Also, the MA can anonymise 1070 results by including measurement point designations instead of IP 1071 addresses (Section 8.6.2). 1073 The MA sends Reports as defined by the Instruction. It is possible 1074 that the Instruction tells the MA to report the same Results to more 1075 than one Collector, or to report a different subset of Results to 1076 different Collectors. It is also possible that a Measurement Task 1077 may create two (or more) Measurement Results, which could be reported 1078 differently (for example, one Result could be reported periodically, 1079 whilst the second Result could be an alarm that is created as soon as 1080 the measured value of the Metric crosses a threshold and that is 1081 reported immediately). 1083 Optionally, a Report is not sent when there are no Measurement 1084 Results. 1086 In the initial LMAP Information Model and Report Protocol, for 1087 simplicity we assume that all Measurement Results are reported as-is, 1088 but allow extensibility so that a Measurement System (or perhaps a 1089 second phase of LMAP) could allow a MA to: 1091 o label, or perhaps not include, Measurement Results impacted by, 1092 for instance, cross-traffic or a Measurement Peer (or other 1093 Measurement Agent) being busy 1095 o label Measurement Results obtained by a Measurement Task that 1096 overlapped with another 1098 o not report the Measurement Results if the MA believes that they 1099 are invalid 1101 o detail when Suppression started and ended 1102 As discussed in Section 6.1, data analysis of the results should 1103 carefully consider potential bias from any Measurement Results that 1104 are not reported, or from Measurement Results that are reported but 1105 may be invalid. 1107 5.4.1. Reporting of Subscriber's service parameters 1109 The Subscriber's service parameters are information about his/her 1110 broadband contract, line rate and so on. Such information is likely 1111 to be needed to help analyse the Measurement Results, for example to 1112 help decide whether the measured download speed is reasonable. 1114 The information could be transferred directly from the Subscriber 1115 parameter database to the data analysis tools. It may also be 1116 possible to transfer the information via the MA. How (and if) the MA 1117 knows such information is likely to depend on the device type. The 1118 MA could either include the information in a Measurement Report or 1119 separately. 1121 5.5. Operation of LMAP over the underlying packet transfer mechanism 1123 The above sections have described LMAP's protocol model. Other 1124 specifications will define the actual Control and Report Protocols, 1125 possibly operating over an existing protocol, such as REST-style 1126 HTTP(S). It is also possible that a different choice is made for the 1127 Control and Report Protocols, for example NETCONF-YANG [RFC6241] and 1128 IPFIX (Internet Protocol Flow Information Export) [RFC7011] 1129 respectively. 1131 From an LMAP perspective, the Controller needs to know that the MA 1132 has received the Instruction Message, or at least that it needs to be 1133 re-sent as it may have failed to be delivered. Similarly the MA 1134 needs to know about the delivery of Capabilities and Failure 1135 information to the Controller and Reports to the Collector. How this 1136 is done depends on the design of the Control and Report Protocols and 1137 the underlying packet transfer mechanism. 1139 For the Control Protocol, the underlying packet transfer mechanism 1140 could be: 1142 o a 'push' protocol (that is, from the Controller to the MA) 1144 o a multicast protocol (from the Controller to a group of MAs) 1146 o a 'pull' protocol. The MA periodically checks with Controller if 1147 the Instruction has changed and pulls a new Instruction if 1148 necessary. A pull protocol seems attractive for a MA behind a NAT 1149 or firewall (as is typical for a MA on an end-user's device), so 1150 that it can initiate the communications. It also seems attractive 1151 for a MA on a mobile device, where the Controller might not know 1152 how to reach the MA. A pull mechanism is likely to require the MA 1153 to be configured with how frequently it should check in with the 1154 Controller, and perhaps what it should do if the Controller is 1155 unreachable after a certain number of attempts. 1157 o a hybrid protocol. In addition to a pull protocol, the Controller 1158 can also push an alert to the MA that it should immediately pull a 1159 new Instruction. 1161 For the Report Protocol, the underlying packet transfer mechanism 1162 could be: 1164 o a 'push' protocol (that is, from the MA to the Collector) 1166 o perhaps supplemented by the ability for the Collector to 'pull' 1167 Measurement Results from a MA. 1169 5.6. Items beyond the scope of the initial LMAP work 1171 There are several potential interactions between LMAP elements that 1172 are beyond the scope of the initial LMAP work: 1174 1. It does not define a coordination process between MAs. Whilst a 1175 Measurement System may define coordinated Measurement Schedules 1176 across its various MAs, there is no direct coordination between 1177 MAs. 1179 2. It does not define interactions between the Collector and 1180 Controller. It is quite likely that there will be such 1181 interactions, optionally intermediated by the data analysis 1182 tools. For example, if there is an "interesting" Measurement 1183 Result then the Measurement System may want to trigger extra 1184 Measurement Tasks that explore the potential cause in more 1185 detail; or if the Collector unexpectedly does not hear from a MA, 1186 then the Measurement System may want to trigger the Controller to 1187 send a fresh Instruction Message to the MA. 1189 3. It does not define coordination between different Measurement 1190 Systems. For example, it does not define the interaction of a MA 1191 in one Measurement System with a Controller or Collector in a 1192 different Measurement System. Whilst it is likely that the 1193 Control and Report Protocols could be re-used or adapted for this 1194 scenario, any form of coordination between different 1195 organisations involves difficult commercial and technical issues 1196 and so, given the novelty of large-scale measurement efforts, any 1197 form of inter-organisation coordination is outside the scope of 1198 the initial LMAP work. Note that a single MA is instructed by a 1199 single Controller and is only in one Measurement System. 1201 * An interesting scenario is where a home contains two 1202 independent MAs, for example one controlled by a regulator and 1203 one controlled by an ISP. Then the Measurement Traffic of one 1204 MA is treated by the other MA just like any other end-user 1205 traffic. 1207 4. It does not consider how to prevent a malicious party "gaming the 1208 system". For example, where a regulator is running a Measurement 1209 System in order to benchmark operators, a malicious operator 1210 could try to identify the broadband lines that the regulator was 1211 measuring and prioritise that traffic. It is assumed this is a 1212 policy issue and would be dealt with through a code of conduct 1213 for instance. 1215 5. It does not define how to analyse Measurement Results, including 1216 how to interpret missing Results. 1218 6. It does not specifically define a end-user-controlled Measurement 1219 System, see sub-section 5.6.1. 1221 5.6.1. End-user-controlled measurement system 1223 This framework concentrates on the cases where an ISP or a regulator 1224 runs the Measurement System. However, we expect that LMAP 1225 functionality will also be used in the context of an end-user- 1226 controlled Measurement System. There are at least two ways this 1227 could happen (they have various pros and cons): 1229 1. an end-user could somehow request the ISP- (or regulator-) run 1230 Measurement System to test his/her line. The ISP (or regulator) 1231 Controller would then send an Instruction to the MA in the usual 1232 LMAP way. 1234 2. an end-user could deploy their own Measurement System, with their 1235 own MA, Controller and Collector. For example, the user could 1236 implement all three functions onto the same end-user-owned end 1237 device, perhaps by downloading the functions from the ISP or 1238 regulator. Then the LMAP Control and Report Protocols do not 1239 need to be used, but using LMAP's Information Model would still 1240 be beneficial. A Measurement Peer (or other MA involved in a 1241 Measurement Task) could be in the home gateway or outside the 1242 home network; in the latter case the Measurement Peer is highly 1243 likely to be run by a different organisation, which raises extra 1244 privacy considerations. 1246 In both cases there will be some way for the end-user to initiate the 1247 Measurement Task(s). The mechanism is outside the scope of the 1248 initial LMAP work, but could include the user clicking a button on a 1249 GUI or sending a text message. Presumably the user will also be able 1250 to see the Measurement Results, perhaps summarised on a webpage. It 1251 is suggested that these interfaces conform to the LMAP guidance on 1252 privacy in Section 8. 1254 6. Deployment considerations 1256 The Appendix has some examples of possible deployment arrangements of 1257 Measurement Agents and Peers. 1259 6.1. Controller and the measurement system 1261 The Controller should understand both the MA's LMAP Capabilities (for 1262 instance what Metrics and Measurement Methods it can perform) and 1263 about the MA's other capabilities like processing power and memory. 1264 This allows the Controller to make sure that the Measurement Schedule 1265 of Measurement Tasks and the Reporting Schedule are sensible for each 1266 MA that it instructs. 1268 An Instruction is likely to include several Measurement Tasks. 1269 Typically these run at different times, but it is also possible for 1270 them to run at the same time. Some Tasks may be compatible, in that 1271 they do not affect each other's Results, whilst with others great 1272 care would need to be taken. Some Tasks may be complementary. For 1273 example, one Task may be followed by a traceroute Task to the same 1274 destination address, in order to learn the network path that was 1275 measured. 1277 The Controller should ensure that the Measurement Tasks do not have 1278 an adverse effect on the end user. Tasks, especially those that 1279 generate a substantial amount of Measurement Traffic, will often 1280 include a pre-check that the user isn't already sending traffic 1281 (Section 5.3). Another consideration is whether Measurement Traffic 1282 will impact a Subscriber's bill or traffic cap. 1284 A Measurement System may have multiple Controllers (but note the 1285 overriding principle that a single MA is instructed by a single 1286 Controller at any point in time (Section 4.2)). For example, there 1287 could be different Controllers for different types of MA (home 1288 gateways, tablets) or locations (Ipswich, Edinburgh, Paris), for load 1289 balancing or to cope with failure of one Controller. 1291 The measurement system also needs to consider carefully how to 1292 interpret missing Results. The correct interpretation depends on why 1293 the Results are missing, and potentially on the specifics of the 1294 Measurement Task and Measurement Schedule. 1296 6.2. Measurement Agent 1298 The MA should be cautious about resuming Measurement Tasks if it re- 1299 boots or has been off-line for some time, as its Instruction may be 1300 stale. In the former case it also needs to ensure that its clock has 1301 re-set correctly, so that it interprets the Schedule correctly. 1303 If the MA runs out of storage space for Measurement Results or can't 1304 contact the Controller, then the appropriate action is specific to 1305 the device and Measurement System. 1307 The Measurement Agent could take a number of forms: a dedicated 1308 probe, software on a PC, embedded into an appliance, or even embedded 1309 into a gateway. A single site (home, branch office etc.) that is 1310 participating in a measurement could make use of one or multiple 1311 Measurement Agents or Measurement Peers in a single measurement. 1313 The Measurement Agent could be deployed in a variety of locations. 1314 Not all deployment locations are available to every kind of 1315 Measurement Agent. There are also a variety of limitations and 1316 trade-offs depending on the final placement. The next sections 1317 outline some of the locations a Measurement Agent may be deployed. 1318 This is not an exhaustive list and combinations may also apply. 1320 6.2.1. Measurement Agent on a networked device 1322 A MA may be embedded on a device that is directly connected to the 1323 network, such as a MA on a smartphone. Other examples include a MA 1324 downloaded and installed on a subscriber's laptop computer or tablet 1325 when the network service is provided on wired or other wireless radio 1326 technologies, such as Wi-Fi. 1328 6.2.2. Measurement Agent embedded in site gateway 1330 A Measurement Agent embedded with the site gateway, for example a 1331 home router or the edge router of a branch office in a managed 1332 service environment, is one of better places the Measurement Agent 1333 could be deployed. All site-to-ISP traffic would traverse through 1334 the gateway. So, Measurement Methods that measure user traffic could 1335 easily be performed. Similarly, due to this user traffic visibility, 1336 a Measurement Method that generates Measurement Traffic could ensure 1337 it does not compete with user traffic. Generally NAT and firewall 1338 services are built into the gateway, allowing the Measurement Agent 1339 the option to offer its Controller-facing management interface 1340 outside of the NAT/firewall. This placement of the management 1341 interface allows the Controller to unilaterally contact the 1342 Measurement Agent for instructions. However, a Measurement Agent on 1343 a site gateway (whether end-user service-provider owned) will 1344 generally not be directly available for over the top providers, the 1345 regulator, end users or enterprises. 1347 6.2.3. Measurement Agent embedded behind site NAT /firewall 1349 The Measurement Agent could also be embedded behind a NAT, a 1350 firewall, or both. In this case the Controller may not be able to 1351 unilaterally contact the Measurement Agent unless either static port 1352 forwarding or firewall pin holing is configured. Configuring port 1353 forwarding could use protocols such as PCP [RFC6887], TR-069 [TR-069] 1354 or UPnP [UPnP]. To open a pin hole in the firewall, the Measurement 1355 Agent could send keepalives towards the Controller (and perhaps use 1356 these also as a network reachability test). 1358 6.2.4. Multi-homed Measurement Agent 1360 If the device with the Measurement Agent is single homed then there 1361 is no confusion about what interface to measure. Similarly, if the 1362 MA is at the gateway and the gateway only has a single WAN-side and a 1363 single LAN-side interface, there is little confusion - for 1364 Measurement Methods that generate Measurement Traffic, the location 1365 of the other MA or Measurement Peer determines whether the WAN or LAN 1366 is measured. 1368 However, the device with the Measurement Agent may be multi-homed. 1369 For example, a home or campus may be connected to multiple broadband 1370 ISPs, such as a wired and wireless broadband provider, perhaps for 1371 redundancy or load- sharing. It may also be helpful to think of dual 1372 stack IPv4 and IPv6 broadband devices as multi-homed. More 1373 generally, Section 3.2 of [RFC7368] describes dual-stack and multi- 1374 homing topologies that might be encountered in a home network, 1375 [RFC6419] provides the current practices of multi-interfaces hosts, 1376 and the Multiple Interfaces (mif) working group covers cases where 1377 hosts are either directly attached to multiple networks (physical or 1378 virtual) or indirectly (multiple default routers, etc.). In these 1379 cases, there needs to be clarity on which network connectivity option 1380 is being measured. 1382 One possibility is to have a Measurement Agent per interface. Then 1383 the Controller's choice of MA determines which interface is measured. 1384 However, if a MA can measure any of the interfaces, then the 1385 Controller defines in the Instruction which interface the MA should 1386 use for a Measurement Task; if the choice of interface is not defined 1387 then the MA uses the default one. Explicit definition is preferred 1388 if the Measurement System wants to measure the performance of a 1389 particular network, whereas using the default is better if the 1390 Measurement System wants to include the impact of the MA's interface 1391 selection algorithm. In any case, the Measurement Result should 1392 include the network that was measured. 1394 6.2.5. Measurement Agent embedded in ISP network 1396 A MA may be embedded on a device that is part of an ISP's network, 1397 such as a router or switch. Usually the network devices with an 1398 embedded MA will be strategically located, such as a Carrier Grade 1399 NAT or ISP Gateway. [I-D.ietf-ippm-lmap-path] gives many examples 1400 where a MA might be located within a network to provide an 1401 intermediate measurement point on the end-to-end path. Other 1402 examples include a network device whose primary role is to host MA 1403 functions and the necessary measurement protocol. 1405 6.3. Measurement Peer 1407 A Measurement Peer participates in some Measurement Methods. It may 1408 have specific functionality to enable it to participate in a 1409 particular Measurement Method. On the other hand, other Measurement 1410 Methods may require no special functionality. For example if the 1411 Measurement Agent sends a ping to example.com then the server at 1412 example.com plays the role of a Measurement Peer; or if the MA 1413 monitors existing traffic, then the existing end points are 1414 Measurement Peers. 1416 A device may participate in some Measurement Methods as a Measurement 1417 Agent and in others as a Measurement Peer. 1419 Measurement Schedules should account for limited resources in a 1420 Measurement Peer when instructing a MA to execute measurements with a 1421 Measurement Peer. In some measurement protocols, such as [RFC4656] 1422 and [RFC5357], the Measurement Peer can reject a measurement session 1423 or refuse a control connection prior to setting-up a measurement 1424 session and so protect itself from resource exhaustion. This is a 1425 valuable capability because the MP may be used by more than one 1426 organisation. 1428 7. Security considerations 1430 The security of the LMAP framework should protect the interests of 1431 the measurement operator(s), the network user(s) and other actors who 1432 could be impacted by a compromised measurement deployment. The 1433 Measurement System must secure the various components of the system 1434 from unauthorised access or corruption. Much of the general advice 1435 contained in section 6 of [RFC4656] is applicable here. 1437 The process to upgrade the firmware in an MA is outside the scope of 1438 the initial LMAP work, similar to the protocol to bootstrap the MAs 1439 (as specified in the charter). However, systems which provide remote 1440 upgrade must secure authorised access and integrity of the process. 1442 We assume that each Measurement Agent (MA) will receive its 1443 Instructions from a single organisation, which operates the 1444 Controller. These Instructions must be authenticated (to ensure that 1445 they come from the trusted Controller), checked for integrity (to 1446 ensure no-one has tampered with them) and not vulnerable to replay 1447 attacks. If a malicious party can gain control of the MA they can 1448 use it to launch DoS attacks at targets, create a platform for 1449 pervasive monitoring [RFC7258], reduce the end user's quality of 1450 experience and corrupt the Measurement Results that are reported to 1451 the Collector. By altering the Measurement Tasks and/or the address 1452 that Results are reported to, they can also compromise the 1453 confidentiality of the network user and the MA environment (such as 1454 information about the location of devices or their traffic). The 1455 Instruction Messages also need to be encrypted to maintain 1456 confidentiality, as the information might be useful to an attacker. 1458 Reporting by the MA must be encrypted to maintain confidentiality, so 1459 that only the authorised Collector can decrypt the results, to 1460 prevent the leakage of confidential or private information. 1461 Reporting must also be authenticated (to ensure that it comes from a 1462 trusted MA and that the MA reports to a genuine Collector) and not 1463 vulnerable to tampering (which can be ensured through integrity and 1464 replay checks). It must not be possible to fool a MA into injecting 1465 falsified data and the results must also be held and processed 1466 securely after collection and analysis. See section 8.5.2 below for 1467 additional considerations on stored data compromise, and section 8.6 1468 on potential mitigations for compromise. 1470 Since Collectors will be contacted repeatedly by MAs using the 1471 Collection Protocol to convey their recent results, a successful 1472 attack to exhaust the communication resources would prevent a 1473 critical operation: reporting. Therefore, all LMAP Collectors should 1474 implement technical mechanisms to: 1476 o limit the number of reporting connections from a single MA 1477 (simultaneous, and connections per unit time). 1479 o limit the transmission rate from a single MA. 1481 o limit the memory/storage consumed by a single MA's reports. 1483 o efficiently reject reporting connections from unknown sources. 1485 o separate resources if multiple authentication strengths are used, 1486 where the resources should be separated according to each class of 1487 strength. 1489 A corrupted MA could report falsified information to the Collector. 1490 Whether this can be effectively mitigated depends on the platform on 1491 which the MA is deployed, but where the MA is deployed on a customer- 1492 controlled device then the reported data is to some degree inherently 1493 untrustworthy. Further, a sophisticated party could distort some 1494 Measurement Methods, perhaps by dropping or delaying packets for 1495 example. This suggests that the network operator should be cautious 1496 about relying on Measurement Results for action such as refunding 1497 fees if a service level agreement is not met. 1499 As part of the protocol design, it will be decided how LMAP operates 1500 over the underlying protocol (Section 5.5). The choice raises 1501 various security issues, such as how to operate through a NAT and how 1502 to protect the Controller and Collector from denial of service 1503 attacks. 1505 The security mechanisms described above may not be strictly necessary 1506 if the network's design ensures the LMAP components and their 1507 communications are already secured, for example potentially if they 1508 are all part of an ISP's dedicated management network. 1510 Finally, there are three other issues related to security: privacy 1511 (considered in Section 8 below), availability and 'gaming the 1512 system'. While the loss of some MAs may not be considered critical, 1513 the unavailability of the Collector could mean that valuable business 1514 data or data critical to a regulatory process is lost. Similarly, 1515 the unavailability of a Controller could mean that the MAs do not 1516 operate a correct Measurement Schedule. 1518 A malicious party could "game the system". For example, where a 1519 regulator is running a Measurement System in order to benchmark 1520 operators, an operator could try to identify the broadband lines that 1521 the regulator was measuring and prioritise that traffic. Normally, 1522 this potential issue is handled by a code of conduct. It is outside 1523 the scope of the initial LMAP work to consider the issue. 1525 8. Privacy considerations 1527 The LMAP work considers privacy as a core requirement and will ensure 1528 that by default the Control and Report Protocols operate in a 1529 privacy-sensitive manner and that privacy features are well-defined. 1531 This section provides a set of privacy considerations for LMAP. This 1532 section benefits greatly from the timely publication of [RFC6973]. 1534 Privacy and security (Section 7) are related. In some jurisdictions 1535 privacy is called data protection. 1537 We begin with a set of assumptions related to protecting the 1538 sensitive information of individuals and organisations participating 1539 in LMAP-orchestrated measurement and data collection. 1541 8.1. Categories of entities with information of interest 1543 LMAP protocols need to protect the sensitive information of the 1544 following entities, including individuals and organisations who 1545 participate in measurement and collection of results. 1547 o Individual Internet users: Persons who utilise Internet access 1548 services for communications tasks, according to the terms of 1549 service of a service agreement. Such persons may be a service 1550 Subscriber, or have been given permission by the Subscriber to use 1551 the service. 1553 o Internet service providers: Organisations who offer Internet 1554 access service subscriptions, and thus have access to sensitive 1555 information of individuals who choose to use the service. These 1556 organisations desire to protect their Subscribers and their own 1557 sensitive information which may be stored in the process of 1558 performing Measurement Tasks and collecting Results. 1560 o Regulators: Public authorities responsible for exercising 1561 supervision of the electronic communications sector, and which may 1562 have access to sensitive information of individuals who 1563 participate in a measurement campaign. Similarly, regulators 1564 desire to protect the participants and their own sensitive 1565 information. 1567 o Other LMAP system operators: Organisations who operate Measurement 1568 Systems or participate in measurements in some way. 1570 Although privacy is a protection extended to individuals, we include 1571 discussion of ISPs and other LMAP system operators in this section. 1572 These organisations have sensitive information involved in the LMAP 1573 system, and many of the same dangers and mitigations are applicable. 1574 Further, the ISPs store information on their Subscribers beyond that 1575 used in the LMAP system (for instance billing information), and there 1576 should be a benefit in considering all the needs and potential 1577 solutions coherently. 1579 8.2. Examples of sensitive information 1581 This section gives examples of sensitive information which may be 1582 measured or stored in a Measurement System, and which is to be kept 1583 private by default in the LMAP core protocols. 1585 Examples of Subscriber or authorised Internet user sensitive 1586 information: 1588 o Sub-IP layer addresses and names (MAC address, base station ID, 1589 SSID) 1591 o IP address in use 1593 o Personal Identification (real name) 1595 o Location (street address, city) 1597 o Subscribed service parameters 1599 o Contents of traffic (activity, DNS queries, destinations, 1600 equipment types, account info for other services, etc.) 1602 o Status as a study volunteer and Schedule of Measurement Tasks 1604 Examples of Internet Service Provider sensitive information: 1606 o Measurement device identification (equipment ID and IP address) 1608 o Measurement Instructions (choice of measurements) 1610 o Measurement Results (some may be shared, others may be private) 1612 o Measurement Schedule (exact times) 1614 o Network topology (locations, connectivity, redundancy) 1616 o Subscriber billing information, and any of the above Subscriber 1617 information known to the provider. 1619 o Authentication credentials (such as certificates) 1621 Other organisations will have some combination of the lists above. 1622 The LMAP system would not typically expose all of the information 1623 above, but could expose a combination of items which could be 1624 correlated with other pieces collected by an attacker (as discussed 1625 in the section on Threats below). 1627 8.3. Different privacy issues raised by different sorts of Measurement 1628 Methods 1630 Measurement Methods raise different privacy issues depending on 1631 whether they measure traffic created specifically for that purpose, 1632 or whether they measure user traffic. 1634 Measurement Tasks conducted on user traffic store sensitive 1635 information, however briefly this storage may be. We note that some 1636 authorities make a distinction on time of storage, and information 1637 that is kept only temporarily to perform a communications function is 1638 not subject to regulation (for example, active queue management, deep 1639 packet inspection). Such Measurement Tasks could reveal all the 1640 websites a Subscriber visits and the applications and/or services 1641 they use. 1643 Other types of Measurement Task are conducted on traffic which is 1644 created specifically for the purpose. Even if a user host generates 1645 Measurement Traffic, there is limited sensitive information about the 1646 Subscriber present and stored in the Measurement System: 1648 o IP address in use (and possibly sub-IP addresses and names) 1650 o Status as a study volunteer and Schedule of Measurement Tasks 1652 On the other hand, for a service provider the sensitive information 1653 like Measurement Results is the same for all Measurement Tasks. 1655 From the Subscriber perspective, both types of Measurement Task 1656 potentially expose the description of Internet access service and 1657 specific service parameters, such as subscribed rate and type of 1658 access. 1660 8.4. Privacy analysis of the communication models 1662 This section examines each of the protocol exchanges described at a 1663 high level in Section 5 and some example Measurement Tasks, and 1664 identifies specific sensitive information which must be secured 1665 during communication for each case. With the protocol-related 1666 sensitive information identified, we can better consider the threats 1667 described in the following section. 1669 From the privacy perspective, all entities participating in LMAP 1670 protocols can be considered "observers" according to the definition 1671 in [RFC6973]. Their stored information potentially poses a threat to 1672 privacy, especially if one or more of these functional entities has 1673 been compromised. Likewise, all devices on the paths used for 1674 control, reporting, and measurement are also observers. 1676 8.4.1. MA Bootstrapping 1678 Section 5.1 provides the communication model for the Bootstrapping 1679 process. 1681 Although the specification of mechanisms for Bootstrapping the MA are 1682 beyond the initial LMAP work scope, designers should recognize that 1683 the Bootstrapping process is extremely powerful and could cause an MA 1684 to join a new or different LMAP system with a different Controller 1685 and Collector, or simply install new Metrics with associated 1686 Measurement Methods (for example to record DNS queries). A Bootstrap 1687 attack could result in a breach of the LMAP system with significant 1688 sensitive information exposure depending on the capabilities of the 1689 MA, so sufficient security protections are warranted. 1691 The Bootstrapping process provides sensitive information about the 1692 LMAP system and the organisation that operates it, such as 1694 o the MA's identifier (MA-ID) 1696 o the address that identifies the Control Channel, such as the 1697 Controller's FQDN 1699 o Security information for the Control Channel 1701 During the Bootstrap process for an MA located at a single 1702 subscriber's service demarcation point, the MA receives a MA-ID which 1703 is a persistent pseudonym for the Subscriber. Thus, the MA-ID is 1704 considered sensitive information because it could provide the link 1705 between Subscriber identification and Measurements Results. 1707 Also, the Bootstrap process could assign a Group-ID to the MA. The 1708 specific definition of information represented in a Group-ID is to be 1709 determined, but several examples are envisaged including use as a 1710 pseudonym for a set of Subscribers, a class of service, an access 1711 technology, or other important categories. Assignment of a Group-ID 1712 enables anonymisation sets to be formed on the basis of service 1713 type/grade/rates. Thus, the mapping between Group-ID and MA-ID is 1714 considered sensitive information. 1716 8.4.2. Controller <-> Measurement Agent 1718 The high-level communication model for interactions between the LMAP 1719 Controller and Measurement Agent is illustrated in Section 5.2. The 1720 primary purpose of this exchange is to authenticate and task a 1721 Measurement Agent with Measurement Instructions, which the 1722 Measurement Agent then acts on autonomously. 1724 Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged 1725 with a capability request, then measurement-related information of 1726 interest such as the parameters, schedule, metrics, and IP addresses 1727 of measurement devices. Thus, the measurement Instruction contains 1728 sensitive information which must be secured. For example, the fact 1729 that an ISP is running additional measurements beyond the set 1730 reported externally is sensitive information, as are the additional 1731 Measurements Tasks themselves. The Measurement Schedule is also 1732 sensitive, because an attacker intending to bias the results without 1733 being detected can use this information to great advantage. 1735 An organisation operating the Controller having no service 1736 relationship with a user who hosts the Measurement Agent *could* gain 1737 real-name mapping to a public IP address through user participation 1738 in an LMAP system (this applies to the Measurement Collection 1739 protocol, as well). 1741 8.4.3. Collector <-> Measurement Agent 1743 The high-level communication model for interactions between the 1744 Measurement Agent and Collector is illustrated in Section 5.4. The 1745 primary purpose of this exchange is to authenticate and collect 1746 Measurement Results from a MA, which the MA has measured autonomously 1747 and stored. 1749 The Measurement Results are the additional sensitive information 1750 included in the Collector-MA exchange. Organisations collecting LMAP 1751 measurements have the responsibility for data control. Thus, the 1752 Results and other information communicated in the Collector protocol 1753 must be secured. 1755 8.4.4. Measurement Peer <-> Measurement Agent 1757 A Measurement Method involving Measurement Traffic raises potential 1758 privacy issues, although the specification of the mechanisms is 1759 beyond the scope of the initial LMAP work. The high-level 1760 communications model below illustrates the various exchanges to 1761 execute such a Measurement Method and store the Results. 1763 We note the potential for additional observers in the figures below 1764 by indicating the possible presence of a NAT, which has additional 1765 significance to the protocols and direction of initiation. 1767 The various messages are optional, depending on the nature of the 1768 Measurement Method. It may involve sending Measurement Traffic from 1769 the Measurement Peer to MA, MA to Measurement Peer, or both. 1770 Similarly, a second (or more) MAs may be involved. 1772 _________________ _________________ 1773 | | | | 1774 |Measurement Peer |=========== NAT ? ==========|Measurement Agent| 1775 |_________________| |_________________| 1777 <- (Key Negotiation & 1778 Encryption Setup) 1779 (Encrypted Channel -> 1780 Established) 1781 (Announce capabilities -> 1782 & status) 1783 <- (Select capabilities) 1784 ACK -> 1785 <- (Measurement Request 1786 (MA+MP IPAddrs,set of 1787 Metrics, Schedule)) 1788 ACK -> 1790 Measurement Traffic <> Measurement Traffic 1791 (may/may not be encrypted) (may/may not be encrypted) 1793 <- (Stop Measurement Task) 1795 Measurement Results -> 1796 (if applicable) 1797 <- ACK, Close 1799 This exchange primarily exposes the IP addresses of measurement 1800 devices and the inference of measurement participation from such 1801 traffic. There may be sensitive information on key points in a 1802 service provider's network included. There may also be access to 1803 measurement-related information of interest such as the Metrics, 1804 Schedule, and intermediate results carried in the Measurement Traffic 1805 (usually a set of timestamps). 1807 The Measurement Peer may be able to use traffic analysis (perhaps 1808 combined with traffic injection) to obtain interesting insights about 1809 the Subscriber. As a simple example, if the Measurement Task 1810 includes a pre-check that the end-user isn't already sending traffic, 1811 the Measurement Peer may be able to deduce when the Subscriber is 1812 away on holiday, for example. 1814 If the Measurement Traffic is unencrypted, as found in many systems 1815 today, then both timing and limited results are open to on-path 1816 observers. 1818 8.4.5. Measurement Agent 1820 Some Measurement Methods only involve a single Measurement Agent 1821 observing existing traffic. They raise potential privacy issues, 1822 although the specification of the mechanisms is beyond the scope of 1823 the initial LMAP work. 1825 The high-level communications model below illustrates the collection 1826 of user information of interest with the Measurement Agent performing 1827 the monitoring and storage of the Results. This particular exchange 1828 is for measurement of DNS Response Time, which most frequently uses 1829 UDP transport. 1831 _________________ ____________ 1832 | | | | 1833 | DNS Server |=========== NAT ? ==========*=======| User client| 1834 |_________________| ^ |____________| 1835 ______|_______ 1836 | | 1837 | Measurement | 1838 | Agent | 1839 |______________| 1841 <- Name Resolution Req 1842 (MA+MP IPAddrs, 1843 Desired Domain Name) 1844 Return Record -> 1846 In this particular example, the MA monitors DNS messages in order to 1847 measure that DNS response time. The Measurement Agent may be 1848 embedded in the user host, or it may be located in another device 1849 capable of observing user traffic. The MA learns the IP addresses of 1850 measurement devices and the intent to communicate with or access the 1851 services of a particular domain name, and perhaps also information on 1852 key points in a service provider's network, such as the address of 1853 one of its DNS servers. 1855 In principle, any of the user sensitive information of interest 1856 (listed above) can be collected and stored in the monitoring scenario 1857 and so must be secured. 1859 It would also be possible for a Measurement Agent to source the DNS 1860 query itself. But then there are few privacy concerns. 1862 8.4.6. Storage and reporting of Measurement Results 1864 Although the mechanisms for communicating results (beyond the initial 1865 Collector) are beyond the initial LMAP work scope, there are 1866 potential privacy issues related to a single organisation's storage 1867 and reporting of Measurement Results. Both storage and reporting 1868 functions can help to preserve privacy by implementing the 1869 mitigations described below. 1871 8.5. Threats 1873 This section indicates how each of the threats described in [RFC6973] 1874 apply to the LMAP entities and their communication and storage of 1875 "information of interest". Denial of Service (DOS) and other attacks 1876 described in the Security section represent threats as well, and 1877 these attacks are more effective when sensitive information 1878 protections have been compromised. 1880 8.5.1. Surveillance 1882 Section 5.1.1 of [RFC6973] describes Surveillance as the "observation 1883 or monitoring of and individual's communications or activities." 1884 Hence all Measurement Methods that measure user traffic are a form of 1885 surveillance, with inherent risks. 1887 Measurement Methods which avoid periods of user transmission 1888 indirectly produce a record of times when a subscriber or authorised 1889 user has used their network access service. 1891 Measurement Methods may also utilise and store a Subscriber's 1892 currently assigned IP address when conducting measurements that are 1893 relevant to a specific Subscriber. Since the Measurement Results are 1894 time-stamped, they could provide a record of IP address assignments 1895 over time. 1897 Either of the above pieces of information could be useful in 1898 correlation and identification, described below. 1900 8.5.2. Stored data compromise 1902 Section 5.1.2 of [RFC6973] describes Stored Data Compromise as 1903 resulting from inadequate measures to secure stored data from 1904 unauthorised or inappropriate access. For LMAP systems this includes 1905 deleting or modifying collected measurement records, as well as data 1906 theft. 1908 The primary LMAP entity subject to compromise is the repository, 1909 which stores the Measurement Results; extensive security and privacy 1910 threat mitigations are warranted. The Collector and MA also store 1911 sensitive information temporarily, and need protection. The 1912 communications between the local storage of the Collector and the 1913 repository is beyond the scope of the initial LMAP work, though this 1914 communications channel will certainly need protection as well as the 1915 mass storage itself. 1917 The LMAP Controller may have direct access to storage of Subscriber 1918 information (location, billing, service parameters, etc.) and other 1919 information which the controlling organisation considers private, and 1920 again needs protection. 1922 Note that there is tension between the desire to store all raw 1923 results in the LMAP Collector (for reproducibility and custom 1924 analysis), and the need to protect the privacy of measurement 1925 participants. Many of the compromise mitigations described in 1926 section 8.6 below are most efficient when deployed at the MA, 1927 therefore minimising the risks with stored results. 1929 8.5.3. Correlation and identification 1931 Sections 5.2.1 and 5.2.2 of [RFC6973] describe Correlation as 1932 combining various pieces of information to obtain desired 1933 characteristics of an individual, and Identification as using this 1934 combination to infer identity. 1936 The main risk is that the LMAP system could unwittingly provide a key 1937 piece of the correlation chain, starting with an unknown Subscriber's 1938 IP address and another piece of information. For example, a 1939 Subscriber utilised Internet access from 2000 to 2310 UTC, because 1940 the Measurement Tasks were deferred, or sent a name resolution for 1941 www.example.com at 2300 UTC. 1943 8.5.4. Secondary use and disclosure 1945 Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as 1946 unauthorised utilisation of an individual's information for a purpose 1947 the individual did not intend, and Disclosure is when such 1948 information is revealed causing other's notions of the individual to 1949 change, or confidentiality to be violated. 1951 Measurement Methods that measure user traffic are a form of Secondary 1952 Use, and the Subscribers' permission should be obtained beforehand. 1953 It may be necessary to obtain the measured ISP's permission to 1954 conduct measurements, for example when required by the terms and 1955 conditions of the service agreement, and notification is considered 1956 good measurement practice. 1958 For Measurement Methods that measure Measurement Traffic the 1959 Measurement Results provide some limited information about the 1960 Subscriber or ISP and could result in Secondary Uses. For example, 1961 the use of the Results in unauthorised marketing campaigns would 1962 qualify as Secondary Use. Secondary use may break national laws and 1963 regulations, and may violate individual's expectations or desires. 1965 8.6. Mitigations 1967 This section examines the mitigations listed in section 6 of 1968 [RFC6973] and their applicability to LMAP systems. Note that each 1969 section in [RFC6973] identifies the threat categories that each 1970 technique mitigates. 1972 8.6.1. Data minimisation 1974 Section 6.1 of [RFC6973] encourages collecting and storing the 1975 minimal information needed to perform a task. 1977 LMAP results can be useful for general reporting about performance 1978 and for specific troubleshooting. They need different levels of 1979 information detail, as explained in the paragraphs below. 1981 For general results, the results can be aggregated into large 1982 categories (the month of March, all subscribers West of the 1983 Mississippi River). In this case, all individual identifications 1984 (including IP address of the MA) can be excluded, and only relevant 1985 results are provided. However, this implies a filtering process to 1986 reduce the information fields, because greater detail was needed to 1987 conduct the Measurement Tasks in the first place. 1989 For troubleshooting, so that a network operator or end user can 1990 identify a performance issue or failure, potentially all the network 1991 information (IP addresses, equipment IDs, location), Measurement 1992 Schedule, service configuration, Measurement Results, and other 1993 information may assist in the process. This includes the information 1994 needed to conduct the Measurements Tasks, and represents a need where 1995 the maximum relevant information is desirable, therefore the greatest 1996 protections should be applied. This level of detail is greater than 1997 needed for general performance monitoring. 1999 As regards Measurement Methods that measure user traffic, we note 2000 that a user may give temporary permission (to enable detailed 2001 troubleshooting), but withhold permission for them in general. Here 2002 the greatest breadth of sensitive information is potentially exposed, 2003 and the maximum privacy protection must be provided. The Collector 2004 may perform pre-storage minimisation and other mitigations (below) to 2005 help preserve privacy. 2007 For MAs with access to the sensitive information of users (e.g., 2008 within a home or a personal host/handset), it is desirable for the 2009 results collection to minimise the data reported, but also to balance 2010 this desire with the needs of troubleshooting when a service 2011 subscription exists between the user and organisation operating the 2012 measurements. 2014 8.6.2. Anonymity 2016 Section 6.1.1 of [RFC6973] describes a way in which anonymity is 2017 achieved: "there must exist a set of individuals that appear to have 2018 the same attributes as the individual", defined as an "anonymity 2019 set". 2021 Experimental methods for anonymisation of user identifiable data (and 2022 so particularly applicable to Measurement Methods that measure user 2023 traffic) have been identified in [RFC6235]. However, the findings of 2024 several of the same authors is that "there is increasing evidence 2025 that anonymisation applied to network trace or flow data on its own 2026 is insufficient for many data protection applications as in [Bur10]." 2027 Essentially, the details of such Measurement Methods can only be 2028 accessed by closed organisations, and unknown injection attacks are 2029 always less expensive than the protections from them. However, some 2030 forms of summary may protect the user's sensitive information 2031 sufficiently well, and so each Metric must be evaluated in the light 2032 of privacy. 2034 The techniques in [RFC6235] could be applied more successfully in 2035 Measurement Methods that generate Measurement Traffic, where there 2036 are protections from injection attack. The successful attack would 2037 require breaking the integrity protection of the LMAP Reporting 2038 Protocol and injecting Measurement Results (known fingerprint, see 2039 section 3.2 of [RFC6973]) for inclusion with the shared and 2040 anonymised results, then fingerprinting those records to ascertain 2041 the anonymisation process. 2043 Beside anonymisation of measured Results for a specific user or 2044 provider, the value of sensitive information can be further diluted 2045 by summarising the results over many individuals or areas served by 2046 the provider. There is an opportunity enabled by forming anonymity 2047 sets [RFC6973] based on the reference path measurement points in 2048 [I-D.ietf-ippm-lmap-path]. For example, all measurements from the 2049 Subscriber device can be identified as "mp000", instead of using the 2050 IP address or other device information. The same anonymisation 2051 applies to the Internet Service Provider, where their Internet 2052 gateway would be referred to as "mp190". 2054 Another anonymisation technique is for the MA to include its Group-ID 2055 instead of its MA-ID in its Measurement Reports, with several MAs 2056 sharing the same Group-ID. 2058 8.6.3. Pseudonymity 2060 Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, 2061 are a possible mitigation to revealing one's true identity, since 2062 there is no requirement to use real names in almost all protocols. 2064 A pseudonym for a measurement device's IP address could be an LMAP- 2065 unique equipment ID. However, this would likely be a permanent 2066 handle for the device, and long-term use weakens a pseudonym's power 2067 to obscure identity. 2069 8.6.4. Other mitigations 2071 Data can be de-personalised by blurring it, for example by adding 2072 synthetic data, data-swapping, or perturbing the values in ways that 2073 can be reversed or corrected. 2075 Sections 6.2 and 6.3 of [RFC6973] describe User Participation and 2076 Security, respectively. 2078 Where LMAP measurements involve devices on the Subscriber's premises 2079 or Subscriber-owned equipment, it is essential to secure the 2080 Subscriber's permission with regard to the specific information that 2081 will be collected. The informed consent of the Subscriber (and, if 2082 different, the end user) may be needed, including the specific 2083 purpose of the measurements. The approval process could involve 2084 showing the Subscriber their measured information and results before 2085 instituting periodic collection, or before all instances of 2086 collection, with the option to cancel collection temporarily or 2087 permanently. 2089 It should also be clear who is legally responsible for data 2090 protection (privacy); in some jurisdictions this role is called the 2091 'data controller'. It is always good practice to limit the time of 2092 personal information storage. 2094 Although the details of verification would be impenetrable to most 2095 subscribers, the MA could be architected as an "app" with open 2096 source-code, pre-download and embedded terms of use and agreement on 2097 measurements, and protection from code modifications usually provided 2098 by the app-stores. Further, the app itself could provide data 2099 reduction and temporary storage mitigations as appropriate and 2100 certified through code review. 2102 LMAP protocols, devices, and the information they store clearly need 2103 to be secure from unauthorised access. This is the hand-off between 2104 privacy and security considerations (Section 7). The Data Controller 2105 has the (legal) responsibility to maintain data protections described 2106 in the Subscriber's agreement and agreements with other 2107 organisations. 2109 9. IANA considerations 2111 There are no IANA considerations in this memo. 2113 10. Acknowledgments 2115 This document originated as a merger of three individual drafts: 2116 draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, 2117 and draft-eardley-lmap-framework-02. 2119 Thanks to Juergen Schoenwaelder for his detailed review of the 2120 terminology. Thanks to Charles Cook for a very detailed review of 2121 -02. Thanks to Barbara Stark and Ken Ko for many helpful comments 2122 about later versions. 2124 Thanks to numerous people for much discussion, directly and on the 2125 LMAP list (apologies to those unintentionally omitted): Alan Clark, 2126 Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian 2127 Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen, 2128 Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay, 2129 Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, 2130 Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael 2131 Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter, 2132 Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey, 2133 Vaibhav Bajpai, Vero Zheng, William Lupton. 2135 Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on 2136 the Leone research project, which receives funding from the European 2137 Union Seventh Framework Programme [FP7/2007-2013] under grant 2138 agreement number 317647. 2140 11. History 2142 First WG version, copy of draft-folks-lmap-framework-00. 2144 11.1. From -00 to -01 2146 o new sub-section of possible use of Group-IDs for privacy 2148 o tweak to definition of Control protocol 2149 o fix typo in figure in S5.4 2151 11.2. From -01 to -02 2153 o change to INFORMATIONAL track (previous version had typo'd 2154 Standards track) 2156 o new definitions for Capabilities Information and Failure 2157 Information 2159 o clarify that diagrams show LMAP-level information flows. 2160 Underlying protocol could do other interactions, eg to get through 2161 NAT or for Collector to pull a Report 2163 o add hint that after a re-boot should pause random time before re- 2164 register (to avoid mass calling event) 2166 o delete the open issue "what happens if a Controller fails" (normal 2167 methods can handle) 2169 o add some extra words about multiple Tasks in one Schedule 2171 o clarify that new Schedule replaces (rather than adds to) and old 2172 one. Similarly for new configuration of Measurement Tasks or 2173 Report Channels. 2175 o clarify suppression is temporary stop; send a new Schedule to 2176 permanently stop Tasks 2178 o alter suppression so it is ACKed 2180 o add un-suppress message 2182 o expand the text on error reporting, to mention Reporting failures 2183 (as well as failures to action or execute Measurement Task & 2184 Schedule) 2186 o add some text about how to have Tasks running indefinitely 2188 o add that optionally a Report is not sent when there are no 2189 Measurement Results 2191 o add that a Measurement Task may create more than one Measurement 2192 Result 2194 o clarify /amend /expand that Reports include the "raw" Measurement 2195 Results - any pre-processing is left for lmap2.0 2197 o add some cautionary words about what if the Collector unexpectedly 2198 doesn't hear from a MA 2200 o add some extra words about the potential impact of Measurement 2201 Tasks 2203 o clarified various aspects of the privacy section 2205 o updated references 2207 o minor tweaks 2209 11.3. From -02 to -03 2211 o alignment with the Information Model [burbridge-lmap-information- 2212 model] as this is agreed as a WG document 2214 o One-off and periodic Measurement Schedules are kept separate, so 2215 that they can be updated independently 2217 o Measurement Suppression in a separate sub-section. Can now 2218 optionally include particular Measurement Tasks &/or Schedules to 2219 suppress, and start/stop time 2221 o for clarity, concept of Channel split into Control, Report and MA- 2222 to-Controller Channels 2224 o numerous editorial changes, mainly arising from a very detailed 2225 review by Charles Cook 2227 o 2229 11.4. From -03 to -04 2231 o updates following the WG Last Call, with the proposed consensus on 2232 the various issues as detailed in 2233 http://tools.ietf.org/agenda/89/slides/slides-89-lmap-2.pdf. In 2234 particular: 2236 o tweaked definitions, especially of Measurement Agent and 2237 Measurement Peer 2239 o Instruction - left to each implementation & deployment of LMAP to 2240 decide on the granularity at which an Instruction Message works 2242 o words added about overlapping Measurement Tasks (Measurement 2243 System can handle any way they choose; Report should mention if 2244 the Task overlapped with another) 2246 o Suppression: no defined impact on Passive Measurement Task; extra 2247 option to suppress on-going Active Measurement Tasks; suppression 2248 doesn't go to Measurement Peer, since they don't understand 2249 Instructions 2251 o new concept of Data Transfer Task (and therefore adjustment of the 2252 Channel concept) 2254 o enhancement of Results with Subscriber's service parameters - 2255 could be useful, don't define how but can be included in Report to 2256 various other sections 2258 o various other smaller improvements, arising from the WGLC 2260 o Appendix added with examples of Measurement Agents and Peers in 2261 various deployment scenarios. To help clarify what these terms 2262 mean. 2264 11.5. From -04 to -05 2266 o clarified various scoping comments by using the phrase "scope of 2267 initial LMAP work" (avoiding "scope of LMAP WG" since this may 2268 change in the future) 2270 o added a Configuration Protocol - allows the Controller to update 2271 the MA about information that it obtained during the bootstrapping 2272 process (for consistency with Information Model) 2274 o Removed over-detailed information about the relationship between 2275 the different items in Instruction, as this seems more appropriate 2276 for the information model. Clarified that the lists given are 2277 about the aims and not a list of information elements (these will 2278 be defined in draft-ietf-information-model). 2280 o the Measurement Method, specified as a URI to a registry entry - 2281 rather than a URN 2283 o MA configured with time limit after which, if it hasn't heard from 2284 Controller, then it stops running Measurement Tasks (rather than 2285 this being part of a Schedule) 2287 o clarified there is no distinction between how capabilities, 2288 failure and logging information are transferred (all can be when 2289 requested by Controller or by MA on its own initiative). 2291 o removed mention of Data Transfer Tasks. This abstraction is left 2292 to the information model i-d 2294 o added Deployment sub-section about Measurement Agent embedded in 2295 ISP Network 2297 o various other smaller improvements, arising from the 2nd WGLC 2299 11.6. From -05 to -06 2301 o clarified terminlogy around Measurement Methods and Tasks. Since 2302 within a Method there may be several different roles (requester 2303 and responder, for instance) 2305 o Suppression: there is now the concept of a flag (boolean) which 2306 indicates whether a Task is by default gets suppressed or not. 2307 The optional suppression message (with list of specific tasks 2308 /schedules to suppress) over-rides this flag. 2310 o The previous bullet also means there is no need to make a 2311 distinction between active and passive Measurement Tasks, so this 2312 distinction is removed. 2314 o removed Configuration Protocol - Configuration is part of the 2315 Instruction and so uses the Control Protocol. 2317 11.7. From -06 to -07 2319 o Clarifications and nits 2321 11.8. From -07 to -08 2323 o Clarifications resulting from WG 3rd LC, as discussed in 2324 https://tools.ietf.org/agenda/90/slides/slides-90-lmap-0.pdf, plus 2325 comments made in the IETF-90 meeting. 2327 o added mention of "measurement point designations" in Measurement 2328 Task configuration and Report Protocol. 2330 11.9. From -08 to -09 2332 o Clarifications and changes from the AD review (Benoit Claise) and 2333 security directorate review (Radia Perlman). 2335 12. Informative References 2337 [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, 2338 "The Role of Network Trace anonymisation Under Attack", 2339 January 2010. 2341 [TR-069] TR-069, , "CPE WAN Management Protocol", 2342 http://www.broadband-forum.org/technical/trlist.php, 2343 November 2013. 2345 [UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP 2346 Device Control Protocols specifications", 2347 http://upnp.org/sdcps-and-certification/standards/, 2011. 2349 [RFC1035] Mockapetris, P., "Domain names - implementation and 2350 specification", STD 13, RFC 1035, November 1987. 2352 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, 2353 June 2005. 2355 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 2356 Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2357 2005. 2359 [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. 2360 Bierman, "Network Configuration Protocol (NETCONF)", RFC 2361 6241, June 2011. 2363 [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of 2364 the IP Flow Information Export (IPFIX) Protocol for the 2365 Exchange of Flow Information", STD 77, RFC 7011, September 2366 2013. 2368 [RFC7368] Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, 2369 "IPv6 Home Networking Architecture Principles", RFC 7368, 2370 October 2014. 2372 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 2373 Attack", BCP 188, RFC 7258, May 2014. 2375 [I-D.ietf-lmap-use-cases] 2376 Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, 2377 "Large-Scale Broadband Measurement Use Cases", draft-ietf- 2378 lmap-use-cases-05 (work in progress), November 2014. 2380 [I-D.ietf-ippm-metric-registry] 2381 Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A. 2382 Akhter, "Registry for Performance Metrics", draft-ietf- 2383 ippm-metric-registry-01 (work in progress), September 2384 2014. 2386 [RFC6419] Wasserman, M. and P. Seite, "Current Practices for 2387 Multiple-Interface Hosts", RFC 6419, November 2011. 2389 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 2390 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2391 2013. 2393 [I-D.ietf-lmap-information-model] 2394 Burbridge, T., Eardley, P., Bagnulo, M., and J. 2395 Schoenwaelder, "Information Model for Large-Scale 2396 Measurement Platforms (LMAP)", draft-ietf-lmap- 2397 information-model-02 (work in progress), August 2014. 2399 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization 2400 Support", RFC 6235, May 2011. 2402 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 2403 Morris, J., Hansen, M., and R. Smith, "Privacy 2404 Considerations for Internet Protocols", RFC 6973, July 2405 2013. 2407 [I-D.ietf-ippm-lmap-path] 2408 Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and 2409 A. Morton, "A Reference Path and Measurement Points for 2410 Large-Scale Measurement of Broadband Performance", draft- 2411 ietf-ippm-lmap-path-07 (work in progress), October 2014. 2413 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 2414 Zekauskas, "A One-way Active Measurement Protocol 2415 (OWAMP)", RFC 4656, September 2006. 2417 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 2418 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 2419 RFC 5357, October 2008. 2421 [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between 2422 Information Models and Data Models", RFC 3444, January 2423 2003. 2425 Appendix A. Appendix: Deployment examples 2427 In this section we describe some deployment scenarios that are 2428 feasible within the LMAP framework defined in this document. 2430 A very simple example of a Measurement Peer (MP) is a web server that 2431 the MA is downloading a web page from (such as www.example.com) in 2432 order to perform a speed test. The web server is a MP and from its 2433 perspective, the MA is just another client; the MP doesn't have a 2434 specific function for assisting measurements. This is described in 2435 the figure A1. 2437 ^ 2438 +----------------+ Web Traffic +----------------+ non-LMAP 2439 |MA: Web Client |<------------>| MP: Web Server | Scope 2440 | | +----------------+ | 2441 ...|................|....................................V... 2442 | LMAP interface | ^ 2443 +----------------+ | 2444 ^ | | 2445 Instruction | | Report | 2446 | +-----------------+ | 2447 | | | 2448 | v LMAP 2449 +------------+ +------------+ Scope 2450 | Controller | | Collector | | 2451 +------------+ +------------+ V 2453 Figure A1: Schematic of LMAP-based Measurement System, 2454 with Web server as Measurement Peer 2456 Another case that is slightly different than this would be the one of 2457 a TWAMP-responder. This is also a MP, with a helper function, the 2458 TWAMP server, which is specially deployed to assist the MAs that 2459 perform TWAMP tests. Another example is with a ping server, as 2460 described in Section 2. 2462 A further example is the case of a traceroute like measurement. In 2463 this case, for each packet sent, the router where the TTL expires is 2464 performing the MP function. So for a given Measurement Task, there 2465 is one MA involved and several MPs, one per hop. 2467 In figure A2 we depict the case of an OWAMP (One-Way Active 2468 Measurement Protocol) responder acting as an MP. In this case, the 2469 helper function in addition reports results back to the MA. So it 2470 has both a data plane and control interface with the MA. 2472 +----------------+ OWAMP +----------------+ ^ 2473 | MA: OWAMP |<--control--->| MP: | | 2474 | control-client |-test-traffic>| OWAMP server & | non-LMAP 2475 | fetch-client & |<----fetch----| session-rec'ver| Scope 2476 | session-sender | | | | 2477 | | +----------------+ | 2478 ...|................|....................................v... 2479 | LMAP interface | ^ 2480 +----------------+ | 2481 ^ | | 2482 Instruction | | Report | 2483 | +-----------------+ | 2484 | | | 2485 | v LMAP 2486 +------------+ +------------+ Scope 2487 | Controller | | Collector | | 2488 +------------+ +------------+ v 2490 Figure A2: Schematic of LMAP-based Measurement System, 2491 with OWAMP server as Measurement Peer 2493 However, it is also possible to use two Measurement Agents when 2494 performing one way Measurement Tasks, as described in figure A3 2495 below. Both MAs are instructed by the Controller: MA-1 to send the 2496 traffic and MA-2 to measure the received traffic and send Reports to 2497 the Collector. Note that the Measurement Task at MA-2 can listen for 2498 traffic from MA-1 and respond multiple times without having to be 2499 rescheduled. 2501 +----------------+ +----------------+ ^ 2502 | MA-1: | | MA-2: | non-LMAP 2503 | iperf -u sender|-UDP traffic->| iperf -u recvr | Scope 2504 | | | | v 2505 ...|................|..............|................|....v... 2506 | LMAP interface | | LMAP interface | ^ 2507 +----------------+ +----------------+ | 2508 ^ ^ | | 2509 Instruction | Instruction{Report} | | Report | 2510 {task, | +-------------------+ | | 2511 schedule} | | | | 2512 | | v LMAP 2513 +------------+ +------------+ Scope 2514 | Controller | | Collector | | 2515 +------------+ +------------+ v 2517 Figure A3: Schematic of LMAP-based Measurement System, 2518 with two Measurement Agents cooperating to measure UDP traffic 2520 Next, we consider Measurement Methods that measure user traffic. 2521 Traffic generated in one point in the network flowing towards a given 2522 destination and the traffic is observed in some point along the path. 2523 One way to implement this is that the endpoints generating and 2524 receiving the traffic are not instructed by the Controller; hence 2525 they are MPs. The MA is located along the path with a monitor 2526 function that measures the traffic. The MA is instructed by the 2527 Controller to monitor that particular traffic and to send the Report 2528 to the Collector. It is depicted in figure A4 below. 2530 +--------+ +----------------+ +--------+ ^ 2531 |End user| | MA: Monitor | |End user| | 2532 | or MP |<--|----------------|--traffic-->| or MP | non-LMAP 2533 | | | | | | Scope 2534 +--------+ | | +--------+ | 2535 ...|................|............................v.. 2536 | LMAP interface | ^ 2537 +----------------+ | 2538 ^ | | 2539 Instruction | | Report | 2540 | +-----------------+ | 2541 | | | 2542 | v LMAP 2543 +------------+ +------------+ Scope 2544 | Controller | | Collector | | 2545 +------------+ +------------+ v 2547 Figure A4: Schematic of LMAP-based Measurement System, 2548 with a Measurement Agent monitoring traffic 2550 Authors' Addresses 2552 Philip Eardley 2553 BT 2554 Adastral Park, Martlesham Heath 2555 Ipswich 2556 ENGLAND 2558 Email: philip.eardley@bt.com 2560 Al Morton 2561 AT&T Labs 2562 200 Laurel Avenue South 2563 Middletown, NJ 2564 USA 2566 Email: acmorton@att.com 2567 Marcelo Bagnulo 2568 Universidad Carlos III de Madrid 2569 Av. Universidad 30 2570 Leganes, Madrid 28911 2571 SPAIN 2573 Phone: 34 91 6249500 2574 Email: marcelo@it.uc3m.es 2575 URI: http://www.it.uc3m.es 2577 Trevor Burbridge 2578 BT 2579 Adastral Park, Martlesham Heath 2580 Ipswich 2581 ENGLAND 2583 Email: trevor.burbridge@bt.com 2585 Paul Aitken 2586 Cisco Systems, Inc. 2587 96 Commercial Street 2588 Edinburgh, Scotland EH6 6LX 2589 UK 2591 Email: paitken@cisco.com 2593 Aamer Akhter 2594 Cisco Systems, Inc. 2595 7025 Kit Creek Road 2596 RTP, NC 27709 2597 USA 2599 Email: aakhter@cisco.com