idnits 2.17.1 draft-ietf-lmap-framework-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 16, 2015) is 3288 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 261 -- Looks like a reference, but probably isn't: '180' on line 261 == Missing Reference: 'Cycle-ID' is mentioned on line 1075, but not defined == Outdated reference: A later version (-24) exists of draft-ietf-ippm-metric-registry-02 == Outdated reference: A later version (-18) exists of draft-ietf-lmap-information-model-05 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group P. Eardley 3 Internet-Draft BT 4 Intended status: Informational A. Morton 5 Expires: October 18, 2015 AT&T Labs 6 M. Bagnulo 7 UC3M 8 T. Burbridge 9 BT 10 P. Aitken 11 Brocade 12 A. Akhter 13 Consultant 14 April 16, 2015 16 A framework for Large-Scale Measurement of Broadband Performance (LMAP) 17 draft-ietf-lmap-framework-13 19 Abstract 21 Measuring broadband service on a large scale requires a description 22 of the logical architecture and standardisation of the key protocols 23 that coordinate interactions between the components. The document 24 presents an overall framework for large-scale measurements. It also 25 defines terminology for LMAP (Large-Scale Measurement of Broadband 26 Performance). 28 Status of This Memo 30 This Internet-Draft is submitted in full conformance with the 31 provisions of BCP 78 and BCP 79. 33 Internet-Drafts are working documents of the Internet Engineering 34 Task Force (IETF). Note that other groups may also distribute 35 working documents as Internet-Drafts. The list of current Internet- 36 Drafts is at http://datatracker.ietf.org/drafts/current/. 38 Internet-Drafts are draft documents valid for a maximum of six months 39 and may be updated, replaced, or obsoleted by other documents at any 40 time. It is inappropriate to use Internet-Drafts as reference 41 material or to cite them other than as "work in progress." 43 This Internet-Draft will expire on October 18, 2015. 45 Copyright Notice 47 Copyright (c) 2015 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 63 2. Outline of an LMAP-based measurement system . . . . . . . . . 5 64 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 65 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 12 66 4.1. The measurement system is under the direction of a single 67 organisation . . . . . . . . . . . . . . . . . . . . . . 13 68 4.2. Each MA may only have a single Controller at any point in 69 time . . . . . . . . . . . . . . . . . . . . . . . . . . 13 70 5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13 71 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 14 72 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15 73 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15 74 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16 75 5.2.3. Capabilities, Failure and Logging Information . . . . 20 76 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 22 77 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22 78 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 23 79 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 24 80 5.4.1. Reporting of Subscriber's service parameters . . . . 25 81 5.5. Operation of LMAP over the underlying packet transfer 82 mechanism . . . . . . . . . . . . . . . . . . . . . . . . 26 83 5.6. Items beyond the scope of the initial LMAP work . . . . . 27 84 5.6.1. End-user-controlled measurement system . . . . . . . 28 85 6. Deployment considerations . . . . . . . . . . . . . . . . . . 28 86 6.1. Controller and the measurement system . . . . . . . . . . 28 87 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 29 88 6.2.1. Measurement Agent on a networked device . . . . . . . 30 89 6.2.2. Measurement Agent embedded in site gateway . . . . . 30 90 6.2.3. Measurement Agent embedded behind site NAT /firewall 30 91 6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 31 92 6.2.5. Measurement Agent embedded in ISP network . . . . . . 31 94 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 32 95 6.4. Deployment examples . . . . . . . . . . . . . . . . . . . 32 96 7. Security considerations . . . . . . . . . . . . . . . . . . . 35 97 8. Privacy considerations . . . . . . . . . . . . . . . . . . . 37 98 8.1. Categories of entities with information of interest . . . 38 99 8.2. Examples of sensitive information . . . . . . . . . . . . 38 100 8.3. Different privacy issues raised by different sorts of 101 Measurement Methods . . . . . . . . . . . . . . . . . . . 39 102 8.4. Privacy analysis of the communication models . . . . . . 40 103 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 40 104 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 41 105 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 42 106 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 42 107 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 44 108 8.4.6. Storage and reporting of Measurement Results . . . . 45 109 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 45 110 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 45 111 8.5.2. Stored data compromise . . . . . . . . . . . . . . . 45 112 8.5.3. Correlation and identification . . . . . . . . . . . 46 113 8.5.4. Secondary use and disclosure . . . . . . . . . . . . 46 114 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 47 115 8.6.1. Data minimisation . . . . . . . . . . . . . . . . . . 47 116 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 48 117 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 49 118 8.6.4. Other mitigations . . . . . . . . . . . . . . . . . . 49 119 9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 50 120 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50 121 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 122 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 51 123 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 51 124 11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 52 125 11.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 52 126 11.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 53 127 11.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 54 128 11.7. From -06 to -07 . . . . . . . . . . . . . . . . . . . . 54 129 11.8. From -07 to -08 . . . . . . . . . . . . . . . . . . . . 54 130 11.9. From -08 to -09 . . . . . . . . . . . . . . . . . . . . 55 131 11.10. From -09 to -10 . . . . . . . . . . . . . . . . . . . . 55 132 11.11. From -10 to -11 . . . . . . . . . . . . . . . . . . . . 55 133 11.12. From -11 to -12 . . . . . . . . . . . . . . . . . . . . 55 134 12. Informative References . . . . . . . . . . . . . . . . . . . 55 135 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 137 1. Introduction 139 There is a desire to be able to coordinate the execution of broadband 140 measurements and the collection of measurement results across a large 141 scale set of Measurement Agents (MAs). These MAs could be software 142 based agents on PCs, embedded agents in consumer devices (such as TVs 143 or gaming consoles), embedded in service provider controlled devices 144 such as set-top boxes and home gateways, or simply dedicated probes. 145 MAs may also be embedded on a device that is part of an ISP's 146 network, such as a DSLAM (Digital Subscriber Line Access 147 Multiplexer), router, Carrier Grade NAT (Network Address Translator) 148 or ISP Gateway. It is expected that a measurement system could 149 easily encompass a few hundred thousand or even millions of such MAs. 150 Such a scale presents unique problems in coordination, execution and 151 measurement result collection. Several use cases have been proposed 152 for large-scale measurements including: 154 o Operators: to help plan their network and identify faults 156 o Regulators: to benchmark several network operators and support 157 public policy development 159 Further details of the use cases can be found in 160 [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for 161 these, as well as other use cases, such as to help end users run 162 diagnostic checks like a network speed test. 164 The LMAP Framework has three basic elements: Measurement Agents, 165 Controllers and Collectors. 167 Measurement Agents (MAs) initiate the actual measurements, which are 168 called Measurement Tasks in the LMAP terminology. In principle, 169 there are no restrictions on the type of device in which the MA 170 function resides. 172 The Controller instructs one or more MAs and communicates the set of 173 Measurement Tasks an MA should perform and when. For example it may 174 instruct a MA at a home gateway: "Measure the 'UDP latency' with 175 www.example.org; repeat every hour at xx.05". The Controller also 176 manages a MA by instructing it how to report the Measurement Results, 177 for example: "Report results once a day in a batch at 4am". We refer 178 to these as the Measurement Schedule and Report Schedule. 180 The Collector accepts Reports from the MAs with the Results from 181 their Measurement Tasks. Therefore the MA is a device that gets 182 Instructions from the Controller, initiates the Measurement Tasks, 183 and reports to the Collector. The communications between these three 184 LMAP functions are structured according to a Control Protocol and a 185 Report Protocol. 187 The desirable features for a large-scale Measurement Systems we are 188 designing for are: 190 o Standardised - in terms of the Measurement Tasks that they 191 perform, the components, the data models and protocols for 192 transferring information between the components. Amongst other 193 things, standardisation enables meaningful comparisons of 194 measurements made of the same metric at different times and 195 places, and provides the operator of a Measurement System with 196 criteria for evaluation of the different solutions that can be 197 used for various purposes including buying decisions (such as 198 buying the various components from different vendors). Today's 199 systems are proprietary in some or all of these aspects. 201 o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement 202 Agents in every home gateway and edge device such as set-top boxes 203 and tablet computers, and located throughout the Internet as well 204 [RFC7398]. It is expected that a Measurement System could easily 205 encompass a few hundred thousand or even millions of Measurement 206 Agents. Existing systems have up to a few thousand MAs (without 207 judging how much further they could scale). 209 o Diversity - a Measurement System should handle Measurement Agents 210 from different vendors, that are in wired and wireless networks, 211 can execute different sorts of Measurement Task, are on devices 212 with IPv4 or IPv6 addresses, and so on. 214 o Privacy Respecting - the protocols and procedures should respect 215 the sensitive information of all those involved in measurements. 217 2. Outline of an LMAP-based measurement system 219 In this section we provide an overview of the whole Measurement 220 System. New LMAP-specific terms are capitalised; Section 3 provides 221 a terminology section with a compilation of all the LMAP terms and 222 their definition. Section 4 onwards considers the LMAP components in 223 more detail. 225 Other LMAP specifications will define an information model, the 226 associated data models, and select/extend one or more protocols for 227 the secure communication: firstly, a Control Protocol, from a 228 Controller to instruct Measurement Agents what performance metrics to 229 measure, when to measure them, how/when to report the measurement 230 results to a Collector; secondly, a Report Protocol, for a 231 Measurement Agent to report the results to the Collector. 233 The Figure below shows the main components of a Measurement System, 234 and the interactions of those components. Some of the components are 235 outside the scope of initial LMAP work. 237 The MA performs Measurement Tasks. One possibility is that the MA is 238 observes existing traffic. Another possibility is for the MA to 239 generate (or receive) traffic specially created for the purpose and 240 measure some metric associated with its transfer. The 241 Figure includes both possibilities (in practice, it may be more usual 242 for a MA to do one) whilst Section 6.4 shows some examples of 243 possible arrangements of the components. 245 The MAs are pieces of code that can be executed in specialised 246 hardware (hardware probe) or on a general-purpose device (like a PC 247 or mobile phone). A device with a Measurement Agent may have 248 multiple physical interfaces (Wi-Fi, Ethernet, DSL (Digital 249 Subscriber Line); and non-physical interfaces such as PPPoE (Point- 250 to-Point Protocol over Ethernet) or IPsec) and the Measurement Tasks 251 may specify any one of these. 253 The Controller manages a MA through use of the Control Protocol, 254 which transfers the Instruction to the MA. This describes the 255 Measurement Tasks the MA should perform and when. For example the 256 Controller may instruct a MA at a home gateway: "Count the number of 257 TCP SYN packets observed in a 1 minute interval; repeat every hour at 258 xx.05 + Unif[0,180] seconds". The Measurement Schedule determines 259 when the Measurement Tasks are executed. The Controller also manages 260 a MA by instructing it how to report the Measurement Results, for 261 example: "Report results once a day in a batch at 4am + Unif[0,180] 262 seconds; if the end user is active then delay the report 5 minutes". 263 The Report Schedule determines when the Reports are uploaded to the 264 Collector. The Measurement Schedule and Report Schedule can define 265 one-off (non-recurring) actions ("Do measurement now", "Report as 266 soon as possible"), as well as recurring ones. 268 The Collector accepts a Report from a MA with the Measurement Results 269 from its Measurement Tasks. It then provides the Results to a 270 repository (see below). 272 A Measurement Method defines how to measure a Metric of interest. It 273 is very useful to standardise Measurement Methods, so that it is 274 meaningful to compare measurements of the same Metric made at 275 different times and places. It is also useful to define a registry 276 for commonly-used Metrics [I-D.ietf-ippm-metric-registry] so that a 277 Metric with its associated Measurement Method can be referred to 278 simply by its identifier in the registry. The registry will 279 hopefully be referenced by other standards organisations. The 280 Measurement Methods may be defined by the IETF, locally, or by some 281 other standards body. 283 Broadly speaking there are two types of Measurement Method. In both 284 types a Measurement Agent measures a particular Observed Traffic 285 Flow. It may involve a single MA simply observing existing traffic - 286 for example, the Measurement Agent could count bytes or calculate the 287 average loss for a particular flow. On the other hand, a Measurement 288 Method may involve multiple network entities, which perform different 289 roles. For example, a "ping" Measurement Method, to measure the 290 round trip delay , would consist of an MA sending an ICMP (Internet 291 Control Message Protocol) ECHO request to a responder in the 292 Internet. In LMAP terms, the responder is termed a Measurement Peer 293 (MP), meaning that it helps the MA but is not managed by the 294 Controller. Other Measurement Methods involve a second MA, with the 295 Controller instructing the MAs in a coordinated manner. Traffic 296 generated specifically as part of the Measurement Method is termed 297 Measurement Traffic; in the ping example, it is the ICMP ECHO 298 Requests and Replies. The protocols used for the Measurement Traffic 299 are out of the scope of initial LMAP work, and fall within the scope 300 of other IETF WGs such as IPPM (IP Performance Metrics). 302 A Measurement Task is the action performed by a particular MA at a 303 particular time, as the specific instance of its role in a 304 Measurement Method. LMAP is mainly concerned with Measurement Tasks, 305 for instance in terms of its Information Model and Protocols. 307 For Measurement Results to be truly comparable, as might be required 308 by a regulator, not only do the same Measurement Methods need to be 309 used to assess Metrics, but also the set of Measurement Tasks should 310 follow a similar Measurement Schedule and be of similar number. The 311 details of such a characterisation plan are beyond the scope of work 312 in IETF although certainly facilitated by IETF's work. 314 Both control and report messages are transferred over a secure 315 Channel. A Control Channel is between the Controller and a MA; the 316 Control Protocol delivers Instruction Messages to the MA and 317 Capabilities, Failure and Logging Information in the reverse 318 direction. A Report Channel is between a MA and Collector, and the 319 Report Protocol delivers Reports to the Collector. 321 Finally we introduce several components that are outside the scope of 322 initial LMAP work and will be provided through existing protocols or 323 applications. They affect how the Measurement System uses the 324 Measurement Results and how it decides what set of Measurement Tasks 325 to perform. As shown in the Figure, these components are: the 326 bootstrapper, Subscriber parameter database, data analysis tools, and 327 Results repository. 329 The MA needs to be bootstrapped with initial details about its 330 Controller, including authentication credentials. The LMAP work 331 considers the bootstrap process, since it affects the Information 332 Model. However, LMAP does not define a bootstrap protocol, since it 333 is likely to be technology specific and could be defined by the 334 Broadband Forum, CableLabs or IEEE depending on the device. Possible 335 protocols are SNMP (Simple Network Management Protocol), NETCONF 336 (Network Configuration Protocol) or (for Home Gateways) CPE WAN 337 Management Protocol (CWMP) from the Auto Configuration Server (ACS) 338 (as specified in TR-069 [TR-069]). 340 A Subscriber parameter database contains information about the line, 341 such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), 342 the line technology (DSL or fibre), the time zone where the MA is 343 located, and the type of home gateway and MA. These parameters are 344 already gathered and stored by existing operations systems. They may 345 affect the choice of what Measurement Tasks to run and how to 346 interpret the Measurement Results. For example, a download test 347 suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s 348 line. 350 A Results repository records all Measurement Results in an equivalent 351 form, for example an SQL (Structured Query Language) database, so 352 that they can easily be accessed by the data analysis tools. 354 The data analysis tools receive the results from the Collector or via 355 the Results repository. They might visualise the data or identify 356 which component or link is likely to be the cause of a fault or 357 degradation. This information could help the Controller decide what 358 follow-up Measurement Task to perform in order to diagnose a fault. 359 The data analysis tools also need to understand the Subscriber's 360 service information, for example the broadband contract. 362 +-----------+ +-----------+ ^ 363 | | | | | 364 | End user | | End user | | 365 | | | | Non-LMAP 366 +-----------+ +-----------+ Scope 367 ^ Observed ^ ^ | 368 \ traffic flow +-------------+ / / | 369 \...............|.............|..../ / Measurement | 370 | Measurement |......../ traffic v 371 | Agent | ^ 372 +----------------->| | | 373 | +-------------+ | 374 | ^ | | 375 | Instruction | | Report | 376 | (over Control | | (over Report Channel) | 377 | Channel) | +---------------+ | 378 | | | | 379 | | | | 380 | | v LMAP 381 | +------------+ +------------+ Scope 382 | | Controller | | Collector | | 383 | +------------+ +------------+ v 384 | ^ ^ | ^ 385 | | | | | 386 | | +-------+ | | 387 | | | v | 388 +------------+ +----------+ +--------+ +----------+ | 389 |Bootstrapper| |Subscriber|--->| data |<---| Results | Non- 390 +------------+ |parameter | |analysis| |repository| LMAP 391 |database | | tools | +----------+ Scope 392 +----------+ +--------+ | 393 | 394 v 396 Schematic of main elements of an LMAP-based Measurement System 397 (showing the elements in and out of the scope of initial LMAP work) 399 3. Terminology 401 This section defines terminology for LMAP. Please note that defined 402 terms are capitalized. 404 Bootstrap: A process that integrates a Measurement Agent into a 405 Measurement System. 407 Capabilities: Information about the performance measurement 408 capabilities of the MA, in particular the Measurement Method roles 409 and measurement protocol roles that it can perform, and the device 410 hosting the MA, for example its interface type and speed, but not 411 dynamic information. 413 Channel: A bi-directional logical connection that is defined by a 414 specific Controller and MA, or Collector and MA, plus associated 415 security. 417 Collector: A function that receives a Report from a Measurement 418 Agent. 420 Configuration: A process for informing the MA about its MA-ID, 421 (optional) Group-ID and Control Channel. 423 Controller: A function that provides a Measurement Agent with its 424 Instruction. 426 Control Channel: A Channel between a Controller and a MA over which 427 Instruction Messages and Capabilities, Failure and Logging 428 Information are sent. 430 Control Protocol: The protocol delivering Instruction(s) from a 431 Controller to a Measurement Agent. It also delivers Capabilities, 432 Failure and Logging Information from the Measurement Agent to the 433 Controller. It can also be used to update the MA's Configuration. 434 It runs over the Control Channel. 436 Cycle-ID: A tag that is sent by the Controller in an Instruction and 437 echoed by the MA in its Report. The same Cycle-ID is used by several 438 MAs that use the same Measurement Method for a Metric with the same 439 Input Parameters. Hence the Cycle-ID allows the Collector to easily 440 identify Measurement Results that should be comparable. 442 Data Model: The implementation of an Information Model in a 443 particular data modelling language [RFC3444]. 445 Environmental Constraint: A parameter that is measured as part of the 446 Measurement Task, its value determining whether the rest of the 447 Measurement Task proceeds. 449 Failure Information: Information about the MA's failure to action or 450 execute an Instruction, whether concerning Measurement Tasks or 451 Reporting. 453 Group-ID: An identifier of a group of MAs. 455 Information Model: The protocol-neutral definition of the semantics 456 of the Instructions, the Report, the status of the different elements 457 of the Measurement System as well of the events in the system 458 [RFC3444]. 460 Input Parameter: A parameter whose value is left open by the Metric 461 and its Measurement Method and is set to a specific value in a 462 Measurement Task. Altering the value of an Input Parameter does not 463 change the fundamental nature of the Measurement Task. 465 Instruction: The description of Measurement Tasks for a MA to perform 466 and the details of the Report for it to send. It is the collective 467 description of the Measurement Task configurations, the configuration 468 of the Measurement Schedules, the configuration of the Report 469 Channel(s), the configuration of Report Schedule(s), and the details 470 of any suppression. 472 Instruction Message: The message that carries an Instruction from a 473 Controller to a Measurement Agent. 475 Logging Information: Information about the operation of the 476 Measurement Agent, which may be useful for debugging. 478 Measurement Agent (MA): The function that receives Instruction 479 Messages from a Controller and operates the Instruction by executing 480 Measurement Tasks (using protocols outside the initial LMAP work 481 scope and perhaps in concert with one or more other Measurement 482 Agents or Measurement Peers) and (if part of the Instruction) by 483 reporting Measurement Results to a Collector or Collectors. 485 Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that 486 identifies a particular MA and is configured as part of the 487 Bootstrapping process. 489 Measurement Method: The process for assessing the value of a Metric; 490 the process of measuring some performance or reliability parameter 491 associated with the transfer of traffic. 493 Measurement Peer (MP): The function that assists a Measurement Agent 494 with Measurement Tasks and does not have an interface to the 495 Controller or Collector. 497 Measurement Result: The output of a single Measurement Task (the 498 value obtained for the parameter of interest or Metric). 500 Measurement Schedule: The schedule for performing Measurement Tasks. 502 Measurement System: The set of LMAP-defined and related components 503 that are operated by a single organisation, for the purpose of 504 measuring performance aspects of the network. 506 Measurement Task: The action performed by a particular Measurement 507 Agent that consists of the single assessment of a Metric through 508 operation of a Measurement Method role at a particular time, with all 509 of the role's Input Parameters set to specific values. 511 Measurement Traffic: the packet(s) generated by some types of 512 Measurement Method that involve measuring some parameter associated 513 with the transfer of the packet(s). 515 Metric: The quantity related to the performance and reliability of 516 the network that we'd like to know the value of. 518 Observed Traffic Flow: In RFC 7011, a Traffic Flow (or Flow) is 519 defined as a set of packets or frames passing an Observation Point in 520 the network during a certain time interval. All packets belonging to 521 a particular Flow have a set of common properties, such as packet 522 header fields, characteristics, and treatments. A Flow measured by 523 the LMAP system is termed an Observed Traffic Flow. Its properties 524 are summarized and tabulated in Measurement Results (as opposed to 525 raw capture and export). 527 Report: The set of Measurement Results and other associated 528 information (as defined by the Instruction). The Report is sent by a 529 Measurement Agent to a Collector. 531 Report Channel: A Channel between a Collector and a MA over which 532 Report messages are sent. 534 Report Protocol: The protocol delivering Report(s) from a Measurement 535 Agent to a Collector. It runs over the Report Channel. 537 Report Schedule: the schedule for sending Reports to a Collector. 539 Subscriber: An entity (associated with one or more users) that is 540 engaged in a subscription with a service provider. 542 Suppression: the temporary cessation of Measurement Tasks. 544 4. Constraints 546 The LMAP framework makes some important assumptions, which constrain 547 the scope of the initial LMAP work. 549 4.1. The measurement system is under the direction of a single 550 organisation 552 In the LMAP framework, the Measurement System is under the direction 553 of a single organisation that is responsible for any impact that its 554 measurements have on a user's quality of experience and privacy. 555 Clear responsibility is critical given that a misbehaving large-scale 556 Measurement System could potentially harm user experience, user 557 privacy and network security. 559 However, the components of an LMAP Measurement System can be deployed 560 in administrative domains that are not owned by the measuring 561 organisation. Thus, the system of functions deployed by a single 562 organisation constitutes a single LMAP domain which may span 563 ownership or other administrative boundaries. 565 4.2. Each MA may only have a single Controller at any point in time 567 A MA is instructed by one Controller and is in one Measurement 568 System. The constraint avoids different Controllers giving a MA 569 conflicting instructions and so means that the MA does not have to 570 manage contention between multiple Measurement (or Report) Schedules. 571 This simplifies the design of MAs (critical for a large-scale 572 infrastructure) and allows a Measurement Schedule to be tested on 573 specific types of MA before deployment to ensure that the end user 574 experience is not impacted (due to CPU, memory or broadband-product 575 constraints). However, a Measurement System may have several 576 Controllers. 578 5. Protocol Model 580 A protocol model [RFC4101] presents an architectural model for how 581 the protocol operates and needs to answer three basic questions: 583 1. What problem is the protocol trying to address? 585 2. What messages are being transmitted and what do they mean? 587 3. What are the important, but unobvious, features of the protocol? 589 An LMAP system goes through the following phases: 591 o a Bootstrapping process before the MA can take part in the other 592 three phases. 594 o a Control Protocol, which delivers Instruction Messages from a 595 Controller to a MA (amongst other things). 597 o the actual Measurement Tasks, which measure some performance or 598 reliability parameter(s) associated with the transfer of packets. 600 o a Report Protocol, which delivers Reports containing the 601 Measurement Results from a MA to a Collector. 603 The diagrams show the various LMAP messages and uses the following 604 convention: 606 o (optional): indicated by round brackets 608 o [potentially repeated]: indicated by square brackets 610 The protocol model is closely related to the Information Model 611 [I-D.ietf-lmap-information-model], which is the abstract definition 612 of the information carried by the protocol. (If there is any 613 difference between this document and the Information Model, the 614 latter is definitive, since it is on the standards track.) The 615 purpose of both is to provide a protocol and device independent view, 616 which can be implemented via specific protocols. LMAP defines a 617 specific Control Protocol and Report Protocol, but others could be 618 defined by other standards bodies or be proprietary. However it is 619 important that they all implement the same Information Model and 620 protocol model, in order to ease the definition, operation and 621 interoperability of large-scale Measurement Systems. 623 5.1. Bootstrapping process 625 The primary purpose of bootstrapping is to enable a MA to be 626 integrated into a Measurement System. The MA retrieves information 627 about itself (like its identity in the Measurement System) and about 628 the Controller, the Controller learns information about the MA, and 629 they learn about security information to communicate (such as 630 certificates and credentials). 632 Whilst this memo considers the bootstrapping process, it is beyond 633 the scope of initial LMAP work to define a bootstrap mechanism, as it 634 depends on the type of device and access. 636 As a result of the bootstrapping process the MA learns information 637 with the following aims ([I-D.ietf-lmap-information-model] defines 638 the consequent list of information elements): 640 o its identifier, either its MA-ID or a device identifier such as 641 one of its MAC or both. 643 o (optionally) a Group-ID. A Group-ID would be shared by several 644 MAs and could be useful for privacy reasons. For instance, 645 reporting the Group-ID and not the MA-ID could hinder tracking of 646 a mobile device 648 o the Control Channel, which is defined by: 650 * the address which identifies the Control Channel, such as the 651 Controller's FQDN (Fully Qualified Domain Name) [RFC1035]) 653 * security information (for example to enable the MA to decrypt 654 the Instruction Message and encrypt messages sent to the 655 Controller) 657 The details of the bootstrapping process are device /access specific. 658 For example, the information could be in the firmware, manually 659 configured or transferred via a protocol like TR-069 [TR-069]. There 660 may be a multi-stage process where the MA contacts a 'hard-coded' 661 address, which replies with the bootstrapping information. 663 The MA must learn its MA-ID before getting an Instruction, either 664 during Bootstrapping or via Configuration (Section 5.2.1). 666 5.2. Control Protocol 668 The primary purpose of the Control Protocol is to allow the 669 Controller to configure a Measurement Agent with an Instruction about 670 what Measurement Tasks to do, when to do them, and how to report the 671 Measurement Results (Section 5.2.2). The Measurement Agent then acts 672 on the Instruction autonomously. The Control Protocol also enables 673 the MA to inform the Controller about its Capabilities and any 674 Failure and Logging Information (Section 5.2.2). Finally, the 675 Control Protocol allows the Controller to update the MA's 676 Configuration. 678 5.2.1. Configuration 680 Configuration allows the Controller to update the MA about some or 681 all of the information that it obtained during the bootstrapping 682 process: the MA-ID, the (optional) Group-ID and the Control Channel. 683 The Measurement System might use Configuration for several reasons. 684 For example, the bootstrapping process could 'hard code' the MA with 685 details of an initial Controller, and then the initial Controller 686 could configure the MA with details about the Controller that sends 687 Instruction Messages. (Note that a MA only has one Control Channel, 688 and so is associated with only one Controller, at any moment.) 690 Note that an implementation may choose to combine Configuration 691 information and an Instruction Message into a single message. 693 +-----------------+ +-------------+ 694 | | | Measurement | 695 | Controller |===================================| Agent | 696 +-----------------+ +-------------+ 698 Configuration information: -> 699 (MA-ID), 700 (Group-ID), 701 (Control Channel) 702 <- Response(details) 704 5.2.2. Instruction 706 The Instruction is the description of the Measurement Tasks for a 707 Measurement Agent to do and the details of the Measurement Reports 708 for it to send. In order to update the Instruction the Controller 709 uses the Control Protocol to send an Instruction Message over the 710 Control Channel. 712 +-----------------+ +-------------+ 713 | | | Measurement | 714 | Controller |===================================| Agent | 715 +-----------------+ +-------------+ 717 Instruction: -> 718 [(Measurement Task configuration 719 URI of Metric( 720 [Input Parameter], 721 (Role) 722 (interface), 723 (Cycle-ID) 724 (measurement point)), 725 (Report Channel), 726 (Schedule), 727 (Suppression information)] 728 <- Response(details) 730 The Instruction defines information with the following aims 731 ([I-D.ietf-lmap-information-model] defines the consequent list of 732 information elements): 734 o the Measurement Task configurations, each of which needs: 736 * the Metric, specified as a URI to a registry entry; it includes 737 the specification of a Measurement Method. The registry could 738 be defined by a standards organisation or locally by the 739 operator of the Measurement System. Note that, at the time of 740 writing, the IETF works on such a registry specification 741 [I-D.ietf-ippm-metric-registry]. 743 * the Measurement Method role. For some Measurement Methods, 744 different parties play different roles; for example (see 745 Section 6.4) an iperf sender and receiver. Each Metric and its 746 associated Measurement Method will describe all measurement 747 roles involved in the process. 749 * a boolean flag (suppress or do-not-suppress) indicating if such 750 a Measurement Task is impacted by a Suppression message (see 751 Section 5.2.2.1). Thus, the flag is an Input Parameter. 753 * any Input Parameters that need to be set for the Metric and the 754 Measurement Method. For example, the address of a Measurement 755 Peer (or other Measurement Agent) that may be involved in a 756 Measurement Task , or traffic filters associated with the 757 Observed Traffic Flow. 759 * if the device with the MA has multiple interfaces, then the 760 interface to use (if not defined, then the default interface is 761 used). 763 * optionally, a Cycle-ID. 765 * optionally, the measurement point designation [RFC7398] of the 766 MA and, if applicable, of the MP or other MA. This can be 767 useful for reporting. 769 o configuration of the Schedules, each of which needs: 771 * the timing of when the Measurement Tasks are to be performed, 772 or the Measurement Reports are to be sent. Possible types of 773 timing are periodic, calendar-based periodic, one-off immediate 774 and one-off at a future time 776 o configuration of the Report Channel(s), each of which needs: 778 * the address of the Collector, for instance its URL 780 * security for this Report Channel, for example the X.509 781 certificate 783 o Suppression information, if any (see Section 5.2.1.1) 784 A single Instruction Message may contain some or all of the above 785 parts. The finest level of granularity possible in an Instruction 786 Message is determined by the implementation and operation of the 787 Control Protocol. For example, a single Instruction Message may add 788 or update an individual Measurement Schedule - or it may only update 789 the complete set of Measurement Schedules; a single Instruction 790 Message may update both Measurement Schedules and Measurement Task 791 configurations - or only one at a time; and so on. However, 792 Suppression information always replaces (rather than adds to) any 793 previous Suppression information. 795 The MA informs the Controller that it has successfully understood the 796 Instruction Message, or that it cannot action the Instruction - for 797 example, if it doesn't include a parameter that is mandatory for the 798 requested Metric and Measurement Method, or it is missing details of 799 the target Collector. 801 The Instruction Message instructs the MA; the Control Protocol does 802 not allow the MA to negotiate, as this would add complexity to the 803 MA, Controller and Control Protocol for little benefit. 805 5.2.2.1. Suppression 807 The Instruction may include Suppression information. The main 808 motivation for Suppression is to enable the Measurement System to 809 eliminate Measurement Traffic, because there is some unexpected 810 network issue for example. There may be other circumstances when 811 Suppression is useful, for example to eliminate inessential Reporting 812 traffic (even if there is no Measurement Traffic). 814 The Suppression information may include any of the following optional 815 fields: 817 o a set of Measurement Tasks to suppress; the others are not 818 suppressed. For example, this could be useful if a particular 819 Measurement Task is overloading a Measurement Peer with 820 Measurement Traffic. 822 o a set of Measurement Schedules to suppress; the others are not 823 suppressed. For example, suppose the Measurement System has 824 defined two Schedules, one with the most critical Measurement 825 Tasks and the other with less critical ones that create a lot of 826 Measurement Traffic, then it may only want to suppress the second. 828 o a set of Reporting Schedules to suppress; the others are not 829 suppressed. This can be particularly useful in the case of a 830 Measurement Method that doesn't generate Measurement Traffic; it 831 may need to continue observing traffic flows but temporarily 832 suppress Reports due to the network footprint of the Reports. 834 o if all the previous fields are included then the MA suppresses the 835 union - in other words, it suppresses the set of Measurement 836 Tasks, the set of Measurement Schedules, and the set of Reporting 837 Schedules. 839 o if the Suppression information includes neither a set of 840 Measurement Tasks nor a set of Measurement Schedules, then the MA 841 does not begin new Measurement Tasks that have the boolean flag 842 set to "suppress"; however, the MA does begin new Measurement 843 Tasks that have the flag set to "do-not-suppress". 845 o a start time, at which suppression begins. If absent, then 846 Suppression begins immediately. 848 o an end time, at which suppression ends. If absent, then 849 Suppression continues until the MA receives an un-Suppress 850 message. 852 o a demand that the MA immediately ends on-going Measurement Task(s) 853 that are tagged for suppression. (Most likely it is appropriate 854 to delete the associated partial Measurement Result(s).) This 855 could be useful in the case of a network emergency so that the 856 operator can eliminate all inessential traffic as rapidly as 857 possible. If absent, the MA completes on-going Measurement Tasks. 859 An un-Suppress message instructs the MA no longer to suppress, 860 meaning that the MA once again begins new Measurement Tasks, 861 according to its Measurement Schedule. 863 Note that Suppression is not intended to permanently stop a 864 Measurement Task (instead, the Controller should send a new 865 Measurement Schedule), nor to permanently disable a MA (instead, some 866 kind of management action is suggested). 868 +-----------------+ +-------------+ 869 | | | Measurement | 870 | Controller |==============================| Agent | 871 +-----------------+ +-------------+ 873 Suppress: 874 [(Measurement Task), -> 875 (Measurement Schedule), 876 [start time], 877 [end time], 878 [on-going suppressed?]] 880 Un-suppress -> 882 5.2.3. Capabilities, Failure and Logging Information 884 The Control Protocol also enables the MA to inform the Controller 885 about various information, such as its Capabilities and any Failures. 886 It is also possible to use a device-specific mechanism which is 887 beyond the scope of the initial LMAP work. 889 Capabilities are information about the MA that the Controller needs 890 to know in order to correctly instruct the MA, such as: 892 o the Measurement Method (roles) that the MA supports 894 o the measurement protocol types and roles that the MA supports 896 o the interfaces that the MA has 898 o the version of the MA 900 o the version of the hardware, firmware or software of the device 901 with the MA 903 o its Instruction (this could be useful if the Controller thinks 904 something has gone wrong, and wants to check what Instruction the 905 MA is using) 907 o but not dynamic information like the currently unused CPU, memory 908 or battery life of the device with the MA. 910 Failure Information concerns why the MA has been unable to execute a 911 Measurement Task or deliver a Report, for example: 913 o the Measurement Task failed to run properly because the MA 914 (unexpectedly) has no spare CPU cycles 916 o the MA failed to record the Measurement Results because it 917 (unexpectedly) is out of spare memory 919 o a Report failed to deliver Measurement Results because the 920 Collector (unexpectedly) is not responding 922 o but not if a Measurement Task correctly doesn't start. For 923 example, the first step of some Measurement Methods is for the MA 924 to check there is no cross-traffic. 926 Logging Information concerns how the MA is operating and may help 927 debugging, for example: 929 o the last time the MA ran a Measurement Task 931 o the last time the MA sent a Measurement Report 933 o the last time the MA received an Instruction Message 935 o whether the MA is currently Suppressing Measurement Tasks 937 Capabilities, Failure and Logging Information are sent by the MA, 938 either in response to a request from the Controller (for example, if 939 the Controller forgets what the MA can do or otherwise wants to 940 resynchronize what it knows about the MA), or on its own initiative 941 (for example when the MA first communicates with a Controller or if 942 it becomes capable of a new Measurement Method). Another example of 943 the latter case is if the device with the MA re-boots, then the MA 944 should notify its Controller in case its Instruction needs to be 945 updated; to avoid a "mass calling event" after a widespread power 946 restoration affecting many MAs, it is sensible for an MA to pause for 947 a random delay, perhaps in the range of one minute or so. 949 +-----------------+ +-------------+ 950 | | | Measurement | 951 | Controller |==================================| Agent | 952 +-----------------+ +-------------+ 954 (Instruction: 955 [(Request Capabilities), 956 (Request Failure Information), 957 (Request Logging Information), 958 (Request Instruction)]) -> 959 <- (Capabilities), 960 (Failure Information), 961 (Logging Information), 962 (Instruction) 964 5.3. Operation of Measurement Tasks 966 This LMAP framework is neutral to what the actual Measurement Task 967 is. It does not define Metrics and Measurement Methods, these are 968 defined elsewhere. 970 The MA carries out the Measurement Tasks as instructed, unless it 971 gets an updated Instruction. The MA acts autonomously, in terms of 972 operation of the Measurement Tasks and reporting of the Results; it 973 doesn't do a 'safety check' with the Controller to ask whether it 974 should still continue with the requested Measurement Tasks. 976 The MA may operate Measurement Tasks sequentially or in parallel (see 977 Section 5.3.2). 979 5.3.1. Starting and Stopping Measurement Tasks 981 This LMAP framework does not define a generic start and stop process, 982 since the correct approach depends on the particular Measurement 983 Task; the details are defined as part of each Measurement Method. 984 This section provides some general hints. The MA does not inform the 985 Controller about Measurement Tasks starting and stopping. 987 Before beginning a Measurement Task the MA may want to run a pre- 988 check. (The pre-check could be defined as a separate, preceding Task 989 or as the first part of a larger Task.) 991 For Measurement Tasks that observe existing traffic, action could 992 include: 994 o checking that there is traffic of interest; 996 o checking that the device with the MA has enough resources to 997 execute the Measurement Task reliably. Note that the designer of 998 the Measurement System should ensure that the device's 999 capabilities are normally sufficient to comfortably operate the 1000 Measurement Tasks. 1002 For Measurement Tasks that generate Measurement Traffic, a pre-check 1003 could include: 1005 o the MA checking that there is no cross-traffic. In other words, a 1006 check that the end-user isn't already sending traffic; 1008 o the MA checking with the Measurement Peer (or other Measurement 1009 Agent) involved in the Measurement Task that it can handle a new 1010 Measurement Task. For example, the Measurement Peer may already 1011 be handling many Measurement Tasks with other MAs; 1013 o sending traffic that probes the path to check it isn't overloaded; 1015 o checking that the device with the MA has enough resources to 1016 execute the Measurement Task reliably. 1018 It is possible that similar checks continue during the Measurement 1019 Task, especially one that is long-running and/or creates a lot of 1020 Measurement Traffic, and might lead to it being abandoned whilst in- 1021 progress. A Measurement Task could also be abandoned in response to 1022 a "suppress" message (see Section 5.2.1). Action could include: 1024 o For 'upload' tests, the MA not sending traffic 1026 o For 'download' tests, the MA closing the TCP connection or sending 1027 a TWAMP (Two-Way Active Measurement Protocol) Stop control message 1028 [RFC5357]. 1030 The Controller may want a MA to run the same Measurement Task 1031 indefinitely (for example, "run the 'upload speed' Measurement Task 1032 once an hour until further notice"). To avoid the MA generating 1033 traffic forever after a Controller has permanently failed (or 1034 communications with the Controller have failed), the MA can be 1035 configured with a time limit; if the MA doesn't hear from the 1036 Controller for this length of time, then it stops operating 1037 Measurement Tasks. 1039 5.3.2. Overlapping Measurement Tasks 1041 It is possible that a MA starts a new Measurement Task before another 1042 Measurement Task has completed. This may be intentional (the way 1043 that the Measurement System has designed the Measurement Schedules), 1044 but it could also be unintentional - for instance, if a Measurement 1045 Task has a 'wait for X' step which pauses for an unexpectedly long 1046 time. This document makes no assumptions about the impact of one 1047 Measurement Task on another. 1049 The operator of the Measurement System can handle (or not) 1050 overlapping Measurement Tasks in any way they choose - it is a policy 1051 or implementation issue and not the concern of LMAP. Some possible 1052 approaches are: to configure the MA not to begin the second 1053 Measurement Task; to start the second Measurement Task as usual; for 1054 the action to be an Input Parameter of the Measurement Task; and so 1055 on. 1057 It may be important to include in the Measurement Report the fact 1058 that the Measurement Task overlapped with another. 1060 5.4. Report Protocol 1062 The primary purpose of the Report Protocol is to allow a Measurement 1063 Agent to report its Measurement Results to a Collector, along with 1064 the context in which they were obtained. 1066 +-----------------+ +-------------+ 1067 | | | Measurement | 1068 | Collector |==================================| Agent | 1069 +-----------------+ +-------------+ 1071 <- Report: 1072 [MA-ID &/or Group-ID], 1073 [Measurement Result], 1074 [details of Measurement Task], 1075 [Cycle-ID] 1076 ACK -> 1078 The Report contains: 1080 o the MA-ID or a Group-ID (to anonymise results) 1082 o the actual Measurement Results, including the time they were 1083 measured. In general the time is simply the MA's best estimate 1084 and there is no guarantee on the accuracy or granularity of the 1085 information. It is possible that some specific analysis of a 1086 particular Measurement Method's Results will impose timing 1087 requirements. 1089 o the details of the Measurement Task (to avoid the Collector having 1090 to ask the Controller for this information later). For example, 1091 the interface used for the measurements. 1093 o the Cycle-ID, if one was included in the Instruction. 1095 o perhaps the Subscriber's service parameters (see Section 5.4.1). 1097 o the measurement point designation of the MA and, if applicable, 1098 the MP or other MA, if the information was included in the 1099 Instruction. This numbering system is defined in [RFC7398] and 1100 allows a Measurement Report to describe abstractly the path 1101 measured (for example, "from a MA at a home gateway to a MA at a 1102 DSLAM"). Also, the MA can anonymise results by including 1103 measurement point designations instead of IP addresses 1104 (Section 8.6.2). 1106 The MA sends Reports as defined by the Instruction. It is possible 1107 that the Instruction tells the MA to report the same Results to more 1108 than one Collector, or to report a different subset of Results to 1109 different Collectors. It is also possible that a Measurement Task 1110 may create two (or more) Measurement Results, which could be reported 1111 differently (for example, one Result could be reported periodically, 1112 whilst the second Result could be an alarm that is created as soon as 1113 the measured value of the Metric crosses a threshold and that is 1114 reported immediately). 1116 Optionally, a Report is not sent when there are no Measurement 1117 Results. 1119 In the initial LMAP Information Model and Report Protocol, for 1120 simplicity we assume that all Measurement Results are reported as-is, 1121 but allow extensibility so that a Measurement System (or perhaps a 1122 second phase of LMAP) could allow a MA to: 1124 o label, or perhaps not include, Measurement Results impacted by, 1125 for instance, cross-traffic or a Measurement Peer (or other 1126 Measurement Agent) being busy 1128 o label Measurement Results obtained by a Measurement Task that 1129 overlapped with another 1131 o not report the Measurement Results if the MA believes that they 1132 are invalid 1134 o detail when Suppression started and ended 1136 As discussed in Section 6.1, data analysis of the results should 1137 carefully consider potential bias from any Measurement Results that 1138 are not reported, or from Measurement Results that are reported but 1139 may be invalid. 1141 5.4.1. Reporting of Subscriber's service parameters 1143 The Subscriber's service parameters are information about his/her 1144 broadband contract, line rate and so on. Such information is likely 1145 to be needed to help analyse the Measurement Results, for example to 1146 help decide whether the measured download speed is reasonable. 1148 The information could be transferred directly from the Subscriber 1149 parameter database to the data analysis tools. If the subscriber's 1150 service parameters are available to the MAs, they could be reported 1151 with the Measurement Results in the Report Protocol. How (and if) 1152 the MA knows such information is likely to depend on the device type. 1154 The MA could either include the information in a Measurement Report 1155 or separately. 1157 5.5. Operation of LMAP over the underlying packet transfer mechanism 1159 The above sections have described LMAP's protocol model. Other 1160 specifications will define the actual Control and Report Protocols, 1161 possibly operating over an existing protocol, such as REST-style 1162 HTTP(S). It is also possible that a different choice is made for the 1163 Control and Report Protocols, for example NETCONF-YANG [RFC6241] and 1164 IPFIX (Internet Protocol Flow Information Export) [RFC7011] 1165 respectively. 1167 From an LMAP perspective, the Controller needs to know that the MA 1168 has received the Instruction Message, or at least that it needs to be 1169 re-sent as it may have failed to be delivered. Similarly the MA 1170 needs to know about the delivery of Capabilities and Failure 1171 information to the Controller and Reports to the Collector. How this 1172 is done depends on the design of the Control and Report Protocols and 1173 the underlying packet transfer mechanism. 1175 For the Control Protocol, the underlying packet transfer mechanism 1176 could be: 1178 o a 'push' protocol (that is, from the Controller to the MA) 1180 o a multicast protocol (from the Controller to a group of MAs) 1182 o a 'pull' protocol. The MA periodically checks with Controller if 1183 the Instruction has changed and pulls a new Instruction if 1184 necessary. A pull protocol seems attractive for a MA behind a NAT 1185 or firewall (as is typical for a MA on an end-user's device), so 1186 that it can initiate the communications. It also seems attractive 1187 for a MA on a mobile device, where the Controller might not know 1188 how to reach the MA. A pull mechanism is likely to require the MA 1189 to be configured with how frequently it should check in with the 1190 Controller, and perhaps what it should do if the Controller is 1191 unreachable after a certain number of attempts. 1193 o a hybrid protocol. In addition to a pull protocol, the Controller 1194 can also push an alert to the MA that it should immediately pull a 1195 new Instruction. 1197 For the Report Protocol, the underlying packet transfer mechanism 1198 could be: 1200 o a 'push' protocol (that is, from the MA to the Collector) 1201 o perhaps supplemented by the ability for the Collector to 'pull' 1202 Measurement Results from a MA. 1204 5.6. Items beyond the scope of the initial LMAP work 1206 There are several potential interactions between LMAP elements that 1207 are beyond the scope of the initial LMAP work: 1209 1. It does not define a coordination process between MAs. Whilst a 1210 Measurement System may define coordinated Measurement Schedules 1211 across its various MAs, there is no direct coordination between 1212 MAs. 1214 2. It does not define interactions between the Collector and 1215 Controller. It is quite likely that there will be such 1216 interactions, optionally intermediated by the data analysis 1217 tools. For example, if there is an "interesting" Measurement 1218 Result then the Measurement System may want to trigger extra 1219 Measurement Tasks that explore the potential cause in more 1220 detail; or if the Collector unexpectedly does not hear from a MA, 1221 then the Measurement System may want to trigger the Controller to 1222 send a fresh Instruction Message to the MA. 1224 3. It does not define coordination between different Measurement 1225 Systems. For example, it does not define the interaction of a MA 1226 in one Measurement System with a Controller or Collector in a 1227 different Measurement System. Whilst it is likely that the 1228 Control and Report Protocols could be re-used or adapted for this 1229 scenario, any form of coordination between different 1230 organisations involves difficult commercial and technical issues 1231 and so, given the novelty of large-scale measurement efforts, any 1232 form of inter-organisation coordination is outside the scope of 1233 the initial LMAP work. Note that a single MA is instructed by a 1234 single Controller and is only in one Measurement System. 1236 * An interesting scenario is where a home contains two 1237 independent MAs, for example one controlled by a regulator and 1238 one controlled by an ISP. Then the Measurement Traffic of one 1239 MA is treated by the other MA just like any other end-user 1240 traffic. 1242 4. It does not consider how to prevent a malicious party "gaming the 1243 system". For example, where a regulator is running a Measurement 1244 System in order to benchmark operators, a malicious operator 1245 could try to identify the broadband lines that the regulator was 1246 measuring and prioritise that traffic. It is assumed this is a 1247 policy issue and would be dealt with through a code of conduct 1248 for instance. 1250 5. It does not define how to analyse Measurement Results, including 1251 how to interpret missing Results. 1253 6. It does not specifically define a end-user-controlled Measurement 1254 System, see sub-section 5.6.1. 1256 5.6.1. End-user-controlled measurement system 1258 This framework concentrates on the cases where an ISP or a regulator 1259 runs the Measurement System. However, we expect that LMAP 1260 functionality will also be used in the context of an end-user- 1261 controlled Measurement System. There are at least two ways this 1262 could happen (they have various pros and cons): 1264 1. an end-user could somehow request the ISP- (or regulator-) run 1265 Measurement System to test his/her line. The ISP (or regulator) 1266 Controller would then send an Instruction to the MA in the usual 1267 LMAP way. 1269 2. an end-user could deploy their own Measurement System, with their 1270 own MA, Controller and Collector. For example, the user could 1271 implement all three functions onto the same end-user-owned end 1272 device, perhaps by downloading the functions from the ISP or 1273 regulator. Then the LMAP Control and Report Protocols do not 1274 need to be used, but using LMAP's Information Model would still 1275 be beneficial. A Measurement Peer (or other MA involved in a 1276 Measurement Task) could be in the home gateway or outside the 1277 home network; in the latter case the Measurement Peer is highly 1278 likely to be run by a different organisation, which raises extra 1279 privacy considerations. 1281 In both cases there will be some way for the end-user to initiate the 1282 Measurement Task(s). The mechanism is outside the scope of the 1283 initial LMAP work, but could include the user clicking a button on a 1284 GUI or sending a text message. Presumably the user will also be able 1285 to see the Measurement Results, perhaps summarised on a webpage. It 1286 is suggested that these interfaces conform to the LMAP guidance on 1287 privacy in Section 8. 1289 6. Deployment considerations 1291 6.1. Controller and the measurement system 1293 The Controller should understand both the MA's LMAP Capabilities (for 1294 instance what Metrics and Measurement Methods it can perform) and 1295 about the MA's other capabilities like processing power and memory. 1296 This allows the Controller to make sure that the Measurement Schedule 1297 of Measurement Tasks and the Reporting Schedule are sensible for each 1298 MA that it instructs. 1300 An Instruction is likely to include several Measurement Tasks. 1301 Typically these run at different times, but it is also possible for 1302 them to run at the same time. Some Tasks may be compatible, in that 1303 they do not affect each other's Results, whilst with others great 1304 care would need to be taken. Some Tasks may be complementary. For 1305 example, one Task may be followed by a traceroute Task to the same 1306 destination address, in order to learn the network path that was 1307 measured. 1309 The Controller should ensure that the Measurement Tasks do not have 1310 an adverse effect on the end user. Tasks, especially those that 1311 generate a substantial amount of Measurement Traffic, will often 1312 include a pre-check that the user isn't already sending traffic 1313 (Section 5.3). Another consideration is whether Measurement Traffic 1314 will impact a Subscriber's bill or traffic cap. 1316 A Measurement System may have multiple Controllers (but note the 1317 overriding principle that a single MA is instructed by a single 1318 Controller at any point in time (Section 4.2)). For example, there 1319 could be different Controllers for different types of MA (home 1320 gateways, tablets) or locations (Ipswich, Edinburgh, Paris), for load 1321 balancing or to cope with failure of one Controller. 1323 The measurement system also needs to consider carefully how to 1324 interpret missing Results. The correct interpretation depends on why 1325 the Results are missing (perhaps related to measurement suppression 1326 or delayed Report submission), and potentially on the specifics of 1327 the Measurement Task and Measurement Schedule. For example, the set 1328 of packets represented by a Flow may be empty; that is, an Observed 1329 Traffic Flow may represent zero or more packets. The Flow would 1330 still be reported according to schedule. 1332 6.2. Measurement Agent 1334 The MA should be cautious about resuming Measurement Tasks if it re- 1335 boots or has been off-line for some time, as its Instruction may be 1336 stale. In the former case it also needs to ensure that its clock has 1337 re-set correctly, so that it interprets the Schedule correctly. 1339 If the MA runs out of storage space for Measurement Results or can't 1340 contact the Controller, then the appropriate action is specific to 1341 the device and Measurement System. 1343 The Measurement Agent could take a number of forms: a dedicated 1344 probe, software on a PC, embedded into an appliance, or even embedded 1345 into a gateway. A single site (home, branch office etc.) that is 1346 participating in a measurement could make use of one or multiple 1347 Measurement Agents or Measurement Peers in a single measurement. 1349 The Measurement Agent could be deployed in a variety of locations. 1350 Not all deployment locations are available to every kind of 1351 Measurement Agent. There are also a variety of limitations and 1352 trade-offs depending on the final placement. The next sections 1353 outline some of the locations a Measurement Agent may be deployed. 1354 This is not an exhaustive list and combinations may also apply. 1356 6.2.1. Measurement Agent on a networked device 1358 A MA may be embedded on a device that is directly connected to the 1359 network, such as a MA on a smartphone. Other examples include a MA 1360 downloaded and installed on a subscriber's laptop computer or tablet 1361 when the network service is provided on wired or other wireless radio 1362 technologies, such as Wi-Fi. 1364 6.2.2. Measurement Agent embedded in site gateway 1366 A Measurement Agent embedded with the site gateway, for example a 1367 home router or the edge router of a branch office in a managed 1368 service environment, is one of better places the Measurement Agent 1369 could be deployed. All site-to-ISP traffic would traverse through 1370 the gateway. So, Measurement Methods that measure user traffic could 1371 easily be performed. Similarly, due to this user traffic visibility, 1372 a Measurement Method that generates Measurement Traffic could ensure 1373 it does not compete with user traffic. Generally NAT and firewall 1374 services are built into the gateway, allowing the Measurement Agent 1375 the option to offer its Controller-facing management interface 1376 outside of the NAT/firewall. This placement of the management 1377 interface allows the Controller to unilaterally contact the 1378 Measurement Agent for instructions. However, a Measurement Agent on 1379 a site gateway (whether end-user service-provider owned) will 1380 generally not be directly available for over the top providers, the 1381 regulator, end users or enterprises. 1383 6.2.3. Measurement Agent embedded behind site NAT /firewall 1385 The Measurement Agent could also be embedded behind a NAT, a 1386 firewall, or both. In this case the Controller may not be able to 1387 unilaterally contact the Measurement Agent unless either static port 1388 forwarding or firewall pin holing is configured. Configuring port 1389 forwarding could use protocols such as PCP [RFC6887], TR-069 [TR-069] 1390 or UPnP [UPnP]. To open a pin hole in the firewall, the Measurement 1391 Agent could send keepalives towards the Controller (and perhaps use 1392 these also as a network reachability test). 1394 6.2.4. Multi-homed Measurement Agent 1396 If the device with the Measurement Agent is single homed then there 1397 is no confusion about what interface to measure. Similarly, if the 1398 MA is at the gateway and the gateway only has a single WAN-side and a 1399 single LAN-side interface, there is little confusion - for 1400 Measurement Methods that generate Measurement Traffic, the location 1401 of the other MA or Measurement Peer determines whether the WAN or LAN 1402 is measured. 1404 However, the device with the Measurement Agent may be multi-homed. 1405 For example, a home or campus may be connected to multiple broadband 1406 ISPs, such as a wired and wireless broadband provider, perhaps for 1407 redundancy or load- sharing. It may also be helpful to think of dual 1408 stack IPv4 and IPv6 broadband devices as multi-homed. More 1409 generally, Section 3.2 of [RFC7368] describes dual-stack and multi- 1410 homing topologies that might be encountered in a home network, 1411 [RFC6419] provides the current practices of multi-interfaces hosts, 1412 and the Multiple Interfaces (mif) working group covers cases where 1413 hosts are either directly attached to multiple networks (physical or 1414 virtual) or indirectly (multiple default routers, etc.). In these 1415 cases, there needs to be clarity on which network connectivity option 1416 is being measured. 1418 One possibility is to have a Measurement Agent per interface. Then 1419 the Controller's choice of MA determines which interface is measured. 1420 However, if a MA can measure any of the interfaces, then the 1421 Controller defines in the Instruction which interface the MA should 1422 use for a Measurement Task; if the choice of interface is not defined 1423 then the MA uses the default one. Explicit definition is preferred 1424 if the Measurement System wants to measure the performance of a 1425 particular network, whereas using the default is better if the 1426 Measurement System wants to include the impact of the MA's interface 1427 selection algorithm. In any case, the Measurement Result should 1428 include the network that was measured. 1430 6.2.5. Measurement Agent embedded in ISP network 1432 A MA may be embedded on a device that is part of an ISP's network, 1433 such as a router or switch. Usually the network devices with an 1434 embedded MA will be strategically located, such as a Carrier Grade 1435 NAT or ISP Gateway. [RFC7398] gives many examples where a MA might 1436 be located within a network to provide an intermediate measurement 1437 point on the end-to-end path. Other examples include a network 1438 device whose primary role is to host MA functions and the necessary 1439 measurement protocol. 1441 6.3. Measurement Peer 1443 A Measurement Peer participates in some Measurement Methods. It may 1444 have specific functionality to enable it to participate in a 1445 particular Measurement Method. On the other hand, other Measurement 1446 Methods may require no special functionality. For example if the 1447 Measurement Agent sends a ping to example.com then the server at 1448 example.com plays the role of a Measurement Peer; or if the MA 1449 monitors existing traffic, then the existing end points are 1450 Measurement Peers. 1452 A device may participate in some Measurement Methods as a Measurement 1453 Agent and in others as a Measurement Peer. 1455 Measurement Schedules should account for limited resources in a 1456 Measurement Peer when instructing a MA to execute measurements with a 1457 Measurement Peer. In some measurement protocols, such as [RFC4656] 1458 and [RFC5357], the Measurement Peer can reject a measurement session 1459 or refuse a control connection prior to setting-up a measurement 1460 session and so protect itself from resource exhaustion. This is a 1461 valuable capability because the MP may be used by more than one 1462 organisation. 1464 6.4. Deployment examples 1466 In this section we describe some deployment scenarios that are 1467 feasible within the LMAP framework defined in this document. 1469 A very simple example of a Measurement Peer (MP) is a web server that 1470 the MA is downloading a web page from (such as www.example.com) in 1471 order to perform a speed test. The web server is a MP and from its 1472 perspective, the MA is just another client; the MP doesn't have a 1473 specific function for assisting measurements. This is described in 1474 the figure below. 1476 ^ 1477 +------------------+ Web Traffic +----------------+ non-LMAP 1478 | Web Client |<------------>| Web Server | Scope 1479 | | +----------------+ | 1480 ...|..................|....................................V... 1481 |MA:LMAP interface | ^ 1482 +------------------+ | 1483 ^ | | 1484 Instruction | | Report | 1485 | +-----------------+ | 1486 | | | 1487 | v LMAP 1488 +------------+ +------------+ Scope 1489 | Controller | | Collector | | 1490 +------------+ +------------+ V 1492 Schematic of LMAP-based Measurement System, 1493 with Web server as Measurement Peer 1495 Another case that is slightly different than this would be the one of 1496 a TWAMP-responder. This is also a MP, with a helper function, the 1497 TWAMP server, which is specially deployed to assist the MAs that 1498 perform TWAMP tests. Another example is with a ping server, as 1499 described in Section 2. 1501 A further example is the case of a traceroute like measurement. In 1502 this case, for each packet sent, the router where the TTL expires is 1503 performing the MP function. So for a given Measurement Task, there 1504 is one MA involved and several MPs, one per hop. 1506 In the figure below we depict the case of an OWAMP (One-Way Active 1507 Measurement Protocol) responder acting as an MP. In this case, the 1508 helper function in addition reports results back to the MA. So it 1509 has both a data plane and control interface with the MA. 1511 +------------------+ OWAMP +----------------+ ^ 1512 | OWAMP |<--control--->| | | 1513 | control-client |-test-traffic>| OWAMP server & | non-LMAP 1514 | fetch-client & |<----fetch----| session-rec'ver| Scope 1515 | session-sender | | | | 1516 | | +----------------+ | 1517 ...|..................|....................................v... 1518 |MA:LMAP interface | ^ 1519 +------------------+ | 1520 ^ | | 1521 Instruction | | Report | 1522 | +-----------------+ | 1523 | | | 1524 | v LMAP 1525 +------------+ +------------+ Scope 1526 | Controller | | Collector | | 1527 +------------+ +------------+ v 1529 Schematic of LMAP-based Measurement System, 1530 with OWAMP server as Measurement Peer 1532 However, it is also possible to use two Measurement Agents when 1533 performing one way Measurement Tasks, as described in the figure 1534 below. Both MAs are instructed by the Controller: MA-1 to send the 1535 traffic and MA-2 to measure the received traffic and send Reports to 1536 the Collector. Note that the Measurement Task at MA-2 can listen for 1537 traffic from MA-1 and respond multiple times without having to be 1538 rescheduled. 1540 +----------------+ +----------------+ ^ 1541 | | | | non-LMAP 1542 | iperf -u sender|-UDP traffic->| iperf -u recvr | Scope 1543 | | | | v 1544 ...|................|..............|................|........ 1545 | MA-1: | | MA-2: | ^ 1546 | LMAP interface | | LMAP interface | | 1547 +----------------+ +----------------+ | 1548 ^ ^ | | 1549 Instruction | Instruction{Report} | | Report | 1550 {task, | +-------------------+ | | 1551 schedule} | | | | 1552 | | v LMAP 1553 +------------+ +------------+ Scope 1554 | Controller | | Collector | | 1555 +------------+ +------------+ v 1557 Schematic of LMAP-based Measurement System, with two 1558 Measurement Agents cooperating to measure UDP traffic 1559 Next, we consider Measurement Methods that meter the Observed Traffic 1560 Flow. Traffic generated in one point in the network flowing towards 1561 a given destination and the traffic is observed in some point along 1562 the path. One way to implement this is that the endpoints generating 1563 and receiving the traffic are not instructed by the Controller; hence 1564 they are MPs. The MA is located along the path with a monitor 1565 function that measures the traffic. The MA is instructed by the 1566 Controller to monitor that particular traffic and to send the Report 1567 to the Collector. It is depicted in the figure below. 1569 +--------+ +------------------+ +--------+ ^ 1570 |End user| | Monitor | Observed |End user| | 1571 | |<--|------------------|--traffic-->| | non-LMAP 1572 | | | | flow | | Scope 1573 +--------+ | | +--------+ | 1574 ...|..................|............................v.. 1575 |MA:LMAP interface | ^ 1576 +------------------+ | 1577 ^ | | 1578 Instruction | | Report | 1579 | +-----------------+ | 1580 | | | 1581 | v LMAP 1582 +------------+ +------------+ Scope 1583 | Controller | | Collector | | 1584 +------------+ +------------+ v 1586 Schematic of LMAP-based Measurement System, 1587 with a Measurement Agent monitoring traffic 1589 7. Security considerations 1591 The security of the LMAP framework should protect the interests of 1592 the measurement operator(s), the network user(s) and other actors who 1593 could be impacted by a compromised measurement deployment. The 1594 Measurement System must secure the various components of the system 1595 from unauthorised access or corruption. Much of the general advice 1596 contained in section 6 of [RFC4656] is applicable here. 1598 The process to upgrade the firmware in an MA is outside the scope of 1599 the initial LMAP work, just as is the protocol to bootstrap the MAs. 1600 However, systems which provide remote upgrade must secure authorised 1601 access and integrity of the process. 1603 We assume that each Measurement Agent (MA) will receive its 1604 Instructions from a single organisation, which operates the 1605 Controller. These Instructions must be authenticated (to ensure that 1606 they come from the trusted Controller), checked for integrity (to 1607 ensure no-one has tampered with them) and not vulnerable to replay 1608 attacks. If a malicious party can gain control of the MA they can 1609 use it to launch DoS attacks at targets, create a platform for 1610 pervasive monitoring [RFC7258], reduce the end user's quality of 1611 experience and corrupt the Measurement Results that are reported to 1612 the Collector. By altering the Measurement Tasks and/or the address 1613 that Results are reported to, they can also compromise the 1614 confidentiality of the network user and the MA environment (such as 1615 information about the location of devices or their traffic). The 1616 Instruction Messages also need to be encrypted to maintain 1617 confidentiality, as the information might be useful to an attacker. 1619 Reporting by the MA must be encrypted to maintain confidentiality, so 1620 that only the authorised Collector can decrypt the results, to 1621 prevent the leakage of confidential or private information. 1622 Reporting must also be authenticated (to ensure that it comes from a 1623 trusted MA and that the MA reports to a genuine Collector) and not 1624 vulnerable to tampering (which can be ensured through integrity and 1625 replay checks). It must not be possible to fool a MA into injecting 1626 falsified data and the results must also be held and processed 1627 securely after collection and analysis. See section 8.5.2 below for 1628 additional considerations on stored data compromise, and section 8.6 1629 on potential mitigations for compromise. 1631 Since Collectors will be contacted repeatedly by MAs using the 1632 Collection Protocol to convey their recent results, a successful 1633 attack to exhaust the communication resources would prevent a 1634 critical operation: reporting. Therefore, all LMAP Collectors should 1635 implement technical mechanisms to: 1637 o limit the number of reporting connections from a single MA 1638 (simultaneous, and connections per unit time). 1640 o limit the transmission rate from a single MA. 1642 o limit the memory/storage consumed by a single MA's reports. 1644 o efficiently reject reporting connections from unknown sources. 1646 o separate resources if multiple authentication strengths are used, 1647 where the resources should be separated according to each class of 1648 strength. 1650 A corrupted MA could report falsified information to the Collector. 1651 Whether this can be effectively mitigated depends on the platform on 1652 which the MA is deployed, but where the MA is deployed on a customer- 1653 controlled device then the reported data is to some degree inherently 1654 untrustworthy. Further, a sophisticated party could distort some 1655 Measurement Methods, perhaps by dropping or delaying packets for 1656 example. This suggests that the network operator should be cautious 1657 about relying on Measurement Results for action such as refunding 1658 fees if a service level agreement is not met. 1660 As part of the protocol design, it will be decided how LMAP operates 1661 over the underlying protocol (Section 5.5). The choice raises 1662 various security issues, such as how to operate through a NAT and how 1663 to protect the Controller and Collector from denial of service 1664 attacks. 1666 The security mechanisms described above may not be strictly necessary 1667 if the network's design ensures the LMAP components and their 1668 communications are already secured, for example potentially if they 1669 are all part of an ISP's dedicated management network. 1671 Finally, there are three other issues related to security: privacy 1672 (considered in Section 8 below), availability and 'gaming the 1673 system'. While the loss of some MAs may not be considered critical, 1674 the unavailability of the Collector could mean that valuable business 1675 data or data critical to a regulatory process is lost. Similarly, 1676 the unavailability of a Controller could mean that the MAs do not 1677 operate a correct Measurement Schedule. 1679 A malicious party could "game the system". For example, where a 1680 regulator is running a Measurement System in order to benchmark 1681 operators, an operator could try to identify the broadband lines that 1682 the regulator was measuring and prioritise that traffic. Normally, 1683 this potential issue is handled by a code of conduct. It is outside 1684 the scope of the initial LMAP work to consider the issue. 1686 8. Privacy considerations 1688 The LMAP work considers privacy as a core requirement and will ensure 1689 that by default the Control and Report Protocols operate in a 1690 privacy-sensitive manner and that privacy features are well-defined. 1692 This section provides a set of privacy considerations for LMAP. This 1693 section benefits greatly from the timely publication of [RFC6973]. 1694 Privacy and security (Section 7) are related. In some jurisdictions 1695 privacy is called data protection. 1697 We begin with a set of assumptions related to protecting the 1698 sensitive information of individuals and organisations participating 1699 in LMAP-orchestrated measurement and data collection. 1701 8.1. Categories of entities with information of interest 1703 LMAP protocols need to protect the sensitive information of the 1704 following entities, including individuals and organisations who 1705 participate in measurement and collection of results. 1707 o Individual Internet users: Persons who utilise Internet access 1708 services for communications tasks, according to the terms of 1709 service of a service agreement. Such persons may be a service 1710 Subscriber, or have been given permission by the Subscriber to use 1711 the service. 1713 o Internet service providers: Organisations who offer Internet 1714 access service subscriptions, and thus have access to sensitive 1715 information of individuals who choose to use the service. These 1716 organisations desire to protect their Subscribers and their own 1717 sensitive information which may be stored in the process of 1718 performing Measurement Tasks and collecting Results. 1720 o Regulators: Public authorities responsible for exercising 1721 supervision of the electronic communications sector, and which may 1722 have access to sensitive information of individuals who 1723 participate in a measurement campaign. Similarly, regulators 1724 desire to protect the participants and their own sensitive 1725 information. 1727 o Other LMAP system operators: Organisations who operate Measurement 1728 Systems or participate in measurements in some way. 1730 Although privacy is a protection extended to individuals, we discuss 1731 data protection by ISPs and other LMAP system operators in this 1732 section. These organisations have sensitive information involved in 1733 the LMAP system, and many of the same dangers and mitigations are 1734 applicable. Further, the ISPs store information on their Subscribers 1735 beyond that used in the LMAP system (for instance billing 1736 information), and there should be a benefit in considering all the 1737 needs and potential solutions coherently. 1739 8.2. Examples of sensitive information 1741 This section gives examples of sensitive information which may be 1742 measured or stored in a Measurement System, and which is to be kept 1743 private by default in the LMAP core protocols. 1745 Examples of Subscriber or authorised Internet user sensitive 1746 information: 1748 o Sub-IP layer addresses and names (MAC address, base station ID, 1749 SSID) 1751 o IP address in use 1753 o Personal Identification (real name) 1755 o Location (street address, city) 1757 o Subscribed service parameters 1759 o Contents of traffic (activity, DNS queries, destinations, 1760 equipment types, account info for other services, etc.) 1762 o Status as a study volunteer and Schedule of Measurement Tasks 1764 Examples of Internet Service Provider sensitive information: 1766 o Measurement device identification (equipment ID and IP address) 1768 o Measurement Instructions (choice of measurements) 1770 o Measurement Results (some may be shared, others may be private) 1772 o Measurement Schedule (exact times) 1774 o Network topology (locations, connectivity, redundancy) 1776 o Subscriber billing information, and any of the above Subscriber 1777 information known to the provider. 1779 o Authentication credentials (such as certificates) 1781 Other organisations will have some combination of the lists above. 1782 The LMAP system would not typically expose all of the information 1783 above, but could expose a combination of items which could be 1784 correlated with other pieces collected by an attacker (as discussed 1785 in the section on Threats below). 1787 8.3. Different privacy issues raised by different sorts of Measurement 1788 Methods 1790 Measurement Methods raise different privacy issues depending on 1791 whether they measure traffic created specifically for that purpose, 1792 or whether they measure user traffic. 1794 Measurement Tasks conducted on user traffic store sensitive 1795 information, however briefly this storage may be. We note that some 1796 authorities make a distinction on time of storage, and information 1797 that is kept only temporarily to perform a communications function is 1798 not subject to regulation (for example, active queue management, deep 1799 packet inspection). Such Measurement Tasks could reveal all the 1800 websites a Subscriber visits and the applications and/or services 1801 they use. This issue is not specific to LMAP. For instance, IPFIX 1802 has discussed similar issues (see section 11.8 of [RFC7011]), but 1803 mitigations described in the sections below were considered beyond 1804 their scope. 1806 Other types of Measurement Task are conducted on traffic which is 1807 created specifically for the purpose. Even if a user host generates 1808 Measurement Traffic, there is limited sensitive information about the 1809 Subscriber present and stored in the Measurement System: 1811 o IP address in use (and possibly sub-IP addresses and names) 1813 o Status as a study volunteer and Schedule of Measurement Tasks 1815 On the other hand, for a service provider the sensitive information 1816 like Measurement Results is the same for all Measurement Tasks. 1818 From the Subscriber perspective, both types of Measurement Task 1819 potentially expose the description of Internet access service and 1820 specific service parameters, such as subscribed rate and type of 1821 access. 1823 8.4. Privacy analysis of the communication models 1825 This section examines each of the protocol exchanges described at a 1826 high level in Section 5 and some example Measurement Tasks, and 1827 identifies specific sensitive information which must be secured 1828 during communication for each case. With the protocol-related 1829 sensitive information identified, we can better consider the threats 1830 described in the following section. 1832 From the privacy perspective, all entities participating in LMAP 1833 protocols can be considered "observers" according to the definition 1834 in [RFC6973]. Their stored information potentially poses a threat to 1835 privacy, especially if one or more of these functional entities has 1836 been compromised. Likewise, all devices on the paths used for 1837 control, reporting, and measurement are also observers. 1839 8.4.1. MA Bootstrapping 1841 Section 5.1 provides the communication model for the Bootstrapping 1842 process. 1844 Although the specification of mechanisms for Bootstrapping the MA are 1845 beyond the initial LMAP work scope, designers should recognize that 1846 the Bootstrapping process is extremely powerful and could cause an MA 1847 to join a new or different LMAP system with a different Controller 1848 and Collector, or simply install new Metrics with associated 1849 Measurement Methods (for example to record DNS queries). A Bootstrap 1850 attack could result in a breach of the LMAP system with significant 1851 sensitive information exposure depending on the capabilities of the 1852 MA, so sufficient security protections are warranted. 1854 The Bootstrapping process provides sensitive information about the 1855 LMAP system and the organisation that operates it, such as 1857 o the MA's identifier (MA-ID) 1859 o the address that identifies the Control Channel, such as the 1860 Controller's FQDN 1862 o Security information for the Control Channel 1864 During the Bootstrap process for an MA located at a single 1865 subscriber's service demarcation point, the MA receives a MA-ID which 1866 is a persistent pseudonym for the Subscriber. Thus, the MA-ID is 1867 considered sensitive information because it could provide the link 1868 between Subscriber identification and Measurements Results. 1870 Also, the Bootstrap process could assign a Group-ID to the MA. The 1871 specific definition of information represented in a Group-ID is to be 1872 determined, but several examples are envisaged including use as a 1873 pseudonym for a set of Subscribers, a class of service, an access 1874 technology, or other important categories. Assignment of a Group-ID 1875 enables anonymisation sets to be formed on the basis of service 1876 type/grade/rates. Thus, the mapping between Group-ID and MA-ID is 1877 considered sensitive information. 1879 8.4.2. Controller <-> Measurement Agent 1881 The high-level communication model for interactions between the LMAP 1882 Controller and Measurement Agent is illustrated in Section 5.2. The 1883 primary purpose of this exchange is to authenticate and task a 1884 Measurement Agent with Measurement Instructions, which the 1885 Measurement Agent then acts on autonomously. 1887 Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged 1888 with a capability request, then measurement-related information of 1889 interest such as the parameters, schedule, metrics, and IP addresses 1890 of measurement devices. Thus, the measurement Instruction contains 1891 sensitive information which must be secured. For example, the fact 1892 that an ISP is running additional measurements beyond the set 1893 reported externally is sensitive information, as are the additional 1894 Measurements Tasks themselves. The Measurement Schedule is also 1895 sensitive, because an attacker intending to bias the results without 1896 being detected can use this information to great advantage. 1898 An organisation operating the Controller having no service 1899 relationship with a user who hosts the Measurement Agent *could* gain 1900 real-name mapping to a public IP address through user participation 1901 in an LMAP system (this applies to the Measurement Collection 1902 protocol, as well). 1904 8.4.3. Collector <-> Measurement Agent 1906 The high-level communication model for interactions between the 1907 Measurement Agent and Collector is illustrated in Section 5.4. The 1908 primary purpose of this exchange is to authenticate and collect 1909 Measurement Results from a MA, which the MA has measured autonomously 1910 and stored. 1912 The Measurement Results are the additional sensitive information 1913 included in the Collector-MA exchange. Organisations collecting LMAP 1914 measurements have the responsibility for data control. Thus, the 1915 Results and other information communicated in the Collector protocol 1916 must be secured. 1918 8.4.4. Measurement Peer <-> Measurement Agent 1920 A Measurement Method involving Measurement Traffic raises potential 1921 privacy issues, although the specification of the mechanisms is 1922 beyond the scope of the initial LMAP work. The high-level 1923 communications model below illustrates the various exchanges to 1924 execute such a Measurement Method and store the Results. 1926 We note the potential for additional observers in the figures below 1927 by indicating the possible presence of a NAT, which has additional 1928 significance to the protocols and direction of initiation. 1930 The various messages are optional, depending on the nature of the 1931 Measurement Method. It may involve sending Measurement Traffic from 1932 the Measurement Peer to MA, MA to Measurement Peer, or both. 1933 Similarly, a second (or more) MAs may be involved. (Note: For 1934 simplicity, the Figure and description don't show the non-LMAP 1935 functionality that is associated with the transfer of the Measurement 1936 Traffic and is located at the devices with the MA and MP.) 1937 _________________ _________________ 1938 | | | | 1939 |Measurement Peer |=========== NAT ? ==========|Measurement Agent| 1940 |_________________| |_________________| 1942 <- (Key Negotiation & 1943 Encryption Setup) 1944 (Encrypted Channel -> 1945 Established) 1946 (Announce capabilities -> 1947 & status) 1948 <- (Select capabilities) 1949 ACK -> 1950 <- (Measurement Request 1951 (MA+MP IPAddrs,set of 1952 Metrics, Schedule)) 1953 ACK -> 1955 Measurement Traffic <> Measurement Traffic 1956 (may/may not be encrypted) (may/may not be encrypted) 1958 <- (Stop Measurement Task) 1960 Measurement Results -> 1961 (if applicable) 1962 <- ACK, Close 1964 This exchange primarily exposes the IP addresses of measurement 1965 devices and the inference of measurement participation from such 1966 traffic. There may be sensitive information on key points in a 1967 service provider's network included. There may also be access to 1968 measurement-related information of interest such as the Metrics, 1969 Schedule, and intermediate results carried in the Measurement Traffic 1970 (usually a set of timestamps). 1972 The Measurement Peer may be able to use traffic analysis (perhaps 1973 combined with traffic injection) to obtain interesting insights about 1974 the Subscriber. As a simple example, if the Measurement Task 1975 includes a pre-check that the end-user isn't already sending traffic, 1976 the Measurement Peer may be able to deduce when the Subscriber is 1977 away on holiday, for example. 1979 If the Measurement Traffic is unencrypted, as found in many systems 1980 today, then both timing and limited results are open to on-path 1981 observers. 1983 8.4.5. Measurement Agent 1985 Some Measurement Methods only involve a single Measurement Agent 1986 observing existing traffic. They raise potential privacy issues, 1987 although the specification of the mechanisms is beyond the scope of 1988 the initial LMAP work. 1990 The high-level communications model below illustrates the collection 1991 of user information of interest with the Measurement Agent performing 1992 the monitoring and storage of the Results. This particular exchange 1993 is for measurement of DNS Response Time, which most frequently uses 1994 UDP transport. (Note: For simplicity, the Figure and description 1995 don't show the non-LMAP functionality that is associated with the 1996 transfer of the Measurement Traffic and is located at the devices 1997 with the MA.) 1999 _________________ ____________ 2000 | | | | 2001 | DNS Server |=========== NAT ? ==========*=======| User client| 2002 |_________________| ^ |____________| 2003 ______|_______ 2004 | | 2005 | Measurement | 2006 | Agent | 2007 |______________| 2009 <- Name Resolution Req 2010 (MA+MP IPAddrs, 2011 Desired Domain Name) 2012 Return Record -> 2014 In this particular example, the MA monitors DNS messages in order to 2015 measure that DNS response time. The Measurement Agent may be 2016 embedded in the user host, or it may be located in another device 2017 capable of observing user traffic. The MA learns the IP addresses of 2018 measurement devices and the intent to communicate with or access the 2019 services of a particular domain name, and perhaps also information on 2020 key points in a service provider's network, such as the address of 2021 one of its DNS servers. 2023 In principle, any of the user sensitive information of interest 2024 (listed above) can be collected and stored in the monitoring scenario 2025 and so must be secured. 2027 It would also be possible for a Measurement Agent to source the DNS 2028 query itself. But then there are few privacy concerns. 2030 8.4.6. Storage and reporting of Measurement Results 2032 Although the mechanisms for communicating results (beyond the initial 2033 Collector) are beyond the initial LMAP work scope, there are 2034 potential privacy issues related to a single organisation's storage 2035 and reporting of Measurement Results. Both storage and reporting 2036 functions can help to preserve privacy by implementing the 2037 mitigations described below. 2039 8.5. Threats 2041 This section indicates how each of the threats described in [RFC6973] 2042 apply to the LMAP entities and their communication and storage of 2043 "information of interest". Denial of Service (DOS) and other attacks 2044 described in the Security section represent threats as well, and 2045 these attacks are more effective when sensitive information 2046 protections have been compromised. 2048 8.5.1. Surveillance 2050 Section 5.1.1 of [RFC6973] describes Surveillance as the "observation 2051 or monitoring of and individual's communications or activities." 2052 Hence all Measurement Methods that measure user traffic are a form of 2053 surveillance, with inherent risks. 2055 Measurement Methods which avoid periods of user transmission 2056 indirectly produce a record of times when a subscriber or authorised 2057 user has used their network access service. 2059 Measurement Methods may also utilise and store a Subscriber's 2060 currently assigned IP address when conducting measurements that are 2061 relevant to a specific Subscriber. Since the Measurement Results are 2062 time-stamped, they could provide a record of IP address assignments 2063 over time. 2065 Either of the above pieces of information could be useful in 2066 correlation and identification, described below. 2068 8.5.2. Stored data compromise 2070 Section 5.1.2 of [RFC6973] describes Stored Data Compromise as 2071 resulting from inadequate measures to secure stored data from 2072 unauthorised or inappropriate access. For LMAP systems this includes 2073 deleting or modifying collected measurement records, as well as data 2074 theft. 2076 The primary LMAP entity subject to compromise is the repository, 2077 which stores the Measurement Results; extensive security and privacy 2078 threat mitigations are warranted. The Collector and MA also store 2079 sensitive information temporarily, and need protection. The 2080 communications between the local storage of the Collector and the 2081 repository is beyond the scope of the initial LMAP work, though this 2082 communications channel will certainly need protection as well as the 2083 mass storage itself. 2085 The LMAP Controller may have direct access to storage of Subscriber 2086 information (location, billing, service parameters, etc.) and other 2087 information which the controlling organisation considers private, and 2088 again needs protection. 2090 Note that there is tension between the desire to store all raw 2091 results in the LMAP Collector (for reproducibility and custom 2092 analysis), and the need to protect the privacy of measurement 2093 participants. Many of the compromise mitigations described in 2094 section 8.6 below are most efficient when deployed at the MA, 2095 therefore minimising the risks with stored results. 2097 8.5.3. Correlation and identification 2099 Sections 5.2.1 and 5.2.2 of [RFC6973] describe Correlation as 2100 combining various pieces of information to obtain desired 2101 characteristics of an individual, and Identification as using this 2102 combination to infer identity. 2104 The main risk is that the LMAP system could unwittingly provide a key 2105 piece of the correlation chain, starting with an unknown Subscriber's 2106 IP address and another piece of information. For example, a 2107 Subscriber utilised Internet access from 2000 to 2310 UTC, because 2108 the Measurement Tasks were deferred, or sent a name resolution for 2109 www.example.com at 2300 UTC. 2111 If a user's access with another system already gave away sensitive 2112 info, correlation is clearly easier and can result in re- 2113 identification, even when an LMAP conserves sensitive information to 2114 great extent. 2116 8.5.4. Secondary use and disclosure 2118 Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as 2119 unauthorised utilisation of an individual's information for a purpose 2120 the individual did not intend, and Disclosure is when such 2121 information is revealed causing other's notions of the individual to 2122 change, or confidentiality to be violated. 2124 Measurement Methods that measure user traffic are a form of Secondary 2125 Use, and the Subscribers' permission should be obtained beforehand. 2127 It may be necessary to obtain the measured ISP's permission to 2128 conduct measurements, for example when required by the terms and 2129 conditions of the service agreement, and notification is considered 2130 good measurement practice. 2132 For Measurement Methods that measure Measurement Traffic the 2133 Measurement Results provide some limited information about the 2134 Subscriber or ISP and could result in Secondary Uses. For example, 2135 the use of the Results in unauthorised marketing campaigns would 2136 qualify as Secondary Use. Secondary use may break national laws and 2137 regulations, and may violate individual's expectations or desires. 2139 8.6. Mitigations 2141 This section examines the mitigations listed in section 6 of 2142 [RFC6973] and their applicability to LMAP systems. Note that each 2143 section in [RFC6973] identifies the threat categories that each 2144 technique mitigates. 2146 8.6.1. Data minimisation 2148 Section 6.1 of [RFC6973] encourages collecting and storing the 2149 minimal information needed to perform a task. 2151 LMAP results can be useful for general reporting about performance 2152 and for specific troubleshooting. They need different levels of 2153 information detail, as explained in the paragraphs below. 2155 For general results, the results can be aggregated into large 2156 categories (the month of March, all subscribers West of the 2157 Mississippi River). In this case, all individual identifications 2158 (including IP address of the MA) can be excluded, and only relevant 2159 results are provided. However, this implies a filtering process to 2160 reduce the information fields, because greater detail was needed to 2161 conduct the Measurement Tasks in the first place. 2163 For troubleshooting, so that a network operator or end user can 2164 identify a performance issue or failure, potentially all the network 2165 information (IP addresses, equipment IDs, location), Measurement 2166 Schedule, service configuration, Measurement Results, and other 2167 information may assist in the process. This includes the information 2168 needed to conduct the Measurements Tasks, and represents a need where 2169 the maximum relevant information is desirable, therefore the greatest 2170 protections should be applied. This level of detail is greater than 2171 needed for general performance monitoring. 2173 As regards Measurement Methods that measure user traffic, we note 2174 that a user may give temporary permission (to enable detailed 2175 troubleshooting), but withhold permission for them in general. Here 2176 the greatest breadth of sensitive information is potentially exposed, 2177 and the maximum privacy protection must be provided. The Collector 2178 may perform pre-storage minimisation and other mitigations (below) to 2179 help preserve privacy. 2181 For MAs with access to the sensitive information of users (e.g., 2182 within a home or a personal host/handset), it is desirable for the 2183 results collection to minimise the data reported, but also to balance 2184 this desire with the needs of troubleshooting when a service 2185 subscription exists between the user and organisation operating the 2186 measurements. 2188 8.6.2. Anonymity 2190 Section 6.1.1 of [RFC6973] describes a way in which anonymity is 2191 achieved: "there must exist a set of individuals that appear to have 2192 the same attributes as the individual", defined as an "anonymity 2193 set". 2195 Experimental methods for anonymisation of user identifiable data (and 2196 so particularly applicable to Measurement Methods that measure user 2197 traffic) have been identified in [RFC6235]. However, the findings of 2198 several of the same authors is that "there is increasing evidence 2199 that anonymisation applied to network trace or flow data on its own 2200 is insufficient for many data protection applications as in [Bur10]." 2201 Essentially, the details of such Measurement Methods can only be 2202 accessed by closed organisations, and unknown injection attacks are 2203 always less expensive than the protections from them. However, some 2204 forms of summary may protect the user's sensitive information 2205 sufficiently well, and so each Metric must be evaluated in the light 2206 of privacy. 2208 The techniques in [RFC6235] could be applied more successfully in 2209 Measurement Methods that generate Measurement Traffic, where there 2210 are protections from injection attack. The successful attack would 2211 require breaking the integrity protection of the LMAP Reporting 2212 Protocol and injecting Measurement Results (known fingerprint, see 2213 section 3.2 of [RFC6973]) for inclusion with the shared and 2214 anonymised results, then fingerprinting those records to ascertain 2215 the anonymisation process. 2217 Beside anonymisation of measured Results for a specific user or 2218 provider, the value of sensitive information can be further diluted 2219 by summarising the results over many individuals or areas served by 2220 the provider. There is an opportunity enabled by forming anonymity 2221 sets [RFC6973] based on the reference path measurement points in 2222 [RFC7398]. For example, all measurements from the Subscriber device 2223 can be identified as "mp000", instead of using the IP address or 2224 other device information. The same anonymisation applies to the 2225 Internet Service Provider, where their Internet gateway would be 2226 referred to as "mp190". 2228 Another anonymisation technique is for the MA to include its Group-ID 2229 instead of its MA-ID in its Measurement Reports, with several MAs 2230 sharing the same Group-ID. 2232 8.6.3. Pseudonymity 2234 Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, 2235 are a possible mitigation to revealing one's true identity, since 2236 there is no requirement to use real names in almost all protocols. 2238 A pseudonym for a measurement device's IP address could be an LMAP- 2239 unique equipment ID. However, this would likely be a permanent 2240 handle for the device, and long-term use weakens a pseudonym's power 2241 to obscure identity. 2243 8.6.4. Other mitigations 2245 Data can be de-personalised by blurring it, for example by adding 2246 synthetic data, data-swapping, or perturbing the values in ways that 2247 can be reversed or corrected. 2249 Sections 6.2 and 6.3 of [RFC6973] describe User Participation and 2250 Security, respectively. 2252 Where LMAP measurements involve devices on the Subscriber's premises 2253 or Subscriber-owned equipment, it is essential to secure the 2254 Subscriber's permission with regard to the specific information that 2255 will be collected. The informed consent of the Subscriber (and, if 2256 different, the end user) may be needed, including the specific 2257 purpose of the measurements. The approval process could involve 2258 showing the Subscriber their measured information and results before 2259 instituting periodic collection, or before all instances of 2260 collection, with the option to cancel collection temporarily or 2261 permanently. 2263 It should also be clear who is legally responsible for data 2264 protection (privacy); in some jurisdictions this role is called the 2265 'data controller'. It is always good practice to limit the time of 2266 personal information storage. 2268 Although the details of verification would be impenetrable to most 2269 subscribers, the MA could be architected as an "app" with open 2270 source-code, pre-download and embedded terms of use and agreement on 2271 measurements, and protection from code modifications usually provided 2272 by the app-stores. Further, the app itself could provide data 2273 reduction and temporary storage mitigations as appropriate and 2274 certified through code review. 2276 LMAP protocols, devices, and the information they store clearly need 2277 to be secure from unauthorised access. This is the hand-off between 2278 privacy and security considerations (Section 7). The Data Controller 2279 has the (legal) responsibility to maintain data protections described 2280 in the Subscriber's agreement and agreements with other 2281 organisations. 2283 Finally, it is recommended that each entity in section 8.1, 2284 (individuals, ISPs, Regulators, others) assess the risks of LMAP data 2285 collection by conducting audits of their data protection methods. 2287 9. IANA considerations 2289 There are no IANA considerations in this memo. 2291 10. Acknowledgments 2293 This document originated as a merger of three individual drafts: 2294 draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, 2295 and draft-eardley-lmap-framework-02. 2297 Thanks to Juergen Schoenwaelder for his detailed review of the 2298 terminology. Thanks to Charles Cook for a very detailed review of 2299 -02. Thanks to Barbara Stark and Ken Ko for many helpful comments 2300 about later versions. 2302 Thanks to numerous people for much discussion, directly and on the 2303 LMAP list (apologies to those unintentionally omitted): Alan Clark, 2304 Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian 2305 Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen, 2306 Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay, 2307 Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, 2308 Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael 2309 Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter, 2310 Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey, 2311 Vaibhav Bajpai, Vero Zheng, William Lupton. 2313 Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on 2314 the Leone research project, which receives funding from the European 2315 Union Seventh Framework Programme [FP7/2007-2013] under grant 2316 agreement number 317647. 2318 11. History 2320 First WG version, copy of draft-folks-lmap-framework-00. 2322 11.1. From -00 to -01 2324 o new sub-section of possible use of Group-IDs for privacy 2326 o tweak to definition of Control protocol 2328 o fix typo in figure in S5.4 2330 11.2. From -01 to -02 2332 o change to INFORMATIONAL track (previous version had typo'd 2333 Standards track) 2335 o new definitions for Capabilities Information and Failure 2336 Information 2338 o clarify that diagrams show LMAP-level information flows. 2339 Underlying protocol could do other interactions, eg to get through 2340 NAT or for Collector to pull a Report 2342 o add hint that after a re-boot should pause random time before re- 2343 register (to avoid mass calling event) 2345 o delete the open issue "what happens if a Controller fails" (normal 2346 methods can handle) 2348 o add some extra words about multiple Tasks in one Schedule 2350 o clarify that new Schedule replaces (rather than adds to) and old 2351 one. Similarly for new configuration of Measurement Tasks or 2352 Report Channels. 2354 o clarify suppression is temporary stop; send a new Schedule to 2355 permanently stop Tasks 2357 o alter suppression so it is ACKed 2359 o add un-suppress message 2361 o expand the text on error reporting, to mention Reporting failures 2362 (as well as failures to action or execute Measurement Task & 2363 Schedule) 2365 o add some text about how to have Tasks running indefinitely 2366 o add that optionally a Report is not sent when there are no 2367 Measurement Results 2369 o add that a Measurement Task may create more than one Measurement 2370 Result 2372 o clarify /amend /expand that Reports include the "raw" Measurement 2373 Results - any pre-processing is left for lmap2.0 2375 o add some cautionary words about what if the Collector unexpectedly 2376 doesn't hear from a MA 2378 o add some extra words about the potential impact of Measurement 2379 Tasks 2381 o clarified various aspects of the privacy section 2383 o updated references 2385 o minor tweaks 2387 11.3. From -02 to -03 2389 o alignment with the Information Model [burbridge-lmap-information- 2390 model] as this is agreed as a WG document 2392 o One-off and periodic Measurement Schedules are kept separate, so 2393 that they can be updated independently 2395 o Measurement Suppression in a separate sub-section. Can now 2396 optionally include particular Measurement Tasks &/or Schedules to 2397 suppress, and start/stop time 2399 o for clarity, concept of Channel split into Control, Report and MA- 2400 to-Controller Channels 2402 o numerous editorial changes, mainly arising from a very detailed 2403 review by Charles Cook 2405 o 2407 11.4. From -03 to -04 2409 o updates following the WG Last Call, with the proposed consensus on 2410 the various issues as detailed in 2411 http://tools.ietf.org/agenda/89/slides/slides-89-lmap-2.pdf. In 2412 particular: 2414 o tweaked definitions, especially of Measurement Agent and 2415 Measurement Peer 2417 o Instruction - left to each implementation & deployment of LMAP to 2418 decide on the granularity at which an Instruction Message works 2420 o words added about overlapping Measurement Tasks (Measurement 2421 System can handle any way they choose; Report should mention if 2422 the Task overlapped with another) 2424 o Suppression: no defined impact on Passive Measurement Task; extra 2425 option to suppress on-going Active Measurement Tasks; suppression 2426 doesn't go to Measurement Peer, since they don't understand 2427 Instructions 2429 o new concept of Data Transfer Task (and therefore adjustment of the 2430 Channel concept) 2432 o enhancement of Results with Subscriber's service parameters - 2433 could be useful, don't define how but can be included in Report to 2434 various other sections 2436 o various other smaller improvements, arising from the WGLC 2438 o Appendix added with examples of Measurement Agents and Peers in 2439 various deployment scenarios. To help clarify what these terms 2440 mean. 2442 11.5. From -04 to -05 2444 o clarified various scoping comments by using the phrase "scope of 2445 initial LMAP work" (avoiding "scope of LMAP WG" since this may 2446 change in the future) 2448 o added a Configuration Protocol - allows the Controller to update 2449 the MA about information that it obtained during the bootstrapping 2450 process (for consistency with Information Model) 2452 o Removed over-detailed information about the relationship between 2453 the different items in Instruction, as this seems more appropriate 2454 for the information model. Clarified that the lists given are 2455 about the aims and not a list of information elements (these will 2456 be defined in draft-ietf-information-model). 2458 o the Measurement Method, specified as a URI to a registry entry - 2459 rather than a URN 2461 o MA configured with time limit after which, if it hasn't heard from 2462 Controller, then it stops running Measurement Tasks (rather than 2463 this being part of a Schedule) 2465 o clarified there is no distinction between how capabilities, 2466 failure and logging information are transferred (all can be when 2467 requested by Controller or by MA on its own initiative). 2469 o removed mention of Data Transfer Tasks. This abstraction is left 2470 to the information model i-d 2472 o added Deployment sub-section about Measurement Agent embedded in 2473 ISP Network 2475 o various other smaller improvements, arising from the 2nd WGLC 2477 11.6. From -05 to -06 2479 o clarified terminlogy around Measurement Methods and Tasks. Since 2480 within a Method there may be several different roles (requester 2481 and responder, for instance) 2483 o Suppression: there is now the concept of a flag (boolean) which 2484 indicates whether a Task is by default gets suppressed or not. 2485 The optional suppression message (with list of specific tasks 2486 /schedules to suppress) over-rides this flag. 2488 o The previous bullet also means there is no need to make a 2489 distinction between active and passive Measurement Tasks, so this 2490 distinction is removed. 2492 o removed Configuration Protocol - Configuration is part of the 2493 Instruction and so uses the Control Protocol. 2495 11.7. From -06 to -07 2497 o Clarifications and nits 2499 11.8. From -07 to -08 2501 o Clarifications resulting from WG 3rd LC, as discussed in 2502 https://tools.ietf.org/agenda/90/slides/slides-90-lmap-0.pdf, plus 2503 comments made in the IETF-90 meeting. 2505 o added mention of "measurement point designations" in Measurement 2506 Task configuration and Report Protocol. 2508 11.9. From -08 to -09 2510 o Clarifications and changes from the AD review (Benoit Claise) and 2511 security directorate review (Radia Perlman). 2513 11.10. From -09 to -10 2515 o More changes from the AD review (Benoit Claise). 2517 11.11. From -10 to -11 2519 o More changes from the AD review (Benoit Claise). 2521 11.12. From -11 to -12 2523 o Fixing nits from IETF Last call and authors. 2525 12. Informative References 2527 [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, 2528 "The Role of Network Trace anonymisation Under Attack", 2529 January 2010. 2531 [TR-069] TR-069, , "CPE WAN Management Protocol", 2532 http://www.broadband-forum.org/technical/trlist.php, 2533 November 2013. 2535 [UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP 2536 Device Control Protocols specifications", 2537 http://upnp.org/sdcps-and-certification/standards/, 2011. 2539 [RFC1035] Mockapetris, P., "Domain names - implementation and 2540 specification", STD 13, RFC 1035, November 1987. 2542 [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, 2543 June 2005. 2545 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 2546 Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2547 2005. 2549 [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. 2550 Bierman, "Network Configuration Protocol (NETCONF)", RFC 2551 6241, June 2011. 2553 [RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of 2554 the IP Flow Information Export (IPFIX) Protocol for the 2555 Exchange of Flow Information", STD 77, RFC 7011, September 2556 2013. 2558 [RFC7368] Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, 2559 "IPv6 Home Networking Architecture Principles", RFC 7368, 2560 October 2014. 2562 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 2563 Attack", BCP 188, RFC 7258, May 2014. 2565 [I-D.ietf-lmap-use-cases] 2566 Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, 2567 "Large-Scale Broadband Measurement Use Cases", draft-ietf- 2568 lmap-use-cases-06 (work in progress), February 2015. 2570 [I-D.ietf-ippm-metric-registry] 2571 Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A. 2572 Akhter, "Registry for Performance Metrics", draft-ietf- 2573 ippm-metric-registry-02 (work in progress), February 2015. 2575 [RFC6419] Wasserman, M. and P. Seite, "Current Practices for 2576 Multiple-Interface Hosts", RFC 6419, November 2011. 2578 [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. 2579 Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2580 2013. 2582 [I-D.ietf-lmap-information-model] 2583 Burbridge, T., Eardley, P., Bagnulo, M., and J. 2584 Schoenwaelder, "Information Model for Large-Scale 2585 Measurement Platforms (LMAP)", draft-ietf-lmap- 2586 information-model-05 (work in progress), April 2015. 2588 [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization 2589 Support", RFC 6235, May 2011. 2591 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 2592 Morris, J., Hansen, M., and R. Smith, "Privacy 2593 Considerations for Internet Protocols", RFC 6973, July 2594 2013. 2596 [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. 2597 Zekauskas, "A One-way Active Measurement Protocol 2598 (OWAMP)", RFC 4656, September 2006. 2600 [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. 2601 Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", 2602 RFC 5357, October 2008. 2604 [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between 2605 Information Models and Data Models", RFC 3444, January 2606 2003. 2608 [RFC7398] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and 2609 A. Morton, "A Reference Path and Measurement Points for 2610 Large-Scale Measurement of Broadband Performance", RFC 2611 7398, February 2015. 2613 Authors' Addresses 2615 Philip Eardley 2616 BT 2617 Adastral Park, Martlesham Heath 2618 Ipswich 2619 ENGLAND 2621 Email: philip.eardley@bt.com 2623 Al Morton 2624 AT&T Labs 2625 200 Laurel Avenue South 2626 Middletown, NJ 2627 USA 2629 Email: acmorton@att.com 2631 Marcelo Bagnulo 2632 Universidad Carlos III de Madrid 2633 Av. Universidad 30 2634 Leganes, Madrid 28911 2635 SPAIN 2637 Phone: 34 91 6249500 2638 Email: marcelo@it.uc3m.es 2639 URI: http://www.it.uc3m.es 2640 Trevor Burbridge 2641 BT 2642 Adastral Park, Martlesham Heath 2643 Ipswich 2644 ENGLAND 2646 Email: trevor.burbridge@bt.com 2648 Paul Aitken 2649 Brocade 2650 Edinburgh, Scotland 2651 UK 2653 Email: paitken@brocade.com 2655 Aamer Akhter 2656 Consultant 2657 118 Timber Hitch 2658 Cary, NC 2659 USA 2661 Email: aakhter@gmail.com