summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4656.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc4656.txt')
-rw-r--r--doc/rfc/rfc4656.txt3139
1 files changed, 3139 insertions, 0 deletions
diff --git a/doc/rfc/rfc4656.txt b/doc/rfc/rfc4656.txt
new file mode 100644
index 0000000..59b3bbd
--- /dev/null
+++ b/doc/rfc/rfc4656.txt
@@ -0,0 +1,3139 @@
+
+
+
+
+
+
+Network Working Group S. Shalunov
+Request for Comments: 4656 B. Teitelbaum
+Category: Standards Track A. Karp
+ J. Boote
+ M. Zekauskas
+ Internet2
+ September 2006
+
+
+ A One-way Active Measurement Protocol (OWAMP)
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ The One-Way Active Measurement Protocol (OWAMP) measures
+ unidirectional characteristics such as one-way delay and one-way
+ loss. High-precision measurement of these one-way IP performance
+ metrics became possible with wider availability of good time sources
+ (such as GPS and CDMA). OWAMP enables the interoperability of these
+ measurements.
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 1.1. Relationship of Test and Control Protocols .................3
+ 1.2. Logical Model ..............................................4
+ 2. Protocol Overview ...............................................5
+ 3. OWAMP-Control ...................................................6
+ 3.1. Connection Setup ...........................................6
+ 3.2. Integrity Protection (HMAC) ...............................11
+ 3.3. Values of the Accept Field ................................11
+ 3.4. OWAMP-Control Commands ....................................12
+ 3.5. Creating Test Sessions ....................................13
+ 3.6. Send Schedules ............................................18
+ 3.7. Starting Test Sessions ....................................19
+ 3.8. Stop-Sessions .............................................20
+ 3.9. Fetch-Session .............................................24
+
+
+
+Shalunov, et al. Standards Track [Page 1]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ 4. OWAMP-Test .....................................................27
+ 4.1. Sender Behavior ...........................................28
+ 4.1.1. Packet Timings .....................................28
+ 4.1.2. OWAMP-Test Packet Format and Content ...............29
+ 4.2. Receiver Behavior .........................................33
+ 5. Computing Exponentially Distributed Pseudo-Random Numbers ......35
+ 5.1. High-Level Description of the Algorithm ...................35
+ 5.2. Data Types, Representation, and Arithmetic ................36
+ 5.3. Uniform Random Quantities .................................37
+ 6. Security Considerations ........................................38
+ 6.1. Introduction ..............................................38
+ 6.2. Preventing Third-Party Denial of Service ..................38
+ 6.3. Covert Information Channels ...............................39
+ 6.4. Requirement to Include AES in Implementations .............39
+ 6.5. Resource Use Limitations ..................................39
+ 6.6. Use of Cryptographic Primitives in OWAMP ..................40
+ 6.7. Cryptographic Primitive Replacement .......................42
+ 6.8. Long-term Manually Managed Keys ...........................43
+ 6.9. (Not) Using Time as Salt ..................................44
+ 6.10. The Use of AES-CBC and HMAC ..............................44
+ 7. Acknowledgements ...............................................45
+ 8. IANA Considerations ............................................45
+ 9. Internationalization Considerations ............................46
+ 10. References ....................................................46
+ 10.1. Normative References .....................................46
+ 10.2. Informative References ...................................47
+ Appendix A: Sample C Code for Exponential Deviates ................49
+ Appendix B: Test Vectors for Exponential Deviates .................54
+
+1. Introduction
+
+ The IETF IP Performance Metrics (IPPM) working group has defined
+ metrics for one-way packet delay [RFC2679] and loss [RFC2680] across
+ Internet paths. Although there are now several measurement platforms
+ that implement collection of these metrics [SURVEYOR] [SURVEYOR-INET]
+ [RIPE] [BRIX], there is not currently a standard that would permit
+ initiation of test streams or exchange of packets to collect
+ singleton metrics in an interoperable manner.
+
+ With the increasingly wide availability of affordable global
+ positioning systems (GPS) and CDMA-based time sources, hosts
+ increasingly have available to them very accurate time sources,
+ either directly or through their proximity to Network Time Protocol
+ (NTP) primary (stratum 1) time servers. By standardizing a technique
+ for collecting IPPM one-way active measurements, we hope to create an
+ environment where IPPM metrics may be collected across a far broader
+ mesh of Internet paths than is currently possible. One particularly
+ compelling vision is of widespread deployment of open OWAMP servers
+
+
+
+Shalunov, et al. Standards Track [Page 2]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ that would make measurement of one-way delay as commonplace as
+ measurement of round-trip time using an ICMP-based tool like ping.
+
+ Additional design goals of OWAMP include: being hard to detect and
+ manipulate, security, logical separation of control and test
+ functionality, and support for small test packets. (Being hard to
+ detect makes interference with measurements more difficult for
+ intermediaries in the middle of the network.)
+
+ OWAMP test traffic is hard to detect because it is simply a stream of
+ UDP packets from and to negotiated port numbers, with potentially
+ nothing static in the packets (size is negotiated, as well). OWAMP
+ also supports an encrypted mode that further obscures the traffic and
+ makes it impossible to alter timestamps undetectably.
+
+ Security features include optional authentication and/or encryption
+ of control and test messages. These features may be useful to
+ prevent unauthorized access to results or man-in-the-middle attacks
+ that attempt to provide special treatment to OWAMP test streams or
+ that attempt to modify sender-generated timestamps to falsify test
+ results.
+
+ In this document, the key words "MUST", "REQUIRED", "SHOULD",
+ "RECOMMENDED", and "MAY" are to be interpreted as described in
+ [RFC2119].
+
+1.1. Relationship of Test and Control Protocols
+
+ OWAMP actually consists of two inter-related protocols: OWAMP-Control
+ and OWAMP-Test. OWAMP-Control is used to initiate, start, and stop
+ test sessions and to fetch their results, whereas OWAMP-Test is used
+ to exchange test packets between two measurement nodes.
+
+ Although OWAMP-Test may be used in conjunction with a control
+ protocol other than OWAMP-Control, the authors have deliberately
+ chosen to include both protocols in the same RFC to encourage the
+ implementation and deployment of OWAMP-Control as a common
+ denominator control protocol for one-way active measurements. Having
+ a complete and open one-way active measurement solution that is
+ simple to implement and deploy is crucial to ensuring a future in
+ which inter-domain one-way active measurement could become as
+ commonplace as ping. We neither anticipate nor recommend that
+ OWAMP-Control form the foundation of a general-purpose extensible
+ measurement and monitoring control protocol.
+
+ OWAMP-Control is designed to support the negotiation of one-way
+ active measurement sessions and results retrieval in a
+ straightforward manner. At session initiation, there is a
+
+
+
+Shalunov, et al. Standards Track [Page 3]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ negotiation of sender and receiver addresses and port numbers,
+ session start time, session length, test packet size, the mean
+ Poisson sampling interval for the test stream, and some attributes of
+ the very general [RFC 2330] notion of packet type, including packet
+ size and per-hop behavior (PHB) [RFC2474], which could be used to
+ support the measurement of one-way network characteristics across
+ differentiated services networks. Additionally, OWAMP-Control
+ supports per-session encryption and authentication for both test and
+ control traffic, measurement servers that can act as proxies for test
+ stream endpoints, and the exchange of a seed value for the pseudo-
+ random Poisson process that describes the test stream generated by
+ the sender.
+
+ We believe that OWAMP-Control can effectively support one-way active
+ measurement in a variety of environments, from publicly accessible
+ measurement beacons running on arbitrary hosts to network monitoring
+ deployments within private corporate networks. If integration with
+ Simple Network Management Protocol (SNMP) or proprietary network
+ management protocols is required, gateways may be created.
+
+1.2. Logical Model
+
+ Several roles are logically separated to allow for broad flexibility
+ in use. Specifically, we define the following:
+
+ Session-Sender The sending endpoint of an OWAMP-Test session;
+
+ Session-Receiver The receiving endpoint of an OWAMP-Test session;
+
+ Server An end system that manages one or more OWAMP-Test
+ sessions, is capable of configuring per-session
+ state in session endpoints, and is capable of
+ returning the results of a test session;
+
+ Control-Client An end system that initiates requests for
+ OWAMP-Test sessions, triggers the start of a set
+ of sessions, and may trigger their termination;
+ and
+
+ Fetch-Client An end system that initiates requests to fetch
+ the results of completed OWAMP-Test sessions.
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 4]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ One possible scenario of relationships between these roles is shown
+ below.
+
+ +----------------+ +------------------+
+ | Session-Sender |--OWAMP-Test-->| Session-Receiver |
+ +----------------+ +------------------+
+ ^ ^
+ | |
+ | |
+ | |
+ | +----------------+<----------------+
+ | | Server |<-------+
+ | +----------------+ |
+ | ^ |
+ | | |
+ | OWAMP-Control OWAMP-Control
+ | | |
+ v v v
+ +----------------+ +-----------------+
+ | Control-Client | | Fetch-Client |
+ +----------------+ +-----------------+
+
+ (Unlabeled links in the figure are unspecified by this document and
+ may be proprietary protocols.)
+
+ Different logical roles can be played by the same host. For example,
+ in the figure above, there could actually be only two hosts: one
+ playing the roles of Control-Client, Fetch-Client, and Session-
+ Sender, and the other playing the roles of Server and Session-
+ Receiver. This is shown below.
+
+ +-----------------+ +------------------+
+ | Control-Client |<--OWAMP-Control-->| Server |
+ | Fetch-Client | | |
+ | Session-Sender |---OWAMP-Test----->| Session-Receiver |
+ +-----------------+ +------------------+
+
+ Finally, because many Internet paths include segments that transport
+ IP over ATM, delay and loss measurements can include the effects of
+ ATM segmentation and reassembly (SAR). Consequently, OWAMP has been
+ designed to allow for small test packets that would fit inside the
+ payload of a single ATM cell (this is only achieved in
+ unauthenticated mode).
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 5]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+2. Protocol Overview
+
+ As described above, OWAMP consists of two inter-related protocols:
+ OWAMP-Control and OWAMP-Test. The former is layered over TCP and is
+ used to initiate and control measurement sessions and to fetch their
+ results. The latter protocol is layered over UDP and is used to send
+ singleton measurement packets along the Internet path under test.
+
+ The initiator of the measurement session establishes a TCP connection
+ to a well-known port, 861, on the target point and this connection
+ remains open for the duration of the OWAMP-Test sessions. An OWAMP
+ server SHOULD listen to this well-known port.
+
+ OWAMP-Control messages are transmitted only before OWAMP-Test
+ sessions are actually started and after they are completed (with the
+ possible exception of an early Stop-Sessions message).
+
+ The OWAMP-Control and OWAMP-Test protocols support three modes of
+ operation: unauthenticated, authenticated, and encrypted. The
+ authenticated or encrypted modes require that endpoints possess a
+ shared secret.
+
+ All multi-octet quantities defined in this document are represented
+ as unsigned integers in network byte order unless specified
+ otherwise.
+
+3. OWAMP-Control
+
+ The type of each OWAMP-Control message can be found after reading the
+ first 16 octets. The length of each OWAMP-Control message can be
+ computed upon reading its fixed-size part. No message is shorter
+ than 16 octets.
+
+ An implementation SHOULD expunge unused state to prevent denial-of-
+ service attacks, or unbounded memory usage, on the server. For
+ example, if the full control message is not received within some
+ number of minutes after it is expected, the TCP connection associated
+ with the OWAMP-Control session SHOULD be dropped. In absence of
+ other considerations, 30 minutes seems like a reasonable upper bound.
+
+3.1. Connection Setup
+
+ Before either a Control-Client or a Fetch-Client can issue commands
+ to a Server, it has to establish a connection to the server.
+
+ First, a client opens a TCP connection to the server on a well-known
+ port 861. The server responds with a server greeting:
+
+
+
+
+Shalunov, et al. Standards Track [Page 6]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Unused (12 octets) |
+ | |
+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Modes |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Challenge (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Salt (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Count (4 octets) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | MBZ (12 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The following Mode values are meaningful: 1 for unauthenticated, 2
+ for authenticated, and 4 for encrypted. The value of the Modes field
+ sent by the server is the bit-wise OR of the mode values that it is
+ willing to support during this session. Thus, the last three bits of
+ the Modes 32-bit value are used. The first 29 bits MUST be zero. A
+ client MUST ignore the values in the first 29 bits of the Modes
+ value. (This way, the bits are available for future protocol
+ extensions. This is the only intended extension mechanism.)
+
+ Challenge is a random sequence of octets generated by the server; it
+ is used subsequently by the client to prove possession of a shared
+ secret in a manner prescribed below.
+
+ Salt and Count are parameters used in deriving a key from a shared
+ secret as described below.
+
+ Salt MUST be generated pseudo-randomly (independently of anything
+ else in this document).
+
+ Count MUST be a power of 2. Count MUST be at least 1024. Count
+ SHOULD be increased as more computing power becomes common.
+
+
+
+
+Shalunov, et al. Standards Track [Page 7]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ If the Modes value is zero, the server does not wish to communicate
+ with the client and MAY close the connection immediately. The client
+ SHOULD close the connection if it receives a greeting with Modes
+ equal to zero. The client MAY close the connection if the client's
+ desired mode is unavailable.
+
+ Otherwise, the client MUST respond with the following Set-Up-Response
+ message:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Mode |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . KeyID (80 octets) .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Token (64 octets) .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Client-IV (16 octets) .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Here Mode is the mode that the client chooses to use during this
+ OWAMP-Control session. It will also be used for all OWAMP-Test
+ sessions started under control of this OWAMP-Control session. In
+ Mode, one or zero bits MUST be set within last three bits. If it is
+ one bit that is set within the last three bits, this bit MUST
+ indicate a mode that the server agreed to use (i.e., the same bit
+ MUST have been set by the server in the server greeting). The first
+ 29 bits of Mode MUST be zero. A server MUST ignore the values of the
+ first 29 bits. If zero Mode bits are set by the client, the client
+ indicates that it will not continue with the session; in this case,
+ the client and the server SHOULD close the TCP connection associated
+ with the OWAMP-Control session.
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 8]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ In unauthenticated mode, KeyID, Token, and Client-IV are unused.
+ Otherwise, KeyID is a UTF-8 string, up to 80 octets in length (if the
+ string is shorter, it is padded with zero octets), that tells the
+ server which shared secret the client wishes to use to authenticate
+ or encrypt, while Token is the concatenation of a 16-octet challenge,
+ a 16-octet AES Session-key used for encryption, and a 32-octet HMAC-
+ SHA1 Session-key used for authentication. The token itself is
+ encrypted using the AES (Advanced Encryption Standard) [AES] in
+ Cipher Block Chaining (CBC). Encryption MUST be performed using an
+ Initialization Vector (IV) of zero and a key derived from the shared
+ secret associated with KeyID. (Both the server and the client use
+ the same mappings from KeyIDs to shared secrets. The server, being
+ prepared to conduct sessions with more than one client, uses KeyIDs
+ to choose the appropriate secret key; a client would typically have
+ different secret keys for different servers. The situation is
+ analogous to that with passwords.)
+
+ The shared secret is a passphrase; it MUST not contain newlines. The
+ secret key is derived from the passphrase using a password-based key
+ derivation function PBKDF2 (PKCS #5) [RFC2898]. The PBKDF2 function
+ requires several parameters: the PRF is HMAC-SHA1 [RFC2104]; the salt
+ and count are as transmitted by the server.
+
+ AES Session-key, HMAC Session-key and Client-IV are generated
+ randomly by the client. AES Session-key and HMAC Session-key MUST be
+ generated with sufficient entropy not to reduce the security of the
+ underlying cipher [RFC4086]. Client-IV merely needs to be unique
+ (i.e., it MUST never be repeated for different sessions using the
+ same secret key; a simple way to achieve that without the use of
+ cumbersome state is to generate the Client-IV values using a
+ cryptographically secure pseudo-random number source: if this is
+ done, the first repetition is unlikely to occur before 2^64 sessions
+ with the same secret key are conducted).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 9]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ The server MUST respond with the following Server-Start message:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | MBZ (15 octets) |
+ | |
+ | +-+-+-+-+-+-+-+-+
+ | | Accept |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Server-IV (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Start-Time (Timestamp) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | MBZ (8 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The MBZ parts MUST be zero. The client MUST ignore their value. MBZ
+ (MUST be zero) fields here and after have the same semantics: the
+ party that sends the message MUST set the field so that all bits are
+ equal to zero; the party that interprets the message MUST ignore the
+ value. (This way, the field could be used for future extensions.)
+
+ Server-IV is generated randomly by the server. In unauthenticated
+ mode, Server-IV is unused.
+
+ The Accept field indicates the server's willingness to continue
+ communication. A zero value in the Accept field means that the
+ server accepts the authentication and is willing to conduct further
+ transactions. Non-zero values indicate that the server does not
+ accept the authentication or, for some other reason, is not willing
+ to conduct further transactions in this OWAMP-Control session. The
+ full list of available Accept values is described in Section 3.3,
+ "Values of the Accept Field".
+
+ If a negative (non-zero) response is sent, the server MAY (and the
+ client SHOULD) close the connection after this message.
+
+ Start-Time is a timestamp representing the time when the current
+ instantiation of the server started operating. (For example, in a
+ multi-user general purpose operating system, it could be the time
+ when the server process was started.) If Accept is non-zero, Start-
+
+
+
+Shalunov, et al. Standards Track [Page 10]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ Time SHOULD be set so that all of its bits are zeros. In
+ authenticated and encrypted modes, Start-Time is encrypted as
+ described in Section 3.4, "OWAMP-Control Commands", unless Accept is
+ non-zero. (Authenticated and encrypted mode cannot be entered unless
+ the control connection can be initialized.)
+
+ Timestamp format is described in Section 4.1.2. The same
+ instantiation of the server SHOULD report the same exact Start-Time
+ value to each client in each session.
+
+ The previous transactions constitute connection setup.
+
+3.2. Integrity Protection (HMAC)
+
+ Authentication of each message (also referred to as a command in this
+ document) in OWAMP-Control is accomplished by adding an HMAC to it.
+ The HMAC that OWAMP uses is HMAC-SHA1 truncated to 128 bits. Thus,
+ all HMAC fields are 16 octets. An HMAC needs a key. The HMAC
+ Session-key is communicated along with the AES Session-key during
+ OWAMP-Control connection setup. The HMAC Session-key SHOULD be
+ derived independently of the AES Session-key (an implementation, of
+ course, MAY use the same mechanism to generate the random bits for
+ both keys). Each HMAC sent covers everything sent in a given
+ direction between the previous HMAC (but not including it) and up to
+ the beginning of the new HMAC. This way, once encryption is set up,
+ each bit of the OWAMP-Control connection is authenticated by an HMAC
+ exactly once.
+
+ When encrypting, authentication happens before encryption, so HMAC
+ blocks are encrypted along with the rest of the stream. When
+ decrypting, the order, of course, is reversed: first one decrypts,
+ then one checks the HMAC, then one proceeds to use the data.
+
+ The HMAC MUST be checked as early as possible to avoid using and
+ propagating corrupt data.
+
+ In open mode, the HMAC fields are unused and have the same semantics
+ as MBZ fields.
+
+3.3. Values of the Accept Field
+
+ Accept values are used throughout the OWAMP-Control protocol to
+ communicate the server response to client requests. The full set of
+ valid Accept field values are as follows:
+
+ 0 OK.
+
+ 1 Failure, reason unspecified (catch-all).
+
+
+
+Shalunov, et al. Standards Track [Page 11]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ 2 Internal error.
+
+ 3 Some aspect of request is not supported.
+
+ 4 Cannot perform request due to permanent resource limitations.
+
+ 5 Cannot perform request due to temporary resource limitations.
+
+ All other values are reserved. The sender of the message MAY use the
+ value of 1 for all non-zero Accept values. A message sender SHOULD
+ use the correct Accept value if it is going to use other values. The
+ message receiver MUST interpret all values of Accept other than these
+ reserved values as 1. This way, other values are available for
+ future extensions.
+
+3.4. OWAMP-Control Commands
+
+ In authenticated or encrypted mode (which are identical as far as
+ OWAMP-Control is concerned, and only differ in OWAMP-Test), all
+ further communications are encrypted with the AES Session-key (using
+ CBC mode) and authenticated with HMAC Session-key. The client
+ encrypts everything it sends through the just-established OWAMP-
+ Control connection using stream encryption with Client-IV as the IV.
+ Correspondingly, the server encrypts its side of the connection using
+ Server-IV as the IV.
+
+ The IVs themselves are transmitted in cleartext. Encryption starts
+ with the block immediately following the block containing the IV.
+ The two streams (one going from the client to the server and one
+ going back) are encrypted independently, each with its own IV, but
+ using the same key (the AES Session-key).
+
+ The following commands are available for the client: Request-Session,
+ Start-Sessions, Stop-Sessions, and Fetch-Session. The command Stop-
+ Sessions is available to both the client and the server. (The server
+ can also send other messages in response to commands it receives.)
+
+ After the client sends the Start-Sessions command and until it both
+ sends and receives (in an unspecified order) the Stop-Sessions
+ command, it is said to be conducting active measurements. Similarly,
+ the server is said to be conducting active measurements after it
+ receives the Start-Sessions command and until it both sends and
+ receives (in an unspecified order) the Stop-Sessions command.
+
+ While conducting active measurements, the only command available is
+ Stop-Sessions.
+
+ These commands are described in detail below.
+
+
+
+Shalunov, et al. Standards Track [Page 12]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+3.5. Creating Test Sessions
+
+ Individual one-way active measurement sessions are established using
+ a simple request/response protocol. An OWAMP client MAY issue zero
+ or more Request-Session messages to an OWAMP server, which MUST
+ respond to each with an Accept-Session message. An Accept-Session
+ message MAY refuse a request.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 13]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ The format of Request-Session message is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 | MBZ | IPVN | Conf-Sender | Conf-Receiver |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Schedule Slots |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Packets |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sender Port | Receiver Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sender Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Sender Address (cont.) or MBZ (12 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Receiver Address |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Receiver Address (cont.) or MBZ (12 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | SID (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Padding Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Start Time |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timeout, (8 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type-P Descriptor |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | MBZ (8 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+Shalunov, et al. Standards Track [Page 14]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ This is immediately followed by one or more schedule slot
+ descriptions (the number of schedule slots is specified in the
+ "Number of Schedule Slots" field above):
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Slot Type | |
+ +-+-+-+-+-+-+-+-+ MBZ (7 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Slot Parameter (Timestamp) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ These are immediately followed by HMAC:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ All these messages constitute one logical message: the Request-
+ Session command.
+
+ Above, the first octet (1) indicates that this is the Request-Session
+ command.
+
+ IPVN is the IP version numbers for Sender and Receiver. When the IP
+ version number is 4, 12 octets follow the 4-octet IPv4 address stored
+ in Sender Address and Receiver Address. These octets MUST be set to
+ zero by the client and MUST be ignored by the server. Currently
+ meaningful IPVN values are 4 and 6.
+
+ Conf-Sender and Conf-Receiver MUST be set to 0 or 1 by the client.
+ The server MUST interpret any non-zero value as 1. If the value is
+ 1, the server is being asked to configure the corresponding agent
+ (sender or receiver). In this case, the corresponding Port value
+ SHOULD be disregarded by the server. At least one of Conf-Sender and
+ Conf-Receiver MUST be 1. (Both can be set, in which case the server
+ is being asked to perform a session between two hosts it can
+ configure.)
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 15]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ Number of Schedule Slots, as mentioned before, specifies the number
+ of slot records that go between the two blocks of HMAC. It is used
+ by the sender to determine when to send test packets (see next
+ section).
+
+ Number of Packets is the number of active measurement packets to be
+ sent during this OWAMP-Test session (note that either the server or
+ the client can abort the session early).
+
+ If Conf-Sender is not set, Sender Port is the UDP port from which
+ OWAMP-Test packets will be sent. If Conf-Receiver is not set,
+ Receiver Port is the UDP port OWAMP-Test to which packets are
+ requested to be sent.
+
+ The Sender Address and Receiver Address fields contain, respectively,
+ the sender and receiver addresses of the end points of the Internet
+ path over which an OWAMP test session is requested.
+
+ SID is the session identifier. It can be used in later sessions as
+ an argument for the Fetch-Session command. It is meaningful only if
+ Conf-Receiver is 0. This way, the SID is always generated by the
+ receiving side. See the end of the section for information on how
+ the SID is generated.
+
+ Padding length is the number of octets to be appended to the normal
+ OWAMP-Test packet (see more on padding in discussion of OWAMP-Test).
+
+ Start Time is the time when the session is to be started (but not
+ before Start-Sessions command is issued). This timestamp is in the
+ same format as OWAMP-Test timestamps.
+
+ Timeout (or a loss threshold) is an interval of time (expressed as a
+ timestamp). A packet belonging to the test session that is being set
+ up by the current Request-Session command will be considered lost if
+ it is not received during Timeout seconds after it is sent.
+
+ Type-P Descriptor covers only a subset of (very large) Type-P space.
+ If the first two bits of the Type-P Descriptor are 00, then the
+ subsequent six bits specify the requested Differentiated Services
+ Codepoint (DSCP) value of sent OWAMP-Test packets, as defined in
+ [RFC2474]. If the first two bits of Type-P descriptor are 01, then
+ the subsequent 16 bits specify the requested PHB Identification Code
+ (PHB ID), as defined in [RFC2836].
+
+ Therefore, the value of all zeros specifies the default best-effort
+ service.
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 16]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ If Conf-Sender is set, the Type-P Descriptor is to be used to
+ configure the sender to send packets according to its value. If
+ Conf-Sender is not set, the Type-P Descriptor is a declaration of how
+ the sender will be configured.
+
+ If Conf-Sender is set and the server does not recognize the Type-P
+ Descriptor, or it cannot or does not wish to set the corresponding
+ attributes on OWAMP-Test packets, it SHOULD reject the session
+ request. If Conf-Sender is not set, the server SHOULD accept or
+ reject the session, paying no attention to the value of the Type-P
+ Descriptor.
+
+ To each Request-Session message, an OWAMP server MUST respond with an
+ Accept-Session message:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Accept | MBZ | Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | |
+ | SID (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | MBZ (12 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ In this message, zero in the Accept field means that the server is
+ willing to conduct the session. A non-zero value indicates rejection
+ of the request. The full list of available Accept values is
+ described in Section 3.3, "Values of the Accept Field".
+
+ If the server rejects a Request-Session message, it SHOULD not close
+ the TCP connection. The client MAY close it if it receives a
+ negative response to the Request-Session message.
+
+ The meaning of Port in the response depends on the values of Conf-
+ Sender and Conf-Receiver in the query that solicited the response.
+ If both were set, the Port field is unused. If only Conf-Sender was
+ set, Port is the port from which to expect OWAMP-Test packets. If
+
+
+
+Shalunov, et al. Standards Track [Page 17]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ only Conf-Receiver was set, Port is the port to which OWAMP-Test
+ packets are sent.
+
+ If only Conf-Sender was set, the SID field in the response is unused.
+ Otherwise, SID is a unique server-generated session identifier. It
+ can be used later as handle to fetch the results of a session.
+
+ SIDs SHOULD be constructed by concatenation of the 4-octet IPv4 IP
+ number belonging to the generating machine, an 8-octet timestamp, and
+ a 4-octet random value. To reduce the probability of collisions, if
+ the generating machine has any IPv4 addresses (with the exception of
+ loopback), one of them SHOULD be used for SID generation, even if all
+ communication is IPv6-based. If it has no IPv4 addresses at all, the
+ last four octets of an IPv6 address MAY be used instead. Note that
+ SID is always chosen by the receiver. If truly random values are not
+ available, it is important that the SID be made unpredictable, as
+ knowledge of the SID might be used for access control.
+
+3.6. Send Schedules
+
+ The sender and the receiver both need to know the same send schedule.
+ This way, when packets are lost, the receiver knows when they were
+ supposed to be sent. It is desirable to compress common schedules
+ and still to be able to use an arbitrary one for the test sessions.
+ In many cases, the schedule will consist of repeated sequences of
+ packets: this way, the sequence performs some test, and the test is
+ repeated a number of times to gather statistics.
+
+ To implement this, we have a schedule with a given number of slots.
+ Each slot has a type and a parameter. Two types are supported:
+ exponentially distributed pseudo-random quantity (denoted by a code
+ of 0) and a fixed quantity (denoted by a code of 1). The parameter
+ is expressed as a timestamp and specifies a time interval. For a
+ type 0 slot (exponentially distributed pseudo-random quantity), this
+ interval is the mean value (or 1/lambda if the distribution density
+ function is expressed as lambda*exp(-lambda*x) for positive values of
+ x). For a type 1 (fixed quantity) slot, the parameter is the delay
+ itself. The sender starts with the beginning of the schedule and
+ executes the instructions in the slots: for a slot of type 0, wait an
+ exponentially distributed time with a mean of the specified parameter
+ and then send a test packet (and proceed to the next slot); for a
+ slot of type 1, wait the specified time and send a test packet (and
+ proceed to the next slot). The schedule is circular: when there are
+ no more slots, the sender returns to the first slot.
+
+ The sender and the receiver need to be able to reproducibly execute
+ the entire schedule (so, if a packet is lost, the receiver can still
+ attach a send timestamp to it). Slots of type 1 are trivial to
+
+
+
+Shalunov, et al. Standards Track [Page 18]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ reproducibly execute. To reproducibly execute slots of type 0, we
+ need to be able to generate pseudo-random exponentially distributed
+ quantities in a reproducible manner. The way this is accomplished is
+ discussed later in Section 5, "Computing Exponentially Distributed
+ Pseudo-Random Numbers".
+
+ Using this mechanism, one can easily specify common testing
+ scenarios. The following are some examples:
+
+ + Poisson stream: a single slot of type 0.
+
+ + Periodic stream: a single slot of type 1.
+
+ + Poisson stream of back-to-back packet pairs: two slots, type 0
+ with a non-zero parameter and type 1 with a zero parameter.
+
+ Further, a completely arbitrary schedule can be specified (albeit
+ inefficiently) by making the number of test packets equal to the
+ number of schedule slots. In this case, the complete schedule is
+ transmitted in advance of an OWAMP-Test session.
+
+3.7. Starting Test Sessions
+
+ Having requested one or more test sessions and received affirmative
+ Accept-Session responses, an OWAMP client MAY start the execution of
+ the requested test sessions by sending a Start-Sessions message to
+ the server.
+
+ The format of this message is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 2 | |
+ +-+-+-+-+-+-+-+-+ |
+ | MBZ (15 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The server MUST respond with an Start-Ack message (which SHOULD be
+ sent as quickly as possible). Start-Ack messages have the following
+ format:
+
+
+
+Shalunov, et al. Standards Track [Page 19]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Accept | |
+ +-+-+-+-+-+-+-+-+ |
+ | MBZ (15 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ If Accept is non-zero, the Start-Sessions request was rejected; zero
+ means that the command was accepted. The full list of available
+ Accept values is described in Section 3.3, "Values of the Accept
+ Field". The server MAY, and the client SHOULD, close the connection
+ in the case of a rejection.
+
+ The server SHOULD start all OWAMP-Test streams immediately after it
+ sends the response or immediately after their specified start times,
+ whichever is later. If the client represents a Sender, the client
+ SHOULD start its OWAMP-Test streams immediately after it sees the
+ Start-Ack response from the Server (if the Start-Sessions command was
+ accepted) or immediately after their specified start times, whichever
+ is later. See more on OWAMP-Test sender behavior in a separate
+ section below.
+
+3.8. Stop-Sessions
+
+ The Stop-Sessions message may be issued by either the Control-Client
+ or the Server. The format of this command is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 3 | Accept | MBZ |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Sessions |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | MBZ (8 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ This is immediately followed by zero or more session description
+ records (the number of session description records is specified in
+
+
+
+Shalunov, et al. Standards Track [Page 20]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ the "Number of Sessions" field above). The session description
+ record is used to indicate which packets were actually sent by the
+ sender process (rather than skipped). The header of the session
+ description record is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | |
+ | SID (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Next Seqno |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Skip Ranges |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ This is immediately followed by zero or more Skip Range descriptions
+ as specified by the "Number of Skip Ranges" field above. Skip Ranges
+ are simply two sequence numbers that, together, indicate a range of
+ packets that were not sent:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | First Seqno Skipped |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Last Seqno Skipped |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Skip Ranges MUST be in order. The last (possibly full, possibly
+ incomplete) block (16 octets) of data MUST be padded with zeros, if
+ necessary. This ensures that the next session description record
+ starts on a block boundary.
+
+ Finally, a single block (16 octets) of HMAC is concatenated on the
+ end to complete the Stop-Sessions message.
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ All these records comprise one logical message: the Stop-Sessions
+ command.
+
+
+
+Shalunov, et al. Standards Track [Page 21]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ Above, the first octet (3) indicates that this is the Stop-Sessions
+ command.
+
+ Non-zero Accept values indicate a failure of some sort. Zero values
+ indicate normal (but possibly premature) completion. The full list
+ of available Accept values is described in Section 3.3, "Values of
+ the Accept Field".
+
+ If Accept had a non-zero value (from either party), results of all
+ OWAMP-Test sessions spawned by this OWAMP-Control session SHOULD be
+ considered invalid, even if a Fetch-Session with SID from this
+ session works for a different OWAMP-Control session. If Accept was
+ not transmitted at all (for whatever reason, including the TCP
+ connection used for OWAMP-Control breaking), the results of all
+ OWAMP-Test sessions spawned by this OWAMP-control session MAY be
+ considered invalid.
+
+ Number of Sessions indicates the number of session description
+ records that immediately follow the Stop-Sessions header.
+
+ Number of Sessions MUST contain the number of send sessions started
+ by the local side of the control connection that have not been
+ previously terminated by a Stop-Sessions command (i.e., the Control-
+ Client MUST account for each accepted Request-Session where Conf-
+ Receiver was set; the Control-Server MUST account for each accepted
+ Request-Session where Conf-Sender was set). If the Stop-Sessions
+ message does not account for exactly the send sessions controlled by
+ that side, then it is to be considered invalid and the connection
+ SHOULD be closed and any results obtained considered invalid.
+
+ Each session description record represents one OWAMP-Test session.
+
+ SID is the session identifier (SID) used to indicate which send
+ session is being described.
+
+ Next Seqno indicates the next sequence number that would have been
+ sent from this send session. For completed sessions, this will equal
+ NumPackets from the Request-Session.
+
+ Number of Skip Ranges indicates the number of holes that actually
+ occurred in the sending process. This is a range of packets that
+ were never actually sent by the sending process. For example, if a
+ send session is started too late for the first 10 packets to be sent
+ and this is the only hole in the schedule, then "Number of Skip
+ Ranges" would be 1. The single Skip Range description will have
+ First Seqno Skipped equal to 0 and Last Seqno Skipped equal to 9.
+ This is described further in the "Sender Behavior" section.
+
+
+
+
+Shalunov, et al. Standards Track [Page 22]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ If the OWAMP-Control connection breaks when the Stop-Sessions command
+ is sent, the receiver MAY not completely invalidate the session
+ results. It MUST discard all record of packets that follow (in other
+ words, that have greater sequence number than) the last packet that
+ was actually received before any lost packet records. This will help
+ differentiate between packet losses that occurred in the network and
+ packets the sending process may have never sent.
+
+ If a receiver of an OWAMP-Test session learns, through an OWAMP-
+ Control Stop-Sessions message, that the OWAMP-Test sender's last
+ sequence number is lower than any sequence number actually received,
+ the results of the complete OWAMP-Test session MUST be invalidated.
+
+ A receiver of an OWAMP-Test session, upon receipt of an OWAMP-Control
+ Stop-Sessions command, MUST discard any packet records -- including
+ lost packet records -- with a (computed) send time that falls between
+ the current time minus Timeout and the current time. This ensures
+ statistical consistency for the measurement of loss and duplicates in
+ the event that the Timeout is greater than the time it takes for the
+ Stop-Sessions command to take place.
+
+ To effect complete sessions, each side of the control connection
+ SHOULD wait until all sessions are complete before sending the Stop-
+ Sessions message. The completed time of each session is determined
+ as Timeout after the scheduled time for the last sequence number.
+ Endpoints MAY add a small increment to the computed completed time
+ for send endpoints to ensure that the Stop-Sessions message reaches
+ the receiver endpoint after Timeout.
+
+ To effect a premature stop of sessions, the party that initiates this
+ command MUST stop its OWAMP-Test send streams to send the Session
+ Packets Sent values before sending this command. That party SHOULD
+ wait until receiving the response Stop-Sessions message before
+ stopping the receiver streams so that it can use the values from the
+ received Stop-Sessions message to validate the data.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 23]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+3.9. Fetch-Session
+
+ The format of this client command is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 4 | |
+ +-+-+-+-+-+-+-+-+ |
+ | MBZ (7 octets) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Begin Seq |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | End Seq |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | SID (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Begin Seq is the sequence number of the first requested packet. End
+ Seq is the sequence number of the last requested packet. If Begin
+ Seq is all zeros and End Seq is all ones, complete session is said to
+ be requested.
+
+ If a complete session is requested and the session is still in
+ progress or has terminated in any way other than normally, the
+ request to fetch session results MUST be denied. If an incomplete
+ session is requested, all packets received so far that fall into the
+ requested range SHOULD be returned. Note that, since no commands can
+ be issued between Start-Sessions and Stop-Sessions, incomplete
+ requests can only happen on a different OWAMP-Control connection
+ (from the same or different host as Control-Client).
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 24]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ The server MUST respond with a Fetch-Ack message. The format of this
+ server response is as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Accept | Finished | MBZ (2 octets) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Next Seqno |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Skip Ranges |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Number of Records |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Again, non-zero in the Accept field means a rejection of command.
+ The server MUST specify zero for all remaining fields if Accept is
+ non-zero. The client MUST ignore all remaining fields (except for
+ the HMAC) if Accept is non-zero. The full list of available Accept
+ values is described in Section 3.3, "Values of the Accept Field".
+
+ Finished is non-zero if the OWAMP-Test session has terminated.
+
+ Next Seqno indicates the next sequence number that would have been
+ sent from this send session. For completed sessions, this will equal
+ NumPackets from the Request-Session. This information is only
+ available if the session has terminated. If Finished is zero, then
+ Next Seqno MUST be set to zero by the server.
+
+ Number of Skip Ranges indicates the number of holes that actually
+ occurred in the sending process. This information is only available
+ if the session has terminated. If Finished is zero, then Skip Ranges
+ MUST be set to zero by the server.
+
+ Number of Records is the number of packet records that fall within
+ the requested range. This number might be less than the Number of
+ Packets in the reproduction of the Request-Session command because of
+ a session that ended prematurely, or it might be greater because of
+ duplicates.
+
+ If Accept was non-zero, this concludes the response to the Fetch-
+ Session message. If Accept was 0, the server then MUST immediately
+ send the OWAMP-Test session data in question.
+
+
+
+Shalunov, et al. Standards Track [Page 25]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ The OWAMP-Test session data consists of the following (concatenated):
+
+ + A reproduction of the Request-Session command that was used to
+ start the session; it is modified so that actual sender and
+ receiver port numbers that were used by the OWAMP-Test session
+ always appear in the reproduction.
+
+ + Zero or more (as specified) Skip Range descriptions. The last
+ (possibly full, possibly incomplete) block (16 octets) of Skip
+ Range descriptions is padded with zeros, if necessary.
+
+ + 16 octets of HMAC.
+
+ + Zero or more (as specified) packet records. The last (possibly
+ full, possibly incomplete) block (16 octets) of data is padded
+ with zeros, if necessary.
+
+ + 16 octets of HMAC.
+
+ Skip Range descriptions are simply two sequence numbers that,
+ together, indicate a range of packets that were not sent:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | First Seqno Skipped |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Last Seqno Skipped |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Skip Range descriptions should be sent out in order, as sorted by
+ First Seqno. If any Skip Ranges overlap or are out of order, the
+ session data is to be considered invalid and the connection SHOULD be
+ closed and any results obtained considered invalid.
+
+ Each packet record is 25 octets and includes 4 octets of sequence
+ number, 8 octets of send timestamp, 2 octets of send timestamp error
+ estimate, 8 octets of receive timestamp, 2 octets of receive
+ timestamp error estimate, and 1 octet of Time To Live (TTL), or Hop
+ Limit in IPv6:
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 26]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 00| Seq Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 04| Send Error Estimate | Receive Error Estimate |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 08| Send Timestamp |
+ 12| |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 16| Receive Timestamp |
+ 20| |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ 24| TTL |
+ +-+-+-+-+-+-+-+-+
+
+ Packet records are sent out in the same order the actual packets were
+ received. Therefore, the data is in arrival order.
+
+ Note that lost packets (if any losses were detected during the
+ OWAMP-Test session) MUST appear in the sequence of packets. They can
+ appear either at the point when the loss was detected or at any later
+ point. Lost packet records are distinguished as follows:
+
+ + A send timestamp filled with the presumed send time (as computed
+ by the send schedule).
+
+ + A send error estimate filled with Multiplier=1, Scale=64, and S=0
+ (see the OWAMP-Test description for definition of these quantities
+ and explanation of timestamp format and error estimate format).
+
+ + A normal receive error estimate as determined by the error of the
+ clock being used to declare the packet lost. (It is declared lost
+ if it is not received by the Timeout after the presumed send time,
+ as determined by the receiver's clock.)
+
+ + A receive timestamp consisting of all zero bits.
+
+ + A TTL value of 255.
+
+4. OWAMP-Test
+
+ This section describes OWAMP-Test protocol. It runs over UDP, using
+ sender and receiver IP and port numbers negotiated during the
+ Request-Session exchange.
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 27]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ As with OWAMP-Control, OWAMP-Test has three modes: unauthenticated,
+ authenticated, and encrypted. All OWAMP-Test sessions that are
+ spawned by an OWAMP-Control session inherit its mode.
+
+ OWAMP-Control client, OWAMP-Control server, OWAMP-Test sender, and
+ OWAMP-Test receiver can potentially all be different machines. (In a
+ typical case, we expect that there will be only two machines.)
+
+4.1. Sender Behavior
+
+4.1.1. Packet Timings
+
+ Send schedules based on slots, described previously, in conjunction
+ with scheduled session start time, enable the sender and the receiver
+ to compute the same exact packet sending schedule independently of
+ each other. These sending schedules are independent for different
+ OWAMP-Test sessions, even if they are governed by the same OWAMP-
+ Control session.
+
+ Consider any OWAMP-Test session. Once Start-Sessions exchange is
+ complete, the sender is ready to start sending packets. Under normal
+ OWAMP use circumstances, the time to send the first packet is in the
+ near future (perhaps a fraction of a second away). The sender SHOULD
+ send packets as close as possible to their scheduled time, with the
+ following exception: if the scheduled time to send is in the past,
+ and is separated from the present by more than Timeout time, the
+ sender MUST NOT send the packet. (Indeed, such a packet would be
+ considered lost by the receiver anyway.) The sender MUST keep track
+ of which packets it does not send. It will use this to tell the
+ receiver what packets were not sent by setting Skip Ranges in the
+ Stop-Sessions message from the sender to the receiver upon completion
+ of the test. The Skip Ranges are also sent to a Fetch-Client as part
+ of the session data results. These holes in the sending schedule can
+ happen if a time in the past was specified in the Request-Session
+ command, or if the Start-Sessions exchange took unexpectedly long, or
+ if the sender could not start serving the OWAMP-Test session on time
+ due to internal scheduling problems of the OS. Packets that are in
+ the past but are separated from the present by less than Timeout
+ value SHOULD be sent as quickly as possible. With normal test rates
+ and timeout values, the number of packets in such a burst is limited.
+ Nevertheless, hosts SHOULD NOT intentionally schedule sessions so
+ that such bursts of packets occur.
+
+ Regardless of any scheduling delays, each packet that is actually
+ sent MUST have the best possible approximation of its real time of
+ departure as its timestamp (in the packet).
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 28]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+4.1.2. OWAMP-Test Packet Format and Content
+
+ The sender sends the receiver a stream of packets with the schedule
+ specified in the Request-Session command. The sender SHOULD set the
+ TTL in IPv4 (or Hop Limit in IPv6) in the UDP packet to 255. The
+ format of the body of a UDP packet in the stream depends on the mode
+ being used.
+
+ For unauthenticated mode:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timestamp |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Error Estimate | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+ | |
+ . .
+ . Packet Padding .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 29]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ For authenticated and encrypted modes:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | MBZ (12 octets) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Timestamp |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Error Estimate | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+ | MBZ (6 octets) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | HMAC (16 octets) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ . .
+ . Packet Padding .
+ . .
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The format of the timestamp is the same as in [RFC1305] and is as
+ follows: the first 32 bits represent the unsigned integer number of
+ seconds elapsed since 0h on 1 January 1900; the next 32 bits
+ represent the fractional part of a second that has elapsed since
+ then.
+
+ So, Timestamp is represented as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Integer part of seconds |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Fractional part of seconds |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 30]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ The Error Estimate specifies the estimate of the error and
+ synchronization. It has the following format:
+
+ 0 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |S|Z| Scale | Multiplier |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The first bit, S, SHOULD be set if the party generating the timestamp
+ has a clock that is synchronized to UTC using an external source
+ (e.g., the bit should be set if GPS hardware is used and it indicates
+ that it has acquired current position and time or if NTP is used and
+ it indicates that it has synchronized to an external source, which
+ includes stratum 0 source, etc.). If there is no notion of external
+ synchronization for the time source, the bit SHOULD NOT be set. The
+ next bit has the same semantics as MBZ fields elsewhere: it MUST be
+ set to zero by the sender and ignored by everyone else. The next six
+ bits, Scale, form an unsigned integer; Multiplier is an unsigned
+ integer as well. They are interpreted as follows: the error estimate
+ is equal to Multiplier*2^(-32)*2^Scale (in seconds). (Notation
+ clarification: 2^Scale is two to the power of Scale.) Multiplier
+ MUST NOT be set to zero. If Multiplier is zero, the packet SHOULD be
+ considered corrupt and discarded.
+
+ Sequence numbers start with zero and are incremented by one for each
+ subsequent packet.
+
+ The minimum data segment length is, therefore, 14 octets in
+ unauthenticated mode, and 48 octets in both authenticated mode and
+ encrypted modes.
+
+ The OWAMP-Test packet layout is the same in authenticated and
+ encrypted modes. The encryption and authentication operations are,
+ however, different. The difference is that in encrypted mode both
+ the sequence number and the timestamp are protected to provide
+ maximum data confidentiality and integrity protection, whereas in
+ authenticated mode the sequence number is protected while the
+ timestamp is sent in clear text. Sending the timestamp in clear text
+ in authenticated mode allows one to reduce the time between when a
+ timestamp is obtained by a sender and when the packet is shipped out.
+ In encrypted mode, the sender has to fetch the timestamp, encrypt it,
+ and send it; in authenticated mode, the middle step is removed,
+ potentially improving accuracy (the sequence number can be encrypted
+ and authenticated before the timestamp is fetched).
+
+ In authenticated mode, the first block (16 octets) of each packet is
+ encrypted using AES Electronic Cookbook (ECB) mode.
+
+
+
+Shalunov, et al. Standards Track [Page 31]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ Similarly to each OWAMP-Control session, each OWAMP-Test session has
+ two keys: an AES Session-key and an HMAC Session-key. However, there
+ is a difference in how the keys are obtained: in the case of OWAMP-
+ Control, the keys are generated by the client and communicated (as
+ part of the Token) during connection setup as part of Set-Up-Response
+ message; in the case of OWAMP-Test, described here, the keys are
+ derived from the OWAMP-Control keys and the SID.
+
+ The OWAMP-Test AES Session-key is obtained as follows: the OWAMP-
+ Control AES Session-key (the same AES Session-key as is used for the
+ corresponding OWAMP-Control session, where it is used in a different
+ chaining mode) is encrypted, using AES, with the 16-octet session
+ identifier (SID) as the key; this is a single-block ECB encryption;
+ its result is the OWAMP-Test AES Session-key to use in encrypting
+ (and decrypting) the packets of the particular OWAMP-Test session.
+ Note that all of OWAMP-Test AES Session-key, OWAMP-Control AES
+ Session-key, and the SID are comprised of 16 octets.
+
+ The OWAMP-Test HMAC Session-key is obtained as follows: the OWAMP-
+ Control HMAC Session-key (the same HMAC Session-key as is used for
+ the corresponding OWAMP-Control session) is encrypted, using AES,
+ with the 16-octet session identifier (SID) as the key; this is a
+ two-block CBC encryption, always performed with IV=0; its result is
+ the OWAMP-Test HMAC Session-key to use in authenticating the packets
+ of the particular OWAMP-Test session. Note that all of OWAMP-Test
+ HMAC Session-key and OWAMP-Control HMAC Session-key are comprised of
+ 32 octets, while the SID is 16 octets.
+
+ ECB mode used for encrypting the first block of OWAMP-Test packets in
+ authenticated mode does not involve any actual chaining; this way,
+ lost, duplicated, or reordered packets do not cause problems with
+ deciphering any packet in an OWAMP-Test session.
+
+ In encrypted mode, the first two blocks (32 octets) are encrypted
+ using AES CBC mode. The AES Session-key to use is obtained in the
+ same way as the key for authenticated mode. Each OWAMP-Test packet
+ is encrypted as a separate stream, with just one chaining operation;
+ chaining does not span multiple packets so that lost, duplicated, or
+ reordered packets do not cause problems. The initialization vector
+ for the CBC encryption is a value with all bits equal to zero.
+
+ Implementation note: Naturally, the key schedule for each OWAMP-Test
+ session MAY be set up only once per session, not once per packet.
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 32]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ HMAC in OWAMP-Test only covers the part of the packet that is also
+ encrypted. So, in authenticated mode, HMAC covers the first block
+ (16 octets); in encrypted mode, HMAC covers two first blocks (32
+ octets). In OWAMP-Test HMAC is not encrypted (note that this is
+ different from OWAMP-Control, where encryption in stream mode is
+ used, so everything including the HMAC blocks ends up being
+ encrypted).
+
+ In unauthenticated mode, no encryption or authentication is applied.
+
+ Packet Padding in OWAMP-Test SHOULD be pseudo-random (it MUST be
+ generated independently of any other pseudo-random numbers mentioned
+ in this document). However, implementations MUST provide a
+ configuration parameter, an option, or a different means of making
+ Packet Padding consist of all zeros.
+
+ The time elapsed between packets is computed according to the slot
+ schedule as mentioned in Request-Session command description. At
+ that point, we skipped over the issue of computing exponentially
+ distributed pseudo-random numbers in a reproducible fashion. It is
+ discussed later in a separate section.
+
+4.2. Receiver Behavior
+
+ The receiver knows when the sender will send packets. The following
+ parameter is defined: Timeout (from Request-Session). Packets that
+ are delayed by more than Timeout are considered lost (or "as good as
+ lost"). Note that there is never an actual assurance of loss by the
+ network: a "lost" packet might still be delivered at any time. The
+ original specification for IPv4 required that packets be delivered
+ within TTL seconds or never (with TTL having a maximum value of 255).
+ To the best of the authors' knowledge, this requirement was never
+ actually implemented (and, of course, only a complete and universal
+ implementation would ensure that packets do not travel for longer
+ than TTL seconds). In fact, in IPv6, the name of this field has
+ actually been changed to Hop Limit. Further, IPv4 specification
+ makes no claims about the time it takes the packet to traverse the
+ last link of the path.
+
+ The choice of a reasonable value of Timeout is a problem faced by a
+ user of OWAMP protocol, not by an implementor. A value such as two
+ minutes is very safe. Note that certain applications (such as
+ interactive "one-way ping" might wish to obtain the data faster than
+ that.
+
+ As packets are received,
+
+ + timestamp the received packet;
+
+
+
+Shalunov, et al. Standards Track [Page 33]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ + in authenticated or encrypted mode, decrypt and authenticate as
+ necessary (packets for which authentication fails MUST be
+ discarded); and
+
+ + store the packet sequence number, send time, receive time, and the
+ TTL for IPv4 (or Hop Limit for IPv6) from the packet IP header for
+ the results to be transferred.
+
+ Packets not received within the Timeout are considered lost. They
+ are recorded with their true sequence number, presumed send time,
+ receive time value with all bits being zero, and a TTL (or Hop Limit)
+ of 255.
+
+ Implementations SHOULD fetch the TTL/Hop Limit value from the IP
+ header of the packet. If an implementation does not fetch the actual
+ TTL value (the only good reason not to do so is an inability to
+ access the TTL field of arriving packets), it MUST record the TTL
+ value as 255.
+
+ Packets that are actually received are recorded in the order of
+ arrival. Lost packet records serve as indications of the send times
+ of lost packets. They SHOULD be placed either at the point where the
+ receiver learns about the loss or at any later point; in particular,
+ one MAY place all the records that correspond to lost packets at the
+ very end.
+
+ Packets that have send time in the future MUST be recorded normally,
+ without changing their send timestamp, unless they have to be
+ discarded. (Send timestamps in the future would normally indicate
+ clocks that differ by more than the delay. Some data -- such as
+ jitter -- can be extracted even without knowledge of time difference.
+ For other kinds of data, the adjustment is best handled by the data
+ consumer on the basis of the complete information in a measurement
+ session, as well as, possibly, external data.)
+
+ Packets with a sequence number that was already observed (duplicate
+ packets) MUST be recorded normally. (Duplicate packets are sometimes
+ introduced by IP networks. The protocol has to be able to measure
+ duplication.)
+
+ If any of the following is true, the packet MUST be discarded:
+
+ + Send timestamp is more than Timeout in the past or in the future.
+
+ + Send timestamp differs by more than Timeout from the time when the
+ packet should have been sent according to its sequence number.
+
+ + In authenticated or encrypted mode, HMAC verification fails.
+
+
+
+Shalunov, et al. Standards Track [Page 34]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+5. Computing Exponentially Distributed Pseudo-Random Numbers
+
+ Here we describe the way exponential random quantities used in the
+ protocol are generated. While there is a fair number of algorithms
+ for generating exponential random variables, most of them rely on
+ having logarithmic function as a primitive, resulting in potentially
+ different values, depending on the particular implementation of the
+ math library. We use algorithm 3.4.1.S from [KNUTH], which is free
+ of the above-mentioned problem, and which guarantees the same output
+ on any implementation. The algorithm belongs to the ziggurat family
+ developed in the 1970s by G. Marsaglia, M. Sibuya, and J. H. Ahrens
+ [ZIGG]. It replaces the use of logarithmic function by clever bit
+ manipulation, still producing the exponential variates on output.
+
+5.1. High-Level Description of the Algorithm
+
+ For ease of exposition, the algorithm is first described with all
+ arithmetic operations being interpreted in their natural sense.
+ Later, exact details on data types, arithmetic, and generation of the
+ uniform random variates used by the algorithm are given. It is an
+ almost verbatim quotation from [KNUTH], p.133.
+
+ Algorithm S: Given a real positive number "mu", produce an
+ exponential random variate with mean "mu".
+
+ First, the constants
+
+ Q[k] = (ln2)/(1!) + (ln2)^2/(2!) + ... + (ln2)^k/(k!), 1 <= k <= 11
+
+ are computed in advance. The exact values which MUST be used by all
+ implementations are given in the next section. This is necessary to
+ ensure that exactly the same pseudo-random sequences are produced by
+ all implementations.
+
+ S1. [Get U and shift.] Generate a 32-bit uniform random binary
+ fraction
+
+ U = (.b0 b1 b2 ... b31) [note the binary point]
+
+ Locate the first zero bit b_j and shift off the leading (j+1) bits,
+ setting U <- (.b_{j+1} ... b31)
+
+ Note: In the rare case that the zero has not been found, it is
+ prescribed that the algorithm return (mu*32*ln2).
+
+ S2. [Immediate acceptance?] If U < ln2, set X <- mu*(j*ln2 + U) and
+ terminate the algorithm. (Note that Q[1] = ln2.)
+
+
+
+
+Shalunov, et al. Standards Track [Page 35]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ S3. [Minimize.] Find the least k >= 2 such that U < Q[k]. Generate k
+ new uniform random binary fractions U1,...,Uk and set V <-
+ min(U1,...,Uk).
+
+ S4. [Deliver the answer.] Set X <- mu*(j + V)*ln2.
+
+5.2. Data Types, Representation, and Arithmetic
+
+ The high-level algorithm operates on real numbers, typically
+ represented as floating point numbers. This specification prescribes
+ that unsigned 64-bit integers be used instead.
+
+ u_int64_t integers are interpreted as real numbers by placing the
+ decimal point after the first 32 bits. In other words, conceptually,
+ the interpretation is given by the following map:
+
+ u_int64_t u;
+
+ u |--> (double)u / (2**32)
+
+ The algorithm produces a sequence of such u_int64_t integers that,
+ for any given value of SID, is guaranteed to be the same on any
+ implementation.
+
+ We specify that the u_int64_t representations of the first 11 values
+ of the Q array in the high-level algorithm MUST be as follows:
+
+ #1 0xB17217F8,
+ #2 0xEEF193F7,
+ #3 0xFD271862,
+ #4 0xFF9D6DD0,
+ #5 0xFFF4CFD0,
+ #6 0xFFFEE819,
+ #7 0xFFFFE7FF,
+ #8 0xFFFFFE2B,
+ #9 0xFFFFFFE0,
+ #10 0xFFFFFFFE,
+ #11 0xFFFFFFFF
+
+ For example, Q[1] = ln2 is indeed approximated by 0xB17217F8/(2**32)
+ = 0.693147180601954; for j > 11, Q[j] is 0xFFFFFFFF.
+
+ Small integer j in the high-level algorithm is represented as
+ u_int64_t value j * (2**32).
+
+ Operation of addition is done as usual on u_int64_t numbers; however,
+ the operation of multiplication in the high-level algorithm should be
+ replaced by
+
+
+
+Shalunov, et al. Standards Track [Page 36]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ (u, v) |---> (u * v) >> 32.
+
+ Implementations MUST compute the product (u * v) exactly. For
+ example, a fragment of unsigned 128-bit arithmetic can be implemented
+ for this purpose (see the sample implementation in Appendix A).
+
+5.3. Uniform Random Quantities
+
+ The procedure for obtaining a sequence of 32-bit random numbers (such
+ as U in algorithm S) relies on using AES encryption in counter mode.
+ To describe the exact working of the algorithm, we introduce two
+ primitives from Rijndael. Their prototypes and specification are
+ given below, and they are assumed to be provided by the supporting
+ Rijndael implementation, such as [RIJN].
+
+ + A function that initializes a Rijndael key with bytes from seed
+ (the SID will be used as the seed):
+
+ void KeyInit(unsigned char seed[16]);
+
+ + A function that encrypts the 16-octet block inblock with the
+ specified key, returning a 16-octet encrypted block. Here,
+ keyInstance is an opaque type used to represent Rijndael keys:
+
+ void BlockEncrypt(keyInstance key, unsigned char inblock[16]);
+
+ Algorithm Unif: given a 16-octet quantity seed, produce a sequence of
+ unsigned 32-bit pseudo-random uniformly distributed integers. In
+ OWAMP, the SID (session ID) from Control protocol plays the role of
+ seed.
+
+ U1. [Initialize Rijndael key] key <- KeyInit(seed) [Initialize an
+ unsigned 16-octet (network byte order) counter] c <- 0
+
+ U2. [Need more random bytes?] Set i <- c mod 4. If (i == 0) set s
+ <- BlockEncrypt(key, c)
+
+ U3. [Increment the counter as unsigned 16-octet quantity] c <- c + 1
+
+ U4. [Do output] Output the i_th quartet of octets from s starting
+ from high-order octets, converted to native byte order and
+ represented as OWPNum64 value (as in 3.b).
+
+ U5. [Loop] Go to step U2.
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 37]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+6. Security Considerations
+
+6.1. Introduction
+
+ The goal of authenticated mode is to let one passphrase-protect the
+ service provided by a particular OWAMP-Control server. One can
+ imagine a variety of circumstances where this could be useful.
+ Authenticated mode is designed to prohibit theft of service.
+
+ An additional design objective of the authenticated mode was to make
+ it impossible for an attacker who cannot read traffic between OWAMP-
+ Test sender and receiver to tamper with test results in a fashion
+ that affects the measurements, but not other traffic.
+
+ The goal of encrypted mode is quite different: to make it hard for a
+ party in the middle of the network to make results look "better" than
+ they should be. This is especially true if one of client and server
+ does not coincide with either sender or receiver.
+
+ Encryption of OWAMP-Control using AES CBC mode with blocks of HMAC
+ after each message aims to achieve two goals: (i) to provide secrecy
+ of exchange, and (ii) to provide authentication of each message.
+
+6.2. Preventing Third-Party Denial of Service
+
+ OWAMP-Test sessions directed at an unsuspecting party could be used
+ for denial of service (DoS) attacks. In unauthenticated mode,
+ servers SHOULD limit receivers to hosts they control or to the OWAMP-
+ Control client.
+
+ Unless otherwise configured, the default behavior of servers MUST be
+ to decline requests where the Receiver Address field is not equal to
+ the address that the control connection was initiated from or an
+ address of the server (or an address of a host it controls). Given
+ the TCP handshake procedure and sequence numbers in the control
+ connection, this ensures that the hosts that make such requests are
+ actually those hosts themselves, or at least on the path towards
+ them. If either this test or the handshake procedure were omitted,
+ it would become possible for attackers anywhere in the Internet to
+ request that large amounts of test packets be directed against victim
+ nodes somewhere else.
+
+ In any case, OWAMP-Test packets with a given source address MUST only
+ be sent from the node that has been assigned that address (i.e.,
+ address spoofing is not permitted).
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 38]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+6.3. Covert Information Channels
+
+ OWAMP-Test sessions could be used as covert channels of information.
+ Environments that are worried about covert channels should take this
+ into consideration.
+
+6.4. Requirement to Include AES in Implementations
+
+ Notice that AES, in counter mode, is used for pseudo-random number
+ generation, so implementation of AES MUST be included even in a
+ server that only supports unauthenticated mode.
+
+6.5. Resource Use Limitations
+
+ An OWAMP server can consume resources of various kinds. The two most
+ important kinds of resources are network capacity and memory (primary
+ or secondary) for storing test results.
+
+ Any implementation of OWAMP server MUST include technical mechanisms
+ to limit the use of network capacity and memory. Mechanisms for
+ managing the resources consumed by unauthenticated users and users
+ authenticated with a KeyID and passphrase SHOULD be separate. The
+ default configuration of an implementation MUST enable these
+ mechanisms and set the resource use limits to conservatively low
+ values.
+
+ One way to design the resource limitation mechanisms is as follows:
+ assign each session to a user class. User classes are partially
+ ordered with "includes" relation, with one class ("all users") that
+ is always present and that includes any other class. The assignment
+ of a session to a user class can be based on the presence of
+ authentication of the session, the KeyID, IP address range, time of
+ day, and, perhaps, other factors. Each user class would have a limit
+ for usage of network capacity (specified in units of bit/second) and
+ memory for storing test results (specified in units of octets).
+ Along with the limits for resource use, current use would be tracked
+ by the server. When a session is requested by a user in a specific
+ user class, the resources needed for this session are computed: the
+ average network capacity use (based on the sending schedule) and the
+ maximum memory use (based on the number of packets and number of
+ octets each packet would need to be stored internally -- note that
+ outgoing sessions would not require any memory use). These resource
+ use numbers are added to the current resource use numbers for the
+ given user class; if such addition would take the resource use
+ outside of the limits for the given user class, the session is
+ rejected. When resources are reclaimed, corresponding measures are
+ subtracted from the current use. Network capacity is reclaimed as
+ soon as the session ends. Memory is reclaimed when the data is
+
+
+
+Shalunov, et al. Standards Track [Page 39]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ deleted. For unauthenticated sessions, memory consumed by an OWAMP-
+ Test session SHOULD be reclaimed after the OWAMP-Control connection
+ that initiated the session is closed (gracefully or otherwise). For
+ authenticated sessions, the administrator who configures the service
+ should be able to decide the exact policy, but useful policy
+ mechanisms that MAY be implemented are the ability to automatically
+ reclaim memory when the data is retrieved and the ability to reclaim
+ memory after a certain configurable (based on user class) period of
+ time passes after the OWAMP-Test session terminates.
+
+6.6. Use of Cryptographic Primitives in OWAMP
+
+ At an early stage in designing the protocol, we considered using
+ Transport Layer Security (TLS) [RFC2246, RFC3546] and IPsec [RFC2401]
+ as cryptographic security mechanisms for OWAMP; later, we also
+ considered DTLS. The disadvantages of those are as follows (not an
+ exhaustive list):
+
+ Regarding TLS:
+
+ + TLS could be used to secure TCP-based OWAMP-Control, but it would
+ be difficult to use it to secure UDP-based OWAMP-Test: OWAMP-Test
+ packets, if lost, are not resent, so packets have to be
+ (optionally) encrypted and authenticated while retaining
+ individual usability. Stream-based TLS cannot be easily used for
+ this.
+
+ + Dealing with streams, TLS does not authenticate individual
+ messages (even in OWAMP-Control). The easiest way out would be to
+ add some known-format padding to each message and to verify that
+ the format of the padding is intact before using the message. The
+ solution would thus lose some of its appeal ("just use TLS"). It
+ would also be much more difficult to evaluate the security of this
+ scheme with the various modes and options of TLS; it would almost
+ certainly not be secure with all. The capacity of an attacker to
+ replace parts of messages (namely, the end) with random garbage
+ could have serious security implications and would need to be
+ analyzed carefully. Suppose, for example, that a parameter that
+ is used in some form to control the rate were replaced by random
+ garbage; chances are that the result (an unsigned integer) would
+ be quite large.
+
+ + Dependent on the mode of use, one can end up with a requirement
+ for certificates for all users and a PKI. Even if one is to
+ accept that PKI is desirable, there just isn't a usable one today.
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 40]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ + TLS requires a fairly large implementation. OpenSSL, for example,
+ is larger than our implementation of OWAMP as a whole. This can
+ matter for embedded implementations.
+
+ Regarding DTLS:
+
+ + Duplication and, similarly, reordering are network phenomena that
+ OWAMP needs to be able to measure; yet anti-replay measures and
+ reordering protection of DTLS would prevent the duplicated and
+ reordered packets from reaching the relevant part of the OWAMP
+ code. One could, of course, modify DTLS so that these protections
+ are weakened or even specify examining the messages in a carefully
+ crafted sequence somewhere in between DTLS checks; but then, of
+ course, the advantage of using an existing protocol would not be
+ realized.
+
+ + In authenticated mode, the timestamp is in the clear and is not
+ protected cryptographically in any way, while the rest of the
+ message has the same protection as in encrypted mode. This mode
+ allows one to trade off cryptographic protection against accuracy
+ of timestamps. For example, the APAN hardware implementation of
+ OWAMP [APAN] is capable of supporting authenticated mode. The
+ accuracy of these measurements is in the sub-microsecond range.
+ The errors in OWAMP measurements of Abilene [Abilene] (done using
+ a software implementation, in its encrypted mode) exceed 10us.
+ Users in different environments have different concerns, and some
+ might very well care about every last microsecond of accuracy. At
+ the same time, users in these same environments might care about
+ access control to the service. Authenticated mode permits them to
+ control access to the server yet to use unprotected timestamps,
+ perhaps generated by a hardware device.
+
+ Regarding IPsec:
+
+ + What we now call authenticated mode would not be possible (in
+ IPsec you can't authenticate part of a packet).
+
+ + The deployment paths of IPsec and OWAMP could be separate if OWAMP
+ does not depend on IPsec. After nine years of IPsec, only 0.05%
+ of traffic on an advanced backbone network, such as Abilene, uses
+ IPsec (for comparison purposes with encryption above layer 4, SSH
+ use is at 2-4% and HTTPS use is at 0.2-0.6%). It is desirable to
+ be able to deploy OWAMP on as large a number of different
+ platforms as possible.
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 41]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ + The deployment problems of a protocol dependent on IPsec would be
+ especially acute in the case of lightweight embedded devices.
+ Ethernet switches, DSL "modems", and other such devices mostly do
+ not support IPsec.
+
+ + The API for manipulating IPsec from an application is currently
+ poorly understood. Writing a program that needs to encrypt some
+ packets, to authenticate some packets, and to leave some open --
+ for the same destination -- would become more of an exercise in
+ IPsec than in IP measurement.
+
+ For the enumerated reasons, we decided to use a simple cryptographic
+ protocol (based on a block cipher in CBC mode) that is different from
+ TLS and IPsec.
+
+6.7. Cryptographic Primitive Replacement
+
+ It might become necessary in the future to replace AES, or the way it
+ is used in OWAMP, with a new cryptographic primitive, or to make
+ other security-related changes to the protocol. OWAMP provides a
+ well-defined point of extensibility: the Modes word in the server
+ greeting and the Mode response in the Set-Up-Response message. For
+ example, if a simple replacement of AES with a different block cipher
+ with a 128-bit block is needed, this could be accomplished as
+ follows: take two bits from the reserved (MBZ) part of the Modes word
+ of the server greeting; use one of these bits to indicate encrypted
+ mode with the new cipher and another one to indicate authenticated
+ mode with the new cipher. (Bit consumption could, in fact, be
+ reduced from two to one, if the client is allowed to return a mode
+ selection with more than a single bit set: one could designate a
+ single bit to mean that the new cipher is supported (in the case of
+ the server) or selected (in the case of the client) and continue to
+ use already allocated bits for authenticated and encrypted modes;
+ this optimization is unimportant conceptually, but it could be useful
+ in practice to make the best use of bits.) Then, if the new cipher
+ is negotiated, all subsequent operations simply use it instead of
+ AES. Note that the normal transition sequence would be used in such
+ a case: implementations would probably first start supporting and
+ preferring the new cipher, and then drop support for the old cipher
+ (presumably no longer considered secure).
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 42]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ If the need arises to make more extensive changes (perhaps to replace
+ AES with a 256-bit-block cipher), this would be more difficult and
+ would require changing the layout of the messages. However, the
+ change can still be conducted within the framework of OWAMP
+ extensibility using the Modes/Mode words. The semantics of the new
+ bits (or single bit, if the optimization described above is used)
+ would include the change to message layout as well as the change in
+ the cryptographic primitive.
+
+ Each of the bits in the Modes word can be used for an independent
+ extension. The extensions signaled by various bits are orthogonal;
+ for example, one bit might be allocated to change from AES-128 to
+ some other cipher, another bit might be allocated to add a protocol
+ feature (such as, e.g., support for measuring over multicast), yet
+ another might be allocated to change a key derivation function, etc.
+ The progression of versions is not a linear order, but rather a
+ partial order. An implementation can implement any subset of these
+ features (of course, features can be made mandatory to implement,
+ e.g., new more secure ciphers if they are needed).
+
+ Should a cipher with a different key size (say, a 256-bit key) become
+ needed, a new key derivation function for OWAMP-Test keys would also
+ be needed. The semantics of change in the cipher SHOULD then in the
+ future be tied to the semantics of change in the key derivation
+ function (KDF). One KDF that might be considered for the purpose
+ might be a pseudo-random function (PRF) with appropriately sized
+ output, such as 256 bits (perhaps HMAC-SHA256, if it is then still
+ considered a secure PRF), which could then be used to derive the
+ OWAMP-Test session keys from the OWAMP-Control session key by using
+ the OWAMP-Control session key as the HMAC key and the SID as HMAC
+ message.
+
+ Note that the replacement scheme outlined above is trivially
+ susceptible to downgrade attacks: a malicious party in the middle can
+ flip modes bits as the mode is negotiated so that the oldest and
+ weakest mode supported by the two parties is used. If this is deemed
+ problematic at the time of cryptographic primitive replacement, the
+ scheme might be augmented with a measure to prevent such an attack
+ (by perhaps exchanging the modes again once a secure communications
+ channel is established, comparing the two sets of mode words, and
+ dropping the connection should they not match).
+
+6.8. Long-term Manually Managed Keys
+
+ OWAMP-Control uses long-term keys with manual management. These keys
+ are used to automatically negotiate session keys for each OWAMP-
+ Control session running in authenticated or encrypted mode. The
+ number of these keys managed by a server scales linearly with (and,
+
+
+
+Shalunov, et al. Standards Track [Page 43]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ in fact, is equal to) the number of administratively different users
+ (perhaps particular humans, roles, or robots representing sites) that
+ need to connect to this server. Similarly, the number of different
+ manual keys managed by each client is the number of different servers
+ that the client needs to connect to. This use of manual long-term
+ keys is compliant with [BCP107].
+
+6.9. (Not) Using Time as Salt
+
+ A natural idea is to use the current time as salt when deriving
+ session keys. Unfortunately, this appears to be too limiting.
+
+ Although OWAMP is often run on hosts with well-synchronized clocks,
+ it is also possible to run it on hosts with clocks completely
+ untrained. The delays obtained thus are, of course, not directly
+ usable; however, some metrics, such as unidirectional loss,
+ reordering, measures of congestion such as the median delay minus
+ minimum, and many others are usable directly and immediately (and
+ improve upon the information that would have been provided by a
+ round-trip measurement). Further, even delay information can be
+ useful with appropriate post-processing. Indeed, one can even argue
+ that running the clocks free and post-processing the results of a
+ mesh of measurements will result in better accuracy, as more
+ information is available a posteriori and correlation of data from
+ different hosts is possible in post-processing, but not with online
+ clock training.
+
+ Given this, time is not used as salt in key derivation.
+
+6.10. The Use of AES-CBC and HMAC
+
+ OWAMP relies on AES-CBC for confidentiality and on HMAC-SHA1
+ truncated to 128 bits for message authentication. Random IV choice
+ is important for prevention of a codebook attack on the first block
+ (it should also be noted that, with its 128-bit block size, AES is
+ more resistant to codebook attacks than are ciphers with shorter
+ blocks; we use random IV anyway).
+
+ HMAC MUST verify. It is crucial to check for this before using the
+ message; otherwise, existential forgery becomes possible. The
+ complete message for which HMAC verification fails MUST be discarded
+ (both for short messages consisting of a few blocks and potentially
+ for long messages, such as a response to the Fetch-Session command).
+ If such a message is part of OWAMP-Control, the connection MUST be
+ dropped.
+
+ Since OWAMP messages can have different numbers of blocks, the
+ existential forgery attack described in example 9.62 of [MENEZES]
+
+
+
+Shalunov, et al. Standards Track [Page 44]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ becomes a concern. To prevent it (and to simplify implementation),
+ the length of any message becomes known after decrypting its first
+ block.
+
+ A special case is the first (fixed-length) message sent by the
+ client. There, the token is a concatenation of the 128-bit challenge
+ (transmitted by the server in the clear), a 128-bit AES Session-key
+ (generated randomly by the client, encrypted with AES-CBC with IV=0),
+ and a 256-bit HMAC-SHA1 Session-key used for authentication. Since
+ IV=0, the challenge (a single cipher block) is simply encrypted with
+ the secret key. Therefore, we rely on resistance of AES to chosen
+ plaintext attacks (as the challenge could be substituted by an
+ attacker). It should be noted that the number of blocks of chosen
+ plaintext an attacker can have encrypted with the secret key is
+ limited by the number of sessions the client wants to initiate. An
+ attacker who knows the encryption of a server's challenge can produce
+ an existential forgery of the session key and thus disrupt the
+ session; however, any attacker can disrupt a session by corrupting
+ the protocol messages in an arbitrary fashion. Therefore, no new
+ threat is created here; nevertheless, we require that the server
+ never issues the same challenge twice. (If challenges are generated
+ randomly, a repetition would occur, on average, after 2^64 sessions;
+ we deem this satisfactory as this is enough even for an implausibly
+ busy server that participates in 1,000,000 sessions per second to go
+ without repetitions for more than 500 centuries.) With respect to
+ the second part of the token, an attacker can produce an existential
+ forgery of the session key by modifying the second half of the
+ client's token while leaving the first part intact. This forgery,
+ however, would be immediately discovered by the client when the HMAC
+ on the server's next message (acceptance or rejection of the
+ connection) does not verify.
+
+7. Acknowledgements
+
+ We would like to thank Guy Almes, Mark Allman, Jari Arkko, Hamid
+ Asgari, Steven Van den Berghe, Eric Boyd, Robert Cole, Joan
+ Cucchiara, Stephen Donnelly, Susan Evett, Sam Hartman, Kaynam
+ Hedayat, Petri Helenius, Scott Hollenbeck, Russ Housley, Kitamura
+ Yasuichi, Daniel H. T. R. Lawson, Will E. Leland, Bruce A. Mah,
+ Allison Mankin, Al Morton, Attila Pasztor, Randy Presuhn, Matthew
+ Roughan, Andy Scherrer, Henk Uijterwaal, and Sam Weiler for their
+ comments, suggestions, reviews, helpful discussion and proof-reading.
+
+8. IANA Considerations
+
+ IANA has allocated a well-known TCP port number (861) for the OWAMP-
+ Control part of the OWAMP protocol.
+
+
+
+
+Shalunov, et al. Standards Track [Page 45]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+9. Internationalization Considerations
+
+ The protocol does not carry any information in a natural language,
+ with the possible exception of the KeyID in OWAMP-Control, which is
+ encoded in UTF-8.
+
+10. References
+
+10.1. Normative References
+
+ [AES] Advanced Encryption Standard (AES),
+ http://csrc.nist.gov/encryption/aes/
+
+ [BCP107] Bellovin, S. and R. Housley, "Guidelines for
+ Cryptographic Key Management", BCP 107, RFC 4107,
+ June 2005.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2330] Paxson, V., Almes, G., Mahdavi, J., and M. Mathis,
+ "Framework for IP Performance Metrics", RFC 2330, May
+ 1998.
+
+ [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
+ "Definition of the Differentiated Services Field (DS
+ Field) in the IPv4 and IPv6 Headers", RFC 2474,
+ December 1998.
+
+ [RFC2679] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-
+ way Delay Metric for IPPM", RFC 2679, September 1999.
+
+ [RFC2680] Almes, G., Kalidindi, S., and M. Zekauskas, "A One-
+ way Packet Loss Metric for IPPM", RFC 2680, September
+ 1999.
+
+ [RFC2836] Brim, S., Carpenter, B., and F. Le Faucheur, "Per Hop
+ Behavior Identification Codes", RFC 2836, May 2000.
+
+ [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
+ Specification Version 2.0", RFC 2898, September 2000.
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 46]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+10.2. Informative References
+
+ [APAN] Z. Shu and K. Kobayashi, "HOTS: An OWAMP-Compliant
+ Hardware Packet Timestamper", In Proceedings of PAM
+ 2005, http://www.springerlink.com/index/
+ W4GBD39YWC11GQTN.pdf
+
+ [BRIX] Brix Networks, http://www.brixnet.com/
+
+ [ZIGG] J. H. Ahrens, U. Dieter, "Computer methods for
+ sampling from the exponential and normal
+ distributions", Communications of ACM, volume 15,
+ issue 10, 873-882, 1972.
+ http://doi.acm.org/10.1145/355604.361593
+
+ [MENEZES] A. J. Menezes, P. C. van Oorschot, and S. A.
+ Vanstone, Handbook of Applied Cryptography, CRC
+ Press, revised reprint with updates, 1997.
+
+ [KNUTH] D. Knuth, The Art of Computer Programming, vol.2, 3rd
+ edition, 1998.
+
+ [Abilene] One-way Latency Measurement (OWAMP),
+ http://e2epi.internet2.edu/owamp/
+
+ [RIJN] Reference ANSI C Implementation of Rijndael,
+ http://www.esat.kuleuven.ac.be/~rijmen/
+ rijndael/rijndaelref.zip
+
+ [RIPE] RIPE NCC Test-Traffic Measurements home,
+ http://www.ripe.net/test-traffic/.
+
+ [SURVEYOR] Surveyor Home Page,
+ http://www.advanced.org/surveyor/.
+
+ [SURVEYOR-INET] S. Kalidindi and M. Zekauskas, "Surveyor: An
+ Infrastructure for Network Performance Measurements",
+ Proceedings of INET'99, June 1999.
+ http://www.isoc.org/inet99/proceedings/4h/4h_2.htm
+
+ [RFC1305] Mills, D., "Network Time Protocol (Version 3)
+ Specification, Implementation and Analysis", RFC
+ 1305, March 1992.
+
+ [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version
+ 1.0", RFC 2246, January 1999.
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 47]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
+ the Internet Protocol", RFC 2401, November 1998.
+
+ [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D.,
+ Mikkelsen, J., and T. Wright, "Transport Layer
+ Security (TLS) Extensions", RFC 3546, June 2003.
+
+ [RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
+ "Randomness Requirements for Security", BCP 106, RFC
+ 4086, June 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 48]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+Appendix A: Sample C Code for Exponential Deviates
+
+ The values in array Q[] are the exact values that MUST be used by all
+ implementations (see Sections 5.1 and 5.2). This appendix only
+ serves for illustrative purposes.
+
+ /*
+ ** Example usage: generate a stream of exponential (mean 1)
+ ** random quantities (ignoring error checking during initialization).
+ ** If a variate with some mean mu other than 1 is desired, the output
+ ** of this algorithm can be multiplied by mu according to the rules
+ ** of arithmetic we described.
+
+ ** Assume that a 16-octet 'seed' has been initialized
+ ** (as the shared secret in OWAMP, for example)
+ ** unsigned char seed[16];
+
+ ** OWPrand_context next;
+
+ ** (initialize state)
+ ** OWPrand_context_init(&next, seed);
+
+ ** (generate a sequence of exponential variates)
+ ** while (1) {
+ ** u_int64_t num = OWPexp_rand64(&next);
+ <do something with num here>
+ ...
+ ** }
+ */
+
+ #include <stdlib.h>
+
+ typedef u_int64_t u_int64_t;
+
+ /* (K - 1) is the first k such that Q[k] > 1 - 1/(2^32). */
+ #define K 12
+
+ #define BIT31 0x80000000UL /* See if first bit in the lower
+ 32 bits is zero. */
+ #define MASK32(n) ((n) & 0xFFFFFFFFUL)
+
+ #define EXP2POW32 0x100000000ULL
+
+ typedef struct OWPrand_context {
+ unsigned char counter[16];/* Counter (network byte order).*/
+ keyInstance key; /* Key to encrypt the counter.*/
+ unsigned char out[16]; /* The encrypted block.*/
+
+
+
+
+Shalunov, et al. Standards Track [Page 49]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ } OWPrand_context;
+
+ /*
+ ** The array has been computed according to the formula:
+ **
+ ** Q[k] = (ln2)/(1!) + (ln2)^2/(2!) + ... + (ln2)^k/(k!)
+ **
+ ** as described in algorithm S. (The values below have been
+ ** multiplied by 2^32 and rounded to the nearest integer.)
+ ** These exact values MUST be used so that different implementation
+ ** produce the same sequences.
+ */
+ static u_int64_t Q[K] = {
+ 0, /* Placeholder - so array indices start from 1. */
+ 0xB17217F8,
+ 0xEEF193F7,
+ 0xFD271862,
+ 0xFF9D6DD0,
+ 0xFFF4CFD0,
+ 0xFFFEE819,
+ 0xFFFFE7FF,
+ 0xFFFFFE2B,
+ 0xFFFFFFE0,
+ 0xFFFFFFFE,
+ 0xFFFFFFFF
+ };
+
+ /* this element represents ln2 */
+ #define LN2 Q[1]
+
+ /*
+ ** Convert an unsigned 32-bit integer into a u_int64_t number.
+ */
+ u_int64_t
+ OWPulong2num64(u_int32_t a)
+ {
+ return ((u_int64_t)1 << 32) * a;
+ }
+
+ /*
+ ** Arithmetic functions on u_int64_t numbers.
+ */
+
+ /*
+ ** Addition.
+ */
+ u_int64_t
+ OWPnum64_add(u_int64_t x, u_int64_t y)
+
+
+
+Shalunov, et al. Standards Track [Page 50]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ {
+ return x + y;
+ }
+
+ /*
+ ** Multiplication. Allows overflow. Straightforward implementation
+ ** of Algorithm 4.3.1.M (p.268) from [KNUTH].
+ */
+ u_int64_t
+ OWPnum64_mul(u_int64_t x, u_int64_t y)
+ {
+ unsigned long w[4];
+ u_int64_t xdec[2];
+ u_int64_t ydec[2];
+
+ int i, j;
+ u_int64_t k, t, ret;
+
+ xdec[0] = MASK32(x);
+ xdec[1] = MASK32(x>>32);
+ ydec[0] = MASK32(y);
+ ydec[1] = MASK32(y>>32);
+
+ for (j = 0; j < 4; j++)
+ w[j] = 0;
+
+ for (j = 0; j < 2; j++) {
+ k = 0;
+ for (i = 0; ; ) {
+ t = k + (xdec[i]*ydec[j]) + w[i + j];
+ w[i + j] = t%EXP2POW32;
+ k = t/EXP2POW32;
+ if (++i < 2)
+ continue;
+ else {
+ w[j + 2] = k;
+ break;
+ }
+ }
+ }
+
+ ret = w[2];
+ ret <<= 32;
+ return w[1] + ret;
+ }
+
+
+ /*
+
+
+
+Shalunov, et al. Standards Track [Page 51]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ ** Seed the random number generator using a 16-byte quantity 'seed'
+ ** (== the session ID in OWAMP). This function implements step U1
+ ** of algorithm Unif.
+ */
+
+ void
+ OWPrand_context_init(OWPrand_context *next, unsigned char *seed)
+ {
+ int i;
+
+ /* Initialize the key */
+ rijndaelKeyInit(next->key, seed);
+
+ /* Initialize the counter with zeros */
+ memset(next->out, 0, 16);
+ for (i = 0; i < 16; i++)
+ next->counter[i] = 0UL;
+ }
+
+
+ /*
+ ** Random number generating functions.
+ */
+
+ /*
+ ** Generate and return a 32-bit uniform random value (saved in the
+ **less significant half of the u_int64_t). This function implements
+ **steps U2-U4 of the algorithm Unif.
+ */
+ u_int64_t
+ OWPunif_rand64(OWPrand_context *next)
+ {
+ int j;
+ u_int8_t *buf;
+ u_int64_t ret = 0;
+
+ /* step U2 */
+ u_int8_t i = next->counter[15] & (u_int8_t)3;
+ if (!i)
+ rijndaelEncrypt(next->key, next->counter, next->out);
+
+ /* Step U3. Increment next.counter as a 16-octet single
+ quantity in network byte order for AES counter mode. */
+ for (j = 15; j >= 0; j--)
+ if (++next->counter[j])
+ break;
+
+ /* Step U4. Do output. The last 4 bytes of ret now contain
+
+
+
+Shalunov, et al. Standards Track [Page 52]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ the random integer in network byte order */
+ buf = &next->out[4*i];
+ for (j=0; j<4; j++) {
+ ret <<= 8;
+ ret += *buf++;
+ }
+ return ret;
+ }
+
+ /*
+ ** Generate an exponential deviate with mean 1.
+ */
+ u_int64_t
+ OWPexp_rand64(OWPrand_context *next)
+ {
+ unsigned long i, k;
+ u_int32_t j = 0;
+ u_int64_t U, V, J, tmp;
+
+ /* Step S1. Get U and shift */
+ U = OWPunif_rand64(next);
+
+ while ((U & BIT31) && (j < 32)) { /* Shift until first 0. */
+ U <<= 1;
+ j++;
+ }
+ /* Remove the 0 itself. */
+ U <<= 1;
+
+ U = MASK32(U); /* Keep only the fractional part. */
+ J = OWPulong2num64(j);
+
+ /* Step S2. Immediate acceptance? */
+ if (U < LN2) /* return (j*ln2 + U) */
+ return OWPnum64_add(OWPnum64_mul(J, LN2), U);
+
+ /* Step S3. Minimize. */
+ for (k = 2; k < K; k++)
+ if (U < Q[k])
+ break;
+ V = OWPunif_rand64(next);
+ for (i = 2; i <= k; i++) {
+ tmp = OWPunif_rand64(next);
+ if (tmp < V)
+ V = tmp;
+ }
+
+ /* Step S4. Return (j+V)*ln2 */
+
+
+
+Shalunov, et al. Standards Track [Page 53]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+ return OWPnum64_mul(OWPnum64_add(J, V), LN2);
+ }
+
+Appendix B: Test Vectors for Exponential Deviates
+
+ It is important that the test schedules generated by different
+ implementations from identical inputs be identical. The non-trivial
+ part is the generation of pseudo-random exponentially distributed
+ deviates. To aid implementors in verifying interoperability, several
+ test vectors are provided. For each of the four given 128-bit values
+ of SID represented as hexadecimal numbers, 1,000,000 exponentially
+ distributed 64-bit deviates are generated as described above. As
+ they are generated, they are all added to each other. The sum of all
+ 1,000,000 deviates is given as a hexadecimal number for each SID. An
+ implementation MUST produce exactly these hexadecimal numbers. To
+ aid in the verification of the conversion of these numbers to values
+ of delay in seconds, approximate values are given (assuming
+ lambda=1). An implementation SHOULD produce delay values in seconds
+ that are close to the ones given below.
+
+ SID = 0x2872979303ab47eeac028dab3829dab2
+ SUM[1000000] = 0x000f4479bd317381 (1000569.739036 seconds)
+
+ SID = 0x0102030405060708090a0b0c0d0e0f00
+ SUM[1000000] = 0x000f433686466a62 (1000246.524512 seconds)
+
+ SID = 0xdeadbeefdeadbeefdeadbeefdeadbeef
+ SUM[1000000] = 0x000f416c8884d2d3 (999788.533277 seconds)
+
+ SID = 0xfeed0feed1feed2feed3feed4feed5ab
+ SUM[1000000] = 0x000f3f0b4b416ec8 (999179.293967 seconds)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 54]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+Authors' Addresses
+
+ Stanislav Shalunov
+ Internet2
+ 1000 Oakbrook Drive, Suite 300
+ Ann Arbor, MI 48104
+
+ EMail: shalunov@internet2.edu
+ WWW: http://www.internet2.edu/~shalunov/
+
+
+ Benjamin Teitelbaum
+ Internet2
+ 1000 Oakbrook Drive, Suite 300
+ Ann Arbor, MI 48104
+
+ EMail: ben@internet2.edu
+ WWW: http://people.internet2.edu/~ben/
+
+
+ Anatoly Karp
+ Computer Sciences Department
+ University of Wisconsin-Madison
+ Madison, WI 53706
+
+ EMail: akarp@cs.wisc.edu
+
+
+ Jeff W. Boote
+ Internet2
+ 1000 Oakbrook Drive, Suite 300
+ Ann Arbor, MI 48104
+
+ EMail: boote@internet2.edu
+
+
+ Matthew J. Zekauskas
+ Internet2
+ 1000 Oakbrook Drive, Suite 300
+ Ann Arbor, MI 48104
+
+ EMail: matt@internet2.edu
+
+
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 55]
+
+RFC 4656 One-way Active Measurement Protocol September 2006
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2006).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+
+
+Shalunov, et al. Standards Track [Page 56]
+