path: root/doc/rfc/rfc7594.txt
Diffstat (limited to 'doc/rfc/rfc7594.txt')
-rw-r--r-- doc/rfc/rfc7594.txt 3083
1 files changed, 3083 insertions, 0 deletions
diff --git a/doc/rfc/rfc7594.txt b/doc/rfc/rfc7594.txt
new file mode 100644
index 0000000..b3910c1
--- /dev/null
+++ b/doc/rfc/rfc7594.txt
@@ -0,0 +1,3083 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) P. Eardley
+Request for Comments: 7594 BT
+Category: Informational A. Morton
+ISSN: 2070-1721 AT&T Labs
+ M. Bagnulo
+ UC3M
+ T. Burbridge
+ BT
+ P. Aitken
+ Brocade
+ A. Akhter
+ Consultant
+ September 2015
+
+
+A Framework for Large-Scale Measurement of Broadband Performance (LMAP)
+
+Abstract
+
+ Measuring broadband service on a large scale requires a description
+ of the logical architecture and standardisation of the key protocols
+ that coordinate interactions between the components. This document
+ presents an overall framework for large-scale measurements. It also
+ defines terminology for LMAP (Large-Scale Measurement of Broadband
+ Performance).
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7594.
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 1]
+
+RFC 7594 LMAP Framework September 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Outline of an LMAP-Based Measurement System . . . . . . . . . 5
+ 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 4.1. The Measurement System Is Under the Direction of a Single
+ Organisation . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.2. Each MA May Only Have a Single Controller at Any Point in
+ Time . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13
+ 5.1. Bootstrapping Process . . . . . . . . . . . . . . . . . . 14
+ 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15
+ 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15
+ 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16
+ 5.2.3. Capabilities, Failure, and Logging Information . . . 20
+ 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 22
+ 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22
+ 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 24
+ 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 24
+ 5.4.1. Reporting of the Subscriber's Service Parameters . . 26
+ 5.5. Operation of LMAP over the Underlying Packet Transfer
+ Mechanism . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 5.6. Items beyond the Scope of the Initial LMAP Work . . . . . 27
+ 5.6.1. End-User-Controlled Measurement System . . . . . . . 28
+ 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 29
+ 6.1. Controller and the Measurement System . . . . . . . . . . 29
+ 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 30
+ 6.2.1. Measurement Agent on a Networked Device . . . . . . . 30
+ 6.2.2. Measurement Agent Embedded in a Site Gateway . . . . 31
+ 6.2.3. Measurement Agent Embedded behind a Site NAT or
+ Firewall . . . . . . . . . . . . . . . . . . . . . . 31
+
+
+
+
+Eardley, et al. Informational [Page 2]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ 6.2.4. Multihomed Measurement Agent . . . . . . . . . . . . 31
+ 6.2.5. Measurement Agent Embedded in an ISP Network . . . . 32
+ 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 32
+ 6.4. Deployment Examples . . . . . . . . . . . . . . . . . . . 33
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 36
+ 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 38
+ 8.1. Categories of Entities with Information of Interest . . . 38
+ 8.2. Examples of Sensitive Information . . . . . . . . . . . . 39
+ 8.3. Different Privacy Issues Raised by Different Sorts of
+ Measurement Methods . . . . . . . . . . . . . . . . . . . 40
+ 8.4. Privacy Analysis of the Communication Models . . . . . . 41
+ 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 41
+ 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 42
+ 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 43
+ 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 43
+ 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 45
+ 8.4.6. Storage and Reporting of Measurement Results . . . . 46
+ 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 46
+ 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 46
+ 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 47
+ 8.5.3. Correlation and Identification . . . . . . . . . . . 47
+ 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 48
+ 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 48
+ 8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 48
+ 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 49
+ 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 50
+ 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 50
+ 9. Informative References . . . . . . . . . . . . . . . . . . . 51
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 54
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
+
+1. Introduction
+
+ There is a desire to be able to coordinate the execution of broadband
+ measurements and the collection of measurement results across a large
+ scale set of Measurement Agents (MAs). These MAs could be
+ software-based agents on PCs, embedded agents in consumer devices
+ (such as TVs or gaming consoles), embedded in service-provider-
+ controlled devices such as set-top boxes and home gateways, or simply
+ dedicated probes. MAs may also be embedded on a device that is part
+ of an ISP's network, such as a DSLAM (Digital Subscriber Line Access
+ Multiplexer), router, Carrier Grade NAT (Network Address Translator),
+ or ISP Gateway. It is expected that a measurement system could
+ easily encompass a few hundred thousand or even millions of such MAs.
+ Such a scale presents unique problems in coordination, execution, and
+ measurement result collection. Several use cases have been proposed
+ for large-scale measurements including:
+
+
+
+
+Eardley, et al. Informational [Page 3]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o Operators: to help plan their network and identify faults
+
+ o Regulators: to benchmark several network operators and support
+ public policy development
+
+ Further details of the use cases can be found in [RFC7536]. The LMAP
+ framework should be useful for these, as well as other use cases,
+ such as to help end users run diagnostic checks like a network speed
+ test.
+
+ The LMAP framework has three basic elements: Measurement Agents,
+ Controllers, and Collectors.
+
+ Measurement Agents (MAs) initiate the actual measurements, which are
+ called Measurement Tasks in the LMAP terminology. In principle,
+ there are no restrictions on the type of device in which the MA
+ function resides.
+
+ The Controller instructs one or more MAs and communicates the set of
+ Measurement Tasks an MA should perform and when. For example, it may
+ instruct an MA at a home gateway: "Measure the 'UDP latency' with
+ www.example.org; repeat every hour at xx.05". The Controller also
+ manages an MA by instructing it on how to report the Measurement
+ Results, for example: "Report results once a day in a batch at 4am".
+ We refer to these as the Measurement Schedule and Report Schedule.
+
+ The Collector accepts Reports from the MAs with the Results from
+ their Measurement Tasks. Therefore, the MA is a device that gets
+ Instructions from the Controller, initiates the Measurement Tasks,
+ and reports to the Collector. The communications between these three
+ LMAP functions are structured according to a Control Protocol and a
+ Report Protocol.
+
+ The design goals are the following large-scale Measurement System
+ features:
+
+ o Standardised - in terms of the Measurement Tasks that they
+ perform, the components, the data models, and the protocols for
+ transferring information between the components. Amongst other
+ things, standardisation enables meaningful comparisons of
+ measurements made of the same Metric at different times and
+ places, and provides the operator of a Measurement System with
+ criteria for evaluation of the different solutions that can be
+ used for various purposes including buying decisions (such as
+ buying the various components from different vendors). Today's
+ systems are proprietary in some or all of these aspects.
+
+
+
+
+
+Eardley, et al. Informational [Page 4]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o Large-scale - [RFC7536] envisages Measurement Agents in every home
+ gateway and edge device such as set-top boxes and tablet
+ computers, and located throughout the Internet as well [RFC7398].
+ It is expected that a Measurement System could easily encompass a
+ few hundred thousand or even millions of Measurement Agents.
+ Existing systems have up to a few thousand MAs (without judging
+ how much further they could scale).
+
+ o Diversity - a Measurement System should handle Measurement Agents
+ from different vendors that are in wired and wireless networks,
+ can execute different sorts of Measurement Tasks, are on devices
+ with IPv4 or IPv6 addresses, and so on.
+
+ o Privacy Respecting - the protocols and procedures should respect
+ the sensitive information of all those involved in measurements.
+
+2. Outline of an LMAP-Based Measurement System
+
+ In this section, we provide an overview of the whole Measurement
+ System. New LMAP-specific terms are capitalised; Section 3 provides
+ a terminology section with a compilation of all the LMAP terms and
+ their definitions. Section 4 onwards considers the LMAP components
+ in more detail.
+
+ Other LMAP specifications will define an Information Model, the
+ associated Data Models, and select/extend one or more protocols for
+ the secure communication: firstly, a Control Protocol, for a
+ Controller to instruct Measurement Agents regarding which performance
+ Metrics to measure, when to measure them, and how/when to report the
+ measurement results to a Collector; secondly, a Report Protocol, for
+ a Measurement Agent to report the results to the Collector.
+
+ Figure 1 shows the main components of a Measurement System, and the
+ interactions of those components. Some of the components are outside
+ the scope of initial LMAP work.
+
+ The MA performs Measurement Tasks. One possibility is that the MA
+ observes existing traffic. Another possibility is for the MA to
+ generate (or receive) traffic specially created for the purpose and
+ measure some Metric associated with its transfer. Figure 1 includes
+ both possibilities (in practice, it may be more usual for an MA to do
+ one) whilst Section 6.4 shows some examples of possible arrangements
+ of the components.
+
+ The MAs are pieces of code that can be executed in specialised
+ hardware (hardware probe) or on a general-purpose device (like a PC
+ or mobile phone). A device with a Measurement Agent may have
+ multiple physical interfaces (Wi-Fi, Ethernet, DSL (Digital
+
+
+
+Eardley, et al. Informational [Page 5]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Subscriber Line); and non-physical interfaces such as PPPoE
+ (Point-to-Point Protocol over Ethernet) or IPsec) and the Measurement
+ Tasks may specify any one of these.
+
+ The Controller manages an MA through use of the Control Protocol,
+ which transfers the Instruction to the MA. This describes the
+ Measurement Tasks the MA should perform and when. For example the
+ Controller may instruct an MA at a home gateway: "Count the number of
+ TCP SYN packets observed in a 1 minute interval; repeat every hour at
+ xx.05 + Unif[0,180] seconds". The Measurement Schedule determines
+ when the Measurement Tasks are executed. The Controller also manages
+ an MA by instructing it on how to report the Measurement Results, for
+ example: "Report results once a day in a batch at 4am + Unif[0,180]
+ seconds; if the end user is active then delay the report 5 minutes."
+ The Report Schedule determines when the Reports are uploaded to the
+ Collector. The Measurement Schedule and Report Schedule can define
+ one-off (non-recurring) actions (for example, "Do measurement now",
+ "Report as soon as possible"), as well as recurring ones.
+
+ The Collector accepts a Report from an MA with the Measurement
+ Results from its Measurement Tasks. It then provides the Results to
+ a repository.
+
+ A Measurement Method defines how to measure a Metric of interest. It
+ is very useful to standardise Measurement Methods, so that it is
+ meaningful to compare measurements of the same Metric made at
+ different times and places. It is also useful to define a registry
+ for commonly used Metrics [IPPM-REG] so that a Metric and its
+ associated Measurement Method can be referred to simply by its
+ identifier in the registry. The registry will hopefully be
+ referenced by other standards organisations. The Measurement Methods
+ may be defined by the IETF, locally, or by some other standards body.
+
+ Broadly speaking there are two types of Measurement Methods. In both
+ types, a Measurement Agent measures a particular Observed Traffic
+ Flow. It may involve a single MA simply observing existing traffic
+ -- for example, the Measurement Agent could count bytes or calculate
+ the average loss for a particular flow. On the other hand, a
+ Measurement Method may observe traffic created specifically for the
+ purpose of measurement. This requires multiple network entities,
+ which perform different roles. For example, to measure the round
+ trip delay one possible Measurement Method would consist of an MA
+ sending an ICMP (Internet Control Message Protocol) ECHO request
+ ("ping") to a responder in the Internet. In LMAP terms, the
+ responder is termed a Measurement Peer (MP), meaning that it helps
+ the MA but is not managed by the Controller. Other Measurement
+ Methods involve a second MA, with the Controller instructing the MAs
+ in a coordinated manner. Traffic generated specifically as part of
+
+
+
+Eardley, et al. Informational [Page 6]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ the Measurement Method is termed Measurement Traffic; in the ping
+ example, it is the ICMP ECHO Requests and Replies. The protocols
+ used for the Measurement Traffic are out of the scope of initial LMAP
+ work and fall within the scope of other IETF WGs such as IPPM (IP
+ Performance Metrics).
+
+ A Measurement Task is the action performed by a particular MA at a
+ particular time, as the specific instance of its role in a
+ Measurement Method. LMAP is mainly concerned with Measurement Tasks,
+ for instance in terms of its Information Model and Protocols.
+
+ For Measurement Results to be truly comparable, as might be required
+ by a regulator, not only do the same Measurement Methods need to be
+ used to assess Metrics, but also the set of Measurement Tasks should
+ follow a similar Measurement Schedule and be of similar number. The
+ details of such a characterisation plan are beyond the scope of IETF
+ work, although it is certainly facilitated by the IETF's work.
+
+ Both control and report messages are transferred over a secure
+ Channel. A Control Channel is between the Controller and an MA; the
+ Control Protocol delivers Instruction Messages to the MA and
+ Capabilities, Failure, and Logging Information in the reverse
+ direction. A Report Channel is between an MA and Collector, and the
+ Report Protocol delivers Reports to the Collector.
+
+ Finally, we introduce several components that are outside the scope
+ of initial LMAP work that will be provided through existing protocols
+ or applications. They affect how the Measurement System uses the
+ Measurement Results and how it decides what set of Measurement Tasks
+ to perform. As shown in Figure 1, these components are: the
+ bootstrapper, Subscriber parameter database, data analysis tools, and
+ Results repository.
+
+ The MA needs to be bootstrapped with initial details about its
+ Controller, including authentication credentials. The LMAP work
+ considers the Bootstrap process, since it affects the Information
+ Model. However, LMAP does not define a Bootstrap protocol, since it
+ is likely to be technology specific and could be defined by the
+ Broadband Forum, CableLabs, or IEEE depending on the device.
+ Possible protocols are SNMP (Simple Network Management Protocol),
+ NETCONF (Network Configuration Protocol), or (for Home Gateways) CPE
+ WAN Management Protocol (CWMP) from the Auto Configuration Server
+ (ACS) (as specified in TR-069 [TR-069]).
+
+ A Subscriber parameter database contains information about the line,
+ such as the customer's broadband contract (perhaps 2, 40, or 80
+ Mb/s), the line technology (DSL or fibre), the time zone in which the
+ MA is located, and the type of home gateway and MA. These parameters
+
+
+
+Eardley, et al. Informational [Page 7]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ are already gathered and stored by existing operations systems. They
+ may affect the choice of what Measurement Tasks to run and how to
+ interpret the Measurement Results. For example, a download test
+ suitable for a line with an 80 Mb/s contract may overwhelm a 2 Mb/s
+ line.
+
+ A Results repository records all Measurement Results in an equivalent
+ form, for example an SQL (Structured Query Language) database, so
+ that they can easily be accessed by the data analysis tools.
+
+ The data analysis tools receive the results from the Collector or via
+ the Results repository. They might visualise the data or identify
+ which component or link is likely to be the cause of a fault or
+ degradation. This information could help the Controller decide what
+ follow-up Measurement Task to perform in order to diagnose a fault.
+ The data analysis tools also need to understand the Subscriber's
+ service information, for example, the broadband contract.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 8]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +--------+ +-----------+ +-----------+ ^
+ |End user| | | Observed | End user | |
+ | |<-----|-----------|---Traffic--->| | |
+ | | | | Flow | | |
+ | | | | | | Non-LMAP
+ | | | | Measurement | | Scope
+ | | | |<--Traffic--->| | |
+ +--------+ | | +-----------+ |
+ ................|...........|.................................V
+ <MP> |Measurement| <MP> ^
+ |Agent: | |
+ |LMAP | |
+ +----------->|interface | |
+ | +-----------+ |
+ | ^ | LMAP
+ | Instruction | | Report Scope
+ | (over Control | | (over Report Channel) |
+ | Channel) | +-----------------------+ |
+ | | | |
+ | | | |
+ | | v |
+ | +------------+ +------------+ |
+ | | Controller | | Collector | |
+ | +------------+ +------------+ v
+ | ^ ^ | ^
+ | | | | |
+ | | +--------+ | |
+ | | | v |
+ +------------+ +----------+ +--------+ +----------+ |
+ |Bootstrapper| |Subscriber|--->| data |<---| Results | Non-
+ +------------+ |parameter | |analysis| |repository| LMAP
+ |database | | tools | +----------+ Scope
+ +----------+ +--------+ |
+ |
+ v
+
+ MP: Measurement Peer
+
+ Figure 1: Schematic of main elements of an LMAP-based Measurement
+ System (showing the elements in and out of the scope of initial LMAP
+ work)
+
+3. Terminology
+
+ This section defines terminology for LMAP. Please note that defined
+ terms are capitalised throughout.
+
+
+
+
+
+Eardley, et al. Informational [Page 9]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Bootstrap: A process that integrates a Measurement Agent into a
+ Measurement System.
+
+ Capabilities: Information about the performance measurement
+ capabilities of the MA, in particular the Measurement Method roles
+ and measurement protocol roles that it can perform, and the device
+ hosting the MA, for example its interface type and speed, but not
+ dynamic information.
+
+ Channel: A bidirectional logical connection that is defined by a
+ specific Controller and MA, or Collector and MA, plus associated
+ security.
+
+ Collector: A function that receives a Report from an MA.
+
+ Configuration: A process for informing the MA about its MA-ID,
+ (optional) Group-ID, and Control Channel.
+
+ Controller: A function that provides a Measurement Agent with its
+ Instruction.
+
+ Control Channel: A Channel between a Controller and an MA over which
+ Instruction Messages and Capabilities, Failure, and Logging
+ Information are sent.
+
+ Control Protocol: The protocol delivering Instruction(s) from a
+ Controller to a Measurement Agent. It also delivers Capabilities,
+ Failure, and Logging Information from the Measurement Agent to the
+ Controller. It can also be used to update the MA's Configuration.
+ It runs over the Control Channel.
+
+ Cycle-ID: A tag that is sent by the Controller in an Instruction and
+ echoed by the MA in its Report. The same Cycle-ID is used by several
+ MAs that use the same Measurement Method for a Metric with the same
+ Input Parameters. Hence, the Cycle-ID allows the Collector to easily
+ identify Measurement Results that should be comparable.
+
+ Data Model: The implementation of an Information Model in a
+ particular data modelling language [RFC3444].
+
+ Environmental Constraint: A parameter that is measured as part of the
+ Measurement Task, its value determining whether the rest of the
+ Measurement Task proceeds.
+
+ Failure Information: Information about the MA's failure to take
+ action or execute an Instruction, whether concerning Measurement
+ Tasks or Reporting.
+
+
+
+
+Eardley, et al. Informational [Page 10]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Group-ID: An identifier of a group of MAs.
+
+ Information Model: The protocol-neutral definition of the semantics
+ of the Instructions, the Report, the status of the different elements
+ of the Measurement System, as well of the events in the system
+ [RFC3444].
+
+ Input Parameter: A parameter whose value is left open by the Metric
+ and its Measurement Method and is set to a specific value in a
+ Measurement Task. Altering the value of an Input Parameter does not
+ change the fundamental nature of the Measurement Task.
+
+ Instruction: The description of Measurement Tasks for an MA to
+ perform and the details of the Report for it to send. It is the
+ collective description of the Measurement Task configurations, the
+ configuration of the Measurement Schedules, the configuration of the
+ Report Channel(s), the configuration of Report Schedule(s), and the
+ details of any Suppression.
+
+ Instruction Message: The message that carries an Instruction from a
+ Controller to a Measurement Agent.
+
+ Logging Information: Information about the operation of the
+ Measurement Agent, which may be useful for debugging.
+
+ Measurement Agent (MA): The function that receives Instruction
+ Messages from a Controller and operates the Instruction by executing
+ Measurement Tasks (using protocols outside the scope of the initial
+ LMAP work and perhaps in concert with one or more other Measurement
+ Agents or Measurement Peers) and (if part of the Instruction) by
+ reporting Measurement Results to a Collector or Collectors.
+
+ Measurement Agent Identifier (MA-ID): a Universally Unique IDentifier
+ [RFC4122] that identifies a particular MA and is configured as part
+ of the Bootstrapping process.
+
+ Measurement Method: The process for assessing the value of a Metric;
+ the process of measuring some performance or reliability Metric
+ associated with the transfer of traffic.
+
+ Measurement Peer (MP): The function that assists a Measurement Agent
+ with Measurement Tasks and does not have an interface to the
+ Controller or Collector.
+
+ Measurement Result: The output of a single Measurement Task (the
+ value obtained for the Metric).
+
+ Measurement Schedule: The schedule for performing Measurement Tasks.
+
+
+
+Eardley, et al. Informational [Page 11]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Measurement System: The set of LMAP-defined and related components
+ that are operated by a single organisation, for the purpose of
+ measuring performance aspects of the network.
+
+ Measurement Task: The action performed by a particular Measurement
+ Agent that consists of the single assessment of a Metric through
+ operation of a Measurement Method role at a particular time, with all
+ of the role's Input Parameters set to specific values.
+
+ Measurement Traffic: the packet(s) generated by some types of
+ Measurement Method that involve measuring some parameter associated
+ with the transfer of the packet(s).
+
+ Metric: The quantity related to the performance and reliability of
+ the network that we'd like to know the value of.
+
+ Observed Traffic Flow: In RFC 7011 [RFC7011], a Traffic Flow (or
+ Flow) is defined as "a set of packets or frames passing an
+ Observation Point in the network during a certain time interval. All
+ packets belonging to a particular Flow have a set of common
+ properties," such as packet header fields, characteristics, and
+ treatments. A Flow measured by the LMAP system is termed an Observed
+ Traffic Flow. Its properties are summarised and tabulated in
+ Measurement Results (as opposed to raw capture and export).
+
+ Report: The set of Measurement Results and other associated
+ information (as defined by the Instruction). The Report is sent by a
+ Measurement Agent to a Collector.
+
+ Report Channel: A Channel between a Collector and an MA over which
+ Report messages are sent.
+
+ Report Protocol: The protocol delivering Report(s) from a Measurement
+ Agent to a Collector. It runs over the Report Channel.
+
+ Report Schedule: The schedule for sending Reports to a Collector.
+
+ Subscriber: An entity (associated with one or more users) that is
+ engaged in a subscription with a service provider.
+
+ Suppression: The temporary cessation of Measurement Tasks.
+
+4. Constraints
+
+ The LMAP framework makes some important assumptions, which constrain
+ the scope of the initial LMAP work.
+
+
+
+
+
+Eardley, et al. Informational [Page 12]
+
+RFC 7594 LMAP Framework September 2015
+
+
+4.1. The Measurement System Is Under the Direction of a Single
+ Organisation
+
+ In the LMAP framework, the Measurement System is under the direction
+ of a single organisation that is responsible for any impact that its
+ measurements have on a user's quality of experience and privacy.
+ Clear responsibility is critical given that a misbehaving large-scale
+ Measurement System could potentially harm user experience, user
+ privacy, and network security.
+
+ However, the components of an LMAP Measurement System can be deployed
+ in administrative domains that are not owned by the measuring
+ organisation. Thus, the system of functions deployed by a single
+ organisation constitutes a single LMAP domain, which may span
+ ownership or other administrative boundaries.
+
+4.2. Each MA May Only Have a Single Controller at Any Point in Time
+
+ An MA is instructed by one Controller and is in one Measurement
+ System. The constraint avoids different Controllers giving an MA
+ conflicting instructions and so means that the MA does not have to
+ manage contention between multiple Measurement (or Report) Schedules.
+ This simplifies the design of MAs (critical for a large-scale
+ infrastructure) and allows a Measurement Schedule to be tested on
+ specific types of MAs before deployment to ensure that the end-user
+ experience is not impacted (due to CPU, memory, or broadband-product
+ constraints). However, a Measurement System may have several
+ Controllers.
+
+5. Protocol Model
+
+ A protocol model [RFC4101] presents an architectural model for how
+ the protocol operates and needs to answer three basic questions:
+
+ 1. What problem is the protocol trying to address?
+
+ 2. What messages are being transmitted and what do they mean?
+
+ 3. What are the important, but not obvious [sic], features of the
+ protocol?
+
+ An LMAP system goes through the following phases:
+
+ o a Bootstrapping process before the MA can take part in the other
+ three phases.
+
+ o a Control Protocol, which delivers Instruction Messages from a
+ Controller to an MA (amongst other things).
+
+
+
+Eardley, et al. Informational [Page 13]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o the actual Measurement Tasks, which measure some performance or
+ reliability Metric(s) associated with the transfer of packets.
+
+ o a Report Protocol, which delivers Reports containing the
+ Measurement Results from an MA to a Collector.
+
+ The figures show the various LMAP messages and use the following
+ conventions:
+
+ o (optional): indicated by round brackets
+
+ o [potentially repeated]: indicated by square brackets
+
+ The protocol model is closely related to the Information Model
+ [LMAP-INFO], which is the abstract definition of the information
+ carried by the protocol. (If there is any difference between this
+ document and the Information Model, the latter is definitive.) The
+ purpose of both is to provide a protocol and device-independent view,
+ which can be implemented via specific protocols. LMAP defines a
+ specific Control Protocol and Report Protocol, but others could be
+ defined by other standards bodies or be proprietary. However, it is
+ important that they all implement the same Information Model and
+ protocol model, in order to ease the definition, operation, and
+ interoperability of large-scale Measurement Systems.
+
+5.1. Bootstrapping Process
+
+ The primary purpose of Bootstrapping is to enable an MA to be
+ integrated into a Measurement System. The MA retrieves information
+ about itself (like its identity in the Measurement System) and about
+ the Controller, the Controller learns information about the MA, and
+ they learn about security information to communicate (such as
+ certificates and credentials).
+
+ Whilst this memo considers the Bootstrapping process, it is beyond
+ the scope of initial LMAP work to define a Bootstrap mechanism, as it
+ depends on the type of device and access.
+
+ As a result of the Bootstrapping process, the MA learns the following
+ information ([LMAP-INFO] defines the consequent list of information
+ elements):
+
+ o its identifier, either its MA-ID or a device identifier such as
+ one of its Media Access Control (MAC) addresses or both.
+
+ o (optionally) a Group-ID, shared by several MAs and could be useful
+ for privacy reasons. For instance, reporting the Group-ID and not
+ the MA-ID could hinder tracking of a mobile device.
+
+
+
+Eardley, et al. Informational [Page 14]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o the Control Channel, which is defined by:
+
+ * the address that identifies the Control Channel, such as the
+ Controller's FQDN (Fully Qualified Domain Name) [RFC1035]).
+
+ * security information (for example, to enable the MA to decrypt
+ the Instruction Message and encrypt messages sent to the
+ Controller).
+
+ The details of the Bootstrapping process are device/access specific.
+ For example, the information could be in the firmware, manually
+ configured, or transferred via a protocol like that described in
+ TR-069 [TR-069]. There may be a multi-stage process where the MA
+ contacts a 'hard-coded' address, which replies with the Bootstrapping
+ information.
+
+ The MA must learn its MA-ID before getting an Instruction, either
+ during Bootstrapping or via Configuration (Section 5.2.1).
+
+5.2. Control Protocol
+
+ The primary purpose of the Control Protocol is to allow the
+ Controller to configure a Measurement Agent with an Instruction about
+ what Measurement Tasks to do, when to do them, and how to report the
+ Measurement Results (Section 5.2.2). The Measurement Agent then acts
+ on the Instruction autonomously. The Control Protocol also enables
+ the MA to inform the Controller about its Capabilities and any
+ Failure and Logging Information (Section 5.2.3). Finally, the
+ Control Protocol allows the Controller to update the MA's
+ Configuration.
+
+5.2.1. Configuration
+
+ Configuration allows the Controller to update the MA about some or
+ all of the information that it obtained during the Bootstrapping
+ process: the MA-ID, the (optional) Group-ID, and the Control Channel.
+ Figure 2 outlines the Configuration process. The Measurement System
+ might use Configuration for several reasons. For example, the
+ Bootstrapping process could 'hard code' the MA with details of an
+ initial Controller, and then the initial Controller could configure
+ the MA with details about the Controller that sends Instruction
+ Messages. (Note that an MA only has one Control Channel, so it is
+ associated with only one Controller, at any moment.)
+
+ Note that an implementation may choose to combine Configuration
+ information and an Instruction Message into a single message.
+
+
+
+
+
+Eardley, et al. Informational [Page 15]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +-----------------+ +-------------+
+ | | | Measurement |
+ | Controller |===================================| Agent |
+ +-----------------+ +-------------+
+
+ Configuration information: ->
+ (MA-ID),
+ (Group-ID),
+ (Control Channel)
+ <- Response(details)
+
+ MA: Measurement Agent
+
+ Figure 2: Outline of Configuration
+
+5.2.2. Instruction
+
+ The Instruction is the description of the Measurement Tasks for a
+ Measurement Agent to do and the details of the Measurement Reports
+ for it to send. Figure 3 outlines the Instruction process. In order
+ to update the Instruction, the Controller uses the Control Protocol
+ to send an Instruction Message over the Control Channel.
+
+ +-----------------+ +-------------+
+ | | | Measurement |
+ | Controller |===================================| Agent |
+ +-----------------+ +-------------+
+
+ Instruction: ->
+ [(Measurement Task configuration
+ URI of Metric(
+ [Input Parameter],
+ (role)
+ (interface),
+ (Cycle-ID)
+ (measurement point)),
+ (Report Channel),
+ (Schedule),
+ (Suppression information)]
+ <- Response(details)
+
+ Figure 3: Outline of Instruction
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 16]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ The Instruction defines the following information ([LMAP-INFO]
+ defines the consequent list of information elements):
+
+ o the Measurement Task configurations, each of which needs:
+
+ * the Metric, specified as a URI to a registry entry; it includes
+ the specification of a Measurement Method. The registry could
+ be defined by a standards organisation or locally by the
+ operator of the Measurement System. Note that, at the time of
+ writing, the IETF is working on such a registry specification
+ [IPPM-REG].
+
+ * the Measurement Method role. For some Measurement Methods,
+ different parties play different roles; for example, an iperf
+ sender and receiver (see Section 6.4). Each Metric and its
+ associated Measurement Method will describe all measurement
+ roles involved in the process.
+
+ * a boolean flag (suppress or do-not-suppress) indicating if such
+ a Measurement Task is impacted by a Suppression message (see
+ Section 5.2.2.1). Thus, the flag is an Input Parameter.
+
+ * any Input Parameters that need to be set for the Metric and the
+ Measurement Method. For example, the address of a Measurement
+ Peer (or other Measurement Agent) that may be involved in a
+ Measurement Task, or traffic filters associated with the
+ Observed Traffic Flow.
+
+ * the interface to use (if not defined, then the default
+ interface is used), if the device with the MA has multiple
+ interfaces.
+
+ * optionally, a Cycle-ID.
+
+ * optionally, the measurement point designation [RFC7398] of the
+ MA and, if applicable, of the MP or other MA. This can be
+ useful for reporting.
+
+ o configuration of the Schedules, each of which needs:
+
+ * the timing of when the Measurement Tasks are to be performed or
+ the Measurement Reports are to be sent. Possible types of
+ timing are periodic, calendar-based periodic, one-off
+ immediate, and one-off at a future time.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 17]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o configuration of the Report Channel(s), each of which needs:
+
+ * the address of the Collector, for instance its URL.
+
+ * security for this Report Channel, for example, the X.509
+ certificate.
+
+ o Suppression information, if any (see Section 5.2.2.1).
+
+ A single Instruction Message may contain some or all of the above
+ parts. The finest level of granularity possible in an Instruction
+ Message is determined by the implementation and operation of the
+ Control Protocol. For example, a single Instruction Message may add
+ or update an individual Measurement Schedule -- or it may only update
+ the complete set of Measurement Schedules; a single Instruction
+ Message may update both Measurement Schedules and Measurement Task
+ configurations -- or only one at a time; and so on. However,
+ Suppression information always replaces (rather than adds to) any
+ previous Suppression information.
+
+ The MA informs the Controller that it has successfully understood the
+ Instruction Message, or that it cannot take action on the Instruction
+ -- for example, if it doesn't include a parameter that is mandatory
+ for the requested Metric and Measurement Method, or if it is missing
+ details of the target Collector.
+
+ The Instruction Message instructs the MA; the Control Protocol does
+ not allow the MA to negotiate, as this would add complexity to the
+ MA, Controller, and Control Protocol for little benefit.
+
+5.2.2.1. Suppression
+
+ The Instruction may include Suppression information. The main
+ motivation for Suppression is to enable the Measurement System to
+ eliminate Measurement Traffic, because there is some unexpected
+ network issue, for example. There may be other circumstances when
+ Suppression is useful, for example, to eliminate inessential
+ Reporting traffic (even if there is no Measurement Traffic).
+ Figure 4 outlines the Suppression process.
+
+ The Suppression information may include any of the following optional
+ fields:
+
+ o a set of Measurement Tasks to suppress; the others are not
+ suppressed. For example, this could be useful if a particular
+ Measurement Task is overloading a Measurement Peer with
+ Measurement Traffic.
+
+
+
+
+Eardley, et al. Informational [Page 18]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o a set of Measurement Schedules to suppress; the others are not
+ suppressed. For example, suppose the Measurement System has
+ defined two Schedules, one with the most critical Measurement
+ Tasks and the other with less critical ones that create a lot of
+ Measurement Traffic, in which case it may only want to suppress
+ the second.
+
+ o a set of Reporting Schedules to suppress; the others are not
+ suppressed. This can be particularly useful in the case of a
+ Measurement Method that doesn't generate Measurement Traffic; it
+ may need to continue observing traffic flows but temporarily
+ suppress Reports due to the network footprint of the Reports.
+
+ o if all the previous fields are included then the MA suppresses the
+ union -- in other words, it suppresses the set of Measurement
+ Tasks, the set of Measurement Schedules, and the set of Reporting
+ Schedules.
+
+ o if the Suppression information includes neither a set of
+ Measurement Tasks nor a set of Measurement Schedules, then the MA
+ does not begin new Measurement Tasks that have the boolean flag
+ set to suppress; however, the MA does begin new Measurement Tasks
+ that have the flag set to do-not-suppress.
+
+ o a start time, at which Suppression begins. If absent, then
+ Suppression begins immediately.
+
+ o an end time, at which Suppression ends. If absent, then
+ Suppression continues until the MA receives an Un-suppress
+ message.
+
+ o a demand that the MA immediately end on-going Measurement Task(s)
+ that are tagged for Suppression. (Most likely it is appropriate
+ to delete the associated partial Measurement Result(s).) This
+ could be useful in the case of a network emergency so that the
+ operator can eliminate all inessential traffic as rapidly as
+ possible. If absent, the MA completes on-going Measurement Tasks.
+
+ An Un-suppress message instructs the MA to no longer suppress,
+ meaning that the MA once again begins new Measurement Tasks,
+ according to its Measurement Schedule.
+
+ Note that Suppression is not intended to permanently stop a
+ Measurement Task (instead, the Controller should send a new
+ Measurement Schedule), nor to permanently disable an MA (instead,
+ some kind of management action is suggested).
+
+
+
+
+
+Eardley, et al. Informational [Page 19]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +-----------------+ +-------------+
+ | | | Measurement |
+ | Controller |==============================| Agent |
+ +-----------------+ +-------------+
+
+ Suppress:
+ [(Measurement Task), ->
+ (Measurement Schedule),
+ (start time),
+ (end time),
+ (on-going suppressed?)]
+
+ Un-suppress ->
+
+ Figure 4: Outline of Suppression
+
+5.2.3. Capabilities, Failure, and Logging Information
+
+ The Control Protocol also enables the MA to inform the Controller
+ about various information, such as its Capabilities and any Failures.
+ Figure 5 outlines the process for Capabilities, Failure, and Logging
+ Information. It is also possible to use a device-specific mechanism,
+ which is beyond the scope of the initial LMAP work.
+
+ Capabilities are information about the MA that the Controller needs
+ to know in order to correctly instruct the MA, such as:
+
+ o the Measurement Method (roles) that the MA supports.
+
+ o the measurement protocol types and roles that the MA supports.
+
+ o the interfaces that the MA has.
+
+ o the version of the MA.
+
+ o the version of the hardware, firmware, or software of the device
+ with the MA.
+
+ o its Instruction (this could be useful if the Controller thinks
+ something has gone wrong and wants to check what Instruction the
+ MA is using).
+
+ o but not dynamic information like the currently unused CPU, memory,
+ or battery life of the device with the MA.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 20]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Failure Information concerns why the MA has been unable to execute a
+ Measurement Task or deliver a Report, for example:
+
+ o the Measurement Task failed to run properly because the MA
+ (unexpectedly) has no spare CPU cycles.
+
+ o the MA failed to record the Measurement Results because it
+ (unexpectedly) is out of spare memory.
+
+ o a Report failed to deliver Measurement Results because the
+ Collector (unexpectedly) is not responding.
+
+ o but not if a Measurement Task correctly doesn't start. For
+ example, the first step of some Measurement Methods is for the MA
+ to check that there is no cross-traffic.
+
+ Logging Information concerns how the MA is operating and may help
+ debugging, for example:
+
+ o the last time the MA ran a Measurement Task.
+
+ o the last time the MA sent a Measurement Report.
+
+ o the last time the MA received an Instruction Message.
+
+ o whether the MA is currently suppressing Measurement Tasks.
+
+ Capabilities, Failure, and Logging Information are sent by the MA,
+ either in response to a request from the Controller (for example, if
+ the Controller forgets what the MA can do or otherwise wants to
+ resynchronise what it knows about the MA), or on its own initiative
+ (for example, when the MA first communicates with a Controller or if
+ it becomes capable of a new Measurement Method). Another example of
+ the latter case is if the device with the MA re-boots, then the MA
+ should notify its Controller in case its Instruction needs to be
+ updated; to avoid a "mass calling event" after a widespread power
+ restoration affecting many MAs, it is sensible for an MA to pause for
+ a random delay, perhaps in the range of one minute or so.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 21]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +-----------------+ +-------------+
+ | | | Measurement |
+ | Controller |==================================| Agent |
+ +-----------------+ +-------------+
+
+ (Request Capabilities),
+ (Request Failure Information),
+ (Request Logging Information),
+ (Request Instruction) ->
+ <- (Capabilities),
+ (Failure Information),
+ (Logging Information),
+ (Instruction)
+
+ Figure 5: Outline of Capabilities, Failure, and Logging Information
+
+5.3. Operation of Measurement Tasks
+
+ This LMAP framework is neutral to what the actual Measurement Task
+ is. It does not define Metrics and Measurement Methods; these are
+ defined elsewhere.
+
+ The MA carries out the Measurement Tasks as instructed, unless it
+ gets an updated Instruction. The MA acts autonomously, in terms of
+ operation of the Measurement Tasks and reporting of the Results; it
+ doesn't do a 'safety check' with the Controller to ask whether it
+ should still continue with the requested Measurement Tasks.
+
+ The MA may operate Measurement Tasks sequentially or in parallel (see
+ Section 5.3.2).
+
+5.3.1. Starting and Stopping Measurement Tasks
+
+ This LMAP framework does not define a generic start and stop process,
+ since the correct approach depends on the particular Measurement
+ Task; the details are defined as part of each Measurement Method.
+ This section provides some general hints. The MA does not inform the
+ Controller about Measurement Tasks starting and stopping.
+
+ Before beginning a Measurement Task, the MA may want to run a
+ pre-check. (The pre-check could be defined as a separate, preceding
+ Task or as the first part of a larger Task.)
+
+ For Measurement Tasks that observe existing traffic, action could
+ include:
+
+ o checking that there is traffic of interest.
+
+
+
+
+Eardley, et al. Informational [Page 22]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o checking that the device with the MA has enough resources to
+ execute the Measurement Task reliably. Note that the designer of
+ the Measurement System should ensure that the device's resources
+ are normally sufficient to comfortably operate the Measurement
+ Tasks.
+
+ For Measurement Tasks that generate Measurement Traffic, a pre-check
+ could include:
+
+ o the MA checking that there is no cross-traffic. In other words, a
+ check that the end-user isn't already sending traffic.
+
+ o the MA checking with the Measurement Peer (or other Measurement
+ Agent) involved in the Measurement Task that it can handle a new
+ Measurement Task. For example, the Measurement Peer may already
+ be handling many Measurement Tasks with other MAs.
+
+ o sending traffic that probes the path to check it isn't overloaded.
+
+ o checking that the device with the MA has enough resources to
+ execute the Measurement Task reliably.
+
+ Similar checks may continue during the Measurement Task, in
+ particular for a Measurement Task that is long-running and/or creates
+ a lot of Measurement Traffic. If, for example, the check detects
+ that the end-user has started sending traffic, then the Measurement
+ Task can be abandoned. A Measurement Task could also be abandoned in
+ response to a "suppress" message (see Section 5.2.2.1). Action could
+ include:
+
+ o for 'upload' tests, the MA not sending traffic.
+
+ o for 'download' tests, the MA closing the TCP connection or sending
+ a TWAMP (Two-Way Active Measurement Protocol) Stop-Sessions
+ command [RFC5357].
+
+ The Controller may want an MA to run the same Measurement Task
+ indefinitely (for example, "run the 'upload speed' Measurement Task
+ once an hour until further notice"). To prevent the MA continuously
+ generating traffic after a Controller has permanently failed (or
+ communications with the Controller have failed), the MA can be
+ configured with a time limit; if the MA doesn't hear from the
+ Controller for this length of time, then it stops operating
+ Measurement Tasks.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 23]
+
+RFC 7594 LMAP Framework September 2015
+
+
+5.3.2. Overlapping Measurement Tasks
+
+ An MA may start a new Measurement Task before another Measurement
+ Task has completed. This may be intentional (the way that the
+ Measurement System has designed the Measurement Schedules), but it
+ could also be unintentional -- for instance, if a Measurement Task
+ has a 'wait for X' step that pauses for an unexpectedly long time.
+ This document makes no assumptions about the impact of one
+ Measurement Task on another.
+
+ The operator of the Measurement System can handle (or not)
+ overlapping Measurement Tasks in any way they choose -- it is a
+ policy or implementation issue and not the concern of LMAP. Some
+ possible approaches are: to configure the MA to not begin the second
+ Measurement Task; to start the second Measurement Task as usual; for
+ the action to be an Input Parameter of the Measurement Task; and so
+ on.
+
+ It may be important for the Measurement Report to include the fact
+ that the Measurement Tasks overlapped.
+
+5.4. Report Protocol
+
+ The primary purpose of the Report Protocol is to allow a Measurement
+ Agent to report its Measurement Results to a Collector, along with
+ the context in which they were obtained. Figure 6 outlines the
+ Report process.
+
+ +-----------------+ +-------------+
+ | | | Measurement |
+ | Collector |==================================| Agent |
+ +-----------------+ +-------------+
+
+ <- Report:
+ [MA-ID &/or Group-ID],
+ [Measurement Result],
+ [details of Measurement Task],
+ (Cycle-ID)
+ ACK ->
+
+ MA: Measurement Agent
+
+ Figure 6: Outline of the Report
+
+ The Report contains:
+
+ o the MA-ID or a Group-ID (to anonymise results).
+
+
+
+
+Eardley, et al. Informational [Page 24]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o the actual Measurement Results, including the time they were
+ measured. In general, the time is simply the MA's best estimate
+ and there is no guarantee on the accuracy or granularity of the
+ information. It is possible that some specific analysis of a
+ particular Measurement Method's Results will impose timing
+ requirements.
+
+ o the details of the Measurement Task (to avoid the Collector having
+ to ask the Controller for this information later), for example,
+ the interface used for the measurements.
+
+ o the Cycle-ID, if one was included in the Instruction.
+
+ o perhaps the Subscriber's service parameters (see Section 5.4.1).
+
+ o the measurement point designation of the MA and, if applicable,
+ the MP or other MA, if the information was included in the
+ Instruction. This numbering system is defined in [RFC7398] and
+ allows a Measurement Report to describe the path measured
+ abstractly (for example, "from a measurement agent at a home
+ gateway to a measurement peer at a DSLAM"). Also, the MA can
+ anonymise results by including measurement point designations
+ instead of IP addresses (Section 8.6.2).
+
+ The MA sends Reports as defined by the Instruction. The Instruction
+ may tell the MA to report the same Results to more than one
+ Collector, or to report a different subset of Results to different
+ Collectors. Also, a Measurement Task may create two (or more)
+ Measurement Results, which could be reported differently (for
+ example, one Result could be reported periodically, whilst the second
+ Result could be an alarm that is created as soon as the measured
+ value of the Metric crosses a threshold and that is reported
+ immediately).
+
+ Optionally, a Report is not sent when there are no Measurement
+ Results.
+
+ In the initial LMAP Information Model and Report Protocol, for
+ simplicity we assume that all Measurement Results are reported as-is,
+ but allow extensibility so that a Measurement System (or perhaps a
+ second phase of LMAP) could allow an MA to:
+
+ o label, or perhaps not include, Measurement Results impacted by,
+ for instance, cross-traffic or a Measurement Peer (or other
+ Measurement Agent) being busy.
+
+ o label Measurement Results obtained by a Measurement Task that
+ overlapped with another.
+
+
+
+Eardley, et al. Informational [Page 25]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o not report the Measurement Results if the MA believes that they
+ are invalid.
+
+ o detail when Suppression started and ended.
+
+ As discussed in Section 6.1, data analysis of the Results should
+ carefully consider potential bias from any Measurement Results that
+ are not reported, or from Measurement Results that are reported but
+ may be invalid.
+
+5.4.1. Reporting of the Subscriber's Service Parameters
+
+ The Subscriber's service parameters are information about his/her
+ broadband contract, line rate and so on. Such information is likely
+ to be needed to help analyse the Measurement Results, for example to
+ help decide whether the measured download speed is reasonable.
+
+ The information could be transferred directly from the Subscriber
+ parameter database to the data analysis tools. If the Subscriber's
+ service parameters are available to the MAs, they could be reported
+ with the Measurement Results in the Report Protocol. How (and if)
+ the MA knows such information is likely to depend on the device type.
+ The MA could either include the information in a Measurement Report
+ or separately.
+
+5.5. Operation of LMAP over the Underlying Packet Transfer Mechanism
+
+ The above sections have described LMAP's protocol model. Other
+ specifications will define the actual Control and Report Protocols,
+ possibly operating over an existing protocol, such as REST-style
+ [REST] HTTP(S). It is also possible that a different choice is made
+ for the Control and Report Protocols, for example NETCONF-YANG
+ [RFC6241] and IPFIX (Internet Protocol Flow Information Export)
+ [RFC7011], respectively.
+
+ From an LMAP perspective, the Controller needs to know that the MA
+ has received the Instruction Message, or at least that it needs to be
+ re-sent as it may have failed to be delivered. Similarly the MA
+ needs to know about the delivery of Capabilities, Failure, and
+ Logging Information to the Controller and Reports to the Collector.
+ How this is done depends on the design of the Control and Report
+ Protocols and the underlying packet transfer mechanism.
+
+ For the Control Protocol, the underlying packet transfer mechanism
+ could be:
+
+ o a 'push' protocol (that is, from the Controller to the MA).
+
+
+
+
+Eardley, et al. Informational [Page 26]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o a multicast protocol (from the Controller to a group of MAs).
+
+ o a 'pull' protocol. The MA periodically checks with Controller if
+ the Instruction has changed and pulls a new Instruction if
+ necessary. A pull protocol seems attractive for an MA behind a
+ NAT or firewall (as is typical for an MA on an end-user's device)
+ so that it can initiate the communications. It also seems
+ attractive for an MA on a mobile device, where the Controller
+ might not know how to reach the MA. A pull mechanism is likely to
+ require that the MA be configured with how frequently it should
+ check in with the Controller, and perhaps what it should do if the
+ Controller is unreachable after a certain number of attempts.
+
+ o a hybrid protocol. In addition to a pull protocol, the Controller
+ can also push an alert to the MA that it should immediately pull a
+ new Instruction.
+
+ For the Report Protocol, the underlying packet transfer mechanism
+ could be:
+
+ o a 'push' protocol (that is, from the MA to the Collector)
+
+ o perhaps supplemented by the ability for the Collector to 'pull'
+ Measurement Results from an MA.
+
+5.6. Items beyond the Scope of the Initial LMAP Work
+
+ There are several potential interactions between LMAP elements that
+ are beyond the scope of the initial LMAP work, which are as follows:
+
+ 1. It does not define a coordination process between MAs. Whilst a
+ Measurement System may define coordinated Measurement Schedules
+ across its various MAs, there is no direct coordination between
+ MAs.
+
+ 2. It does not define interactions between the Collector and
+ Controller. It is quite likely that there will be such
+ interactions, optionally intermediated by the data analysis
+ tools. For example, if there is an "interesting" Measurement
+ Result, then the Measurement System may want to trigger extra
+ Measurement Tasks that explore the potential cause in more
+ detail; or if the Collector unexpectedly does not hear from an
+ MA, then the Measurement System may want to trigger the
+ Controller to send a fresh Instruction Message to the MA.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 27]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ 3. It does not define coordination between different Measurement
+ Systems. For example, it does not define the interaction of an
+ MA in one Measurement System with a Controller or Collector in a
+ different Measurement System. Whilst it is likely that the
+ Control and Report Protocols could be re-used or adapted for this
+ scenario, any form of coordination between different
+ organisations involves difficult commercial and technical issues
+ and so, given the novelty of large-scale measurement efforts, any
+ form of inter-organisation coordination is outside the scope of
+ the initial LMAP work. Note that a single MA is instructed by a
+ single Controller and is only in one Measurement System.
+
+ * An interesting scenario is where a home contains two
+ independent MAs, for example one controlled by a regulator and
+ one controlled by an ISP. Then the Measurement Traffic of one
+ MA is treated by the other MA just like any other end-user
+ traffic.
+
+ 4. It does not consider how to prevent a malicious party "gaming the
+ system". For example, where a regulator is running a Measurement
+ System in order to benchmark operators, a malicious operator
+ could try to identify the broadband lines that the regulator was
+ measuring and prioritise that traffic. It is assumed that this
+ is a policy issue and would be dealt with through a code of
+ conduct for instance.
+
+ 5. It does not define how to analyse Measurement Results, including
+ how to interpret missing Results.
+
+ 6. It does not specifically define a end-user-controlled Measurement
+ System, see Section 5.6.1.
+
+5.6.1. End-User-Controlled Measurement System
+
+ This framework concentrates on the cases where an ISP or a regulator
+ runs the Measurement System. However, we expect that LMAP
+ functionality will also be used in the context of an end-user-
+ controlled Measurement System. There are at least two ways this
+ could happen (they have various pros and cons):
+
+ 1. an end-user could somehow request the ISP-run (or regulator-run)
+ Measurement System to test his/her line. The ISP (or regulator)
+ Controller would then send an Instruction to the MA in the usual
+ LMAP way.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 28]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ 2. an end-user could deploy their own Measurement System, with their
+ own MA, Controller, and Collector. For example, the user could
+ implement all three functions onto the same end-user-owned end
+ device, perhaps by downloading the functions from the ISP or
+ regulator. Then the LMAP Control and Report Protocols do not
+ need to be used, but using LMAP's Information Model would still
+ be beneficial. A Measurement Peer (or other MA involved in a
+ Measurement Task) could be in the home gateway or outside the
+ home network; in the latter case, the Measurement Peer is highly
+ likely to be run by a different organisation, which raises extra
+ privacy considerations.
+
+ In both cases, there will be some way for the end-user to initiate
+ the Measurement Task(s). The mechanism is outside the scope of the
+ initial LMAP work, but could include the user clicking a button on a
+ GUI or sending a text message. Presumably the user will also be able
+ to see the Measurement Results, perhaps summarised on a webpage. It
+ is suggested that these interfaces conform to the LMAP guidance on
+ privacy in Section 8.
+
+6. Deployment Considerations
+
+6.1. Controller and the Measurement System
+
+ The Controller should understand both the MA's LMAP Capabilities (for
+ example, what Metrics and Measurement Methods it can perform) and the
+ MA's other capabilities like processing power and memory. This
+ allows the Controller to ensure that the Measurement Schedule of
+ Measurement Tasks and the Reporting Schedule are sensible for each MA
+ that it instructs.
+
+ An Instruction is likely to include several Measurement Tasks.
+ Typically these run at different times, but it is also possible for
+ them to run at the same time. Some Tasks may be compatible in that
+ they do not affect each other's Results, whilst with others great
+ care would need to be taken. Some Tasks may be complementary. For
+ example, one Task may be followed by a traceroute Task to the same
+ destination address, in order to learn the network path that was
+ measured.
+
+ The Controller should ensure that the Measurement Tasks do not have
+ an adverse effect on the end user. Tasks, especially those that
+ generate a substantial amount of Measurement Traffic, will often
+ include a pre-check that the user isn't already sending traffic
+ (Section 5.3.1). Another consideration is whether Measurement
+ Traffic will impact a Subscriber's bill or traffic cap.
+
+
+
+
+
+Eardley, et al. Informational [Page 29]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ A Measurement System may have multiple Controllers (but note the
+ overriding principle that a single MA be instructed by a single
+ Controller at any point in time (Section 4.2)). For example, there
+ could be different Controllers for different types of MA (for
+ example, home gateways, tablets) or locations (for example, Ipswich,
+ Edinburgh, Paris), for load balancing or to cope with failure of one
+ Controller.
+
+ The measurement system also needs to consider carefully how to
+ interpret missing Results. The correct interpretation depends on why
+ the Results are missing (perhaps related to measurement Suppression
+ or delayed Report submission) and potentially on the specifics of the
+ Measurement Task and Measurement Schedule. For example, an Observed
+ Traffic Flow may be empty, but the Measurement Report may still be
+ sent according to the Report Schedule.
+
+6.2. Measurement Agent
+
+ The MA should be cautious about resuming Measurement Tasks if it
+ reboots or has been offline for some time, as its Instruction may be
+ stale. In the former case, it also needs to ensure that its clock
+ has reset correctly, so that it interprets the Schedule correctly.
+
+ If the MA runs out of storage space for Measurement Results or can't
+ contact the Controller, then the appropriate action is specific to
+ the device and Measurement System.
+
+ The Measurement Agent could take a number of forms. For example, an
+ MA could be a dedicated probe or software on a PC; it could also be
+ embedded into an appliance or even embedded into a gateway. A single
+ site (for example, home, branch office, etc.) that is participating
+ in a measurement could make use of one or multiple Measurement Agents
+ or Measurement Peers in a single measurement.
+
+ The Measurement Agent could be deployed in a variety of locations.
+ Not all deployment locations are available to every kind of
+ Measurement Agent. There are also a variety of limitations and
+ trade-offs depending on the final placement. The next sections
+ outline some of the locations a Measurement Agent may be deployed.
+ This is not an exhaustive list and combinations may also apply.
+
+6.2.1. Measurement Agent on a Networked Device
+
+ An MA may be embedded on a device that is directly connected to the
+ network, such as an MA on a smartphone. Other examples include an MA
+ downloaded and installed on a subscriber's laptop computer or tablet
+ when the network service is provided on wired or other wireless radio
+ technologies, such as Wi-Fi.
+
+
+
+Eardley, et al. Informational [Page 30]
+
+RFC 7594 LMAP Framework September 2015
+
+
+6.2.2. Measurement Agent Embedded in a Site Gateway
+
+ One of the better places the Measurement Agent could be deployed is
+ embedded within the site gateway (for example, a home router or the
+ edge router of a branch office in a managed service environment).
+ All site-to-ISP traffic would traverse through the gateway. So,
+ Measurement Methods that measure user traffic could easily be
+ performed. Similarly, due to this user traffic visibility, a
+ Measurement Method that generates Measurement Traffic could ensure it
+ does not compete with user traffic. Generally NAT and firewall
+ services are built into the gateway, allowing the Measurement Agent
+ the option to offer its Controller-facing management interface
+ outside of the NAT/firewall. This placement of the management
+ interface allows the Controller to unilaterally contact the
+ Measurement Agent with Instructions. However, a Measurement Agent on
+ a site gateway (whether end-user or service-provider owned) will
+ generally not be directly available for over-the-top providers, the
+ regulator, end users, or enterprises.
+
+6.2.3. Measurement Agent Embedded behind a Site NAT or Firewall
+
+ The Measurement Agent could also be embedded behind a NAT, a
+ firewall, or both. In this case, the Controller may not be able to
+ unilaterally contact the Measurement Agent unless either static port
+ forwarding or firewall pin holing is configured. Configuring port
+ forwarding could use protocols such as the Port Control Protocol
+ [RFC6887], the CPE WAN Management Protocol [TR-069], or Universal
+ Plug and Play [UPnP]. To open a pin hole in the firewall, the
+ Measurement Agent could send keepalives towards the Controller (and
+ perhaps use these also as a network reachability test).
+
+6.2.4. Multihomed Measurement Agent
+
+ If the device with the Measurement Agent is single homed, then there
+ is no confusion about what interface to measure. Similarly, if the
+ MA is at the gateway and the gateway only has a single WAN-side and a
+ single LAN-side interface, there is little confusion -- for
+ Measurement Methods that generate Measurement Traffic, the location
+ of the other MA or Measurement Peer determines whether the WAN or LAN
+ is measured.
+
+ However, the device with the Measurement Agent may be multihomed.
+ For example, a home or campus may be connected to multiple broadband
+ ISPs, such as a wired and wireless broadband provider, perhaps for
+ redundancy or load sharing. It may also be helpful to think of dual
+ stack IPv4 and IPv6 broadband devices as multihomed. More generally,
+ Section 3.2 of [RFC7368] describes dual-stack and multihoming
+ topologies that might be encountered in a home network, [RFC6419]
+
+
+
+Eardley, et al. Informational [Page 31]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ provides the current practices of multi-interfaces hosts, and the
+ Multiple Interfaces (mif) working group covers cases where hosts are
+ either directly attached (for example, physical or virtual) or
+ indirectly (for example, multiple default routers, etc.) to multiple
+ networks. In these cases, there needs to be clarity on which network
+ connectivity option is being measured.
+
+ One possibility is to have a Measurement Agent per interface. Then
+ the Controller's choice of MA determines which interface is measured.
+ However, if an MA can measure any of the interfaces, then the
+ Controller defines in the Instruction which interface the MA should
+ use for a Measurement Task. If the choice of interface is not
+ defined, then the MA uses the default one. Explicit definition is
+ preferred if the Measurement System wants to measure the performance
+ of a particular network, whereas using the default is better if the
+ Measurement System wants to include the impact of the MA's interface
+ selection algorithm. In any case, the Measurement Result should
+ include the network that was measured.
+
+6.2.5. Measurement Agent Embedded in an ISP Network
+
+ An MA may be embedded on a device that is part of an ISP's network,
+ such as a router or switch. Usually the network devices with an
+ embedded MA will be strategically located, such as a Carrier-Grade
+ NAT or ISP Gateway. [RFC7398] gives many examples where an MA might
+ be located within a network to provide an intermediate measurement
+ point on the end-to-end path. Other examples include a network
+ device whose primary role is to host MA functions and the necessary
+ measurement protocol.
+
+6.3. Measurement Peer
+
+ A Measurement Peer participates in some Measurement Methods. It may
+ have specific functionality to enable it to participate in a
+ particular Measurement Method. On the other hand, other Measurement
+ Methods may require no special functionality. For example, if the
+ Measurement Agent sends a ping to example.com, then the server at
+ example.com plays the role of a Measurement Peer; or if the MA
+ monitors existing traffic, then the existing end points are
+ Measurement Peers.
+
+ A device may participate in some Measurement Methods as a Measurement
+ Agent and in others as a Measurement Peer.
+
+ Measurement Schedules should account for limited resources in a
+ Measurement Peer when instructing an MA to execute measurements with
+ a Measurement Peer. In some measurement protocols, such as [RFC4656]
+ and [RFC5357], the Measurement Peer can reject a measurement session
+
+
+
+Eardley, et al. Informational [Page 32]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ or refuse a control connection prior to setting up a measurement
+ session and so protect itself from resource exhaustion. This is a
+ valuable capability because the MP may be used by more than one
+ organisation.
+
+6.4. Deployment Examples
+
+ In this section, we describe some deployment scenarios that are
+ feasible within the LMAP framework defined in this document.
+
+ A very simple example of a Measurement Peer (MP) is a web server from
+ which the MA downloads a web page (such as www.example.com) in order
+ to perform a speed test. The web server is an MP and from its
+ perspective the MA is just another client; the MP doesn't have a
+ specific function for assisting measurements. This is described in
+ Figure 7.
+
+ ^
+ +------------------+ web traffic +----------------+ non-LMAP
+ | web client |<------------>| web server | Scope
+ | | +----------------+ |
+ ...|..................|....................................V...
+ |MA:LMAP interface | <MP> ^
+ +------------------+ |
+ ^ | |
+ Instruction | | Report |
+ | +-----------------+ |
+ | | |
+ | v LMAP
+ +------------+ +------------+ Scope
+ | Controller | | Collector | |
+ +------------+ +------------+ V
+
+ MA: Measurement Agent
+ MP: Measurement Peer
+
+ Figure 7: LMAP deployment example, with Web server as Measurement
+ Peer
+
+ Another example of an MP is a TWAMP Server and TWAMP
+ Session-Reflector. This form of MP is deployed to assist the MAs
+ that perform TWAMP tests, where the MA is co-located with the TWAMP
+ Control-Client and Session-Sender. Another example, which was
+ described in Section 2, has a ping server as the Measurement Peer.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 33]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ A further example is the case of a traceroute-like measurement. In
+ this case, for each packet sent, the router where the TTL expires is
+ performing the MP function. So for a given Measurement Task, there
+ is one MA involved and several MPs, one per hop.
+
+ In Figure 8, we depict the case of an OWAMP (One-Way Active
+ Measurement Protocol) Server and Session-Receiver acting as an MP.
+ In this case, the OWAMP Server conveys results back to the OWAMP
+ Fetch-Client, thus the MP conducts both control-plane and data-plane
+ communications with its OWAMP counterparts co-located with the MA.
+
+ +------------------+ OWAMP +-----------------+ ^
+ | OWAMP |<--control--->| | |
+ | control-client |-test-traffic>| OWAMP server & | non-LMAP
+ | fetch-client & |<----fetch----| session-receiver| Scope
+ | session-sender | | | |
+ | | +-----------------+ |
+ ...|..................|.....................................v...
+ |MA:LMAP interface | <MP> ^
+ +------------------+ |
+ ^ | |
+ Instruction | | Report |
+ | +-----------------+ |
+ | | |
+ | v LMAP
+ +------------+ +------------+ Scope
+ | Controller | | Collector | |
+ +------------+ +------------+ v
+
+ MA: Measurement Agent
+ MP: Measurement Peer
+
+ Figure 8: LMAP deployment example, with OWAMP server as Measurement
+ Peer
+
+ However, it is also possible to use two Measurement Agents when
+ performing one-way Measurement Tasks, as described in Figure 9. Both
+ MAs are instructed by the Controller: MA-1 to send the traffic and
+ MA-2 to measure the received traffic and send Reports to the
+ Collector. Note that the Measurement Task at MA-2 can listen for
+ traffic from MA-1 and respond multiple times without having to be
+ rescheduled.
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 34]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +----------------+ +-------------------+ ^
+ | | | | non-LMAP
+ | iperf -u sender|-UDP traffic->| iperf -u receiver | Scope
+ | | | | v
+ ...|................|..............|...................|........
+ | MA-1: | | MA-2: | ^
+ | LMAP interface | | LMAP interface | |
+ +----------------+ +-------------------+ |
+ ^ ^ | |
+ Instruction | Instruction{Report} | | Report |
+ {Task, | +-------------------+ | |
+ Schedule} | | | |
+ | | v LMAP
+ +------------+ +------------+ Scope
+ | Controller | | Collector | |
+ +------------+ +------------+ v
+
+ MA: Measurement Agent
+
+ Figure 9: Schematic of LMAP-based Measurement System, with two
+ Measurement Agents cooperating to measure UDP traffic
+
+ Next, we consider Measurement Methods that meter the Observed Traffic
+ Flow. Traffic generated in one point in the network is flowing
+ towards a given destination and the traffic is observed in some point
+ along the path. One way to implement this is that the endpoints
+ generating and receiving the traffic are not instructed by the
+ Controller; hence they are MPs. The MA is located along the path
+ with a monitor function that measures the traffic. The MA is
+ instructed by the Controller to monitor that particular traffic and
+ to send the Report to the Collector. It is depicted in Figure 10.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 35]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ +--------+ +------------------+ +--------+ ^
+ |End user| | monitor | Observed |End user| |
+ | |<--|------------------|--Traffic-->| | non-LMAP
+ | | | | Flow | | Scope
+ +--------+ | | +--------+ |
+ ............|..................|............................v..
+ <MP> |MA:LMAP interface | <MP> ^
+ +------------------+ |
+ ^ | |
+ Instruction | | Report |
+ | +-----------------+ |
+ | | |
+ | v LMAP
+ +------------+ +------------+ Scope
+ | Controller | | Collector | |
+ +------------+ +------------+ v
+
+ MA: Measurement Agent
+ MP: Measurement Peer
+
+ Figure 10: LMAP deployment example, with a Measurement Agent
+ monitoring traffic
+
+7. Security Considerations
+
+ The security of the LMAP framework should protect the interests of
+ the measurement operator(s), the network user(s), and other actors
+ who could be impacted by a compromised measurement deployment. The
+ Measurement System must secure the various components of the system
+ from unauthorised access or corruption. Much of the general advice
+ contained in Section 6 of [RFC4656] is applicable here.
+
+ The process to upgrade the firmware in an MA is outside the scope of
+ the initial LMAP work, just as is the protocol to Bootstrap the MAs.
+ However, systems that provide remote upgrades must secure authorised
+ access and integrity of the process.
+
+ We assume that each Measurement Agent (MA) will receive its
+ Instructions from a single organisation, which operates the
+ Controller. These Instructions must be authenticated (to ensure that
+ they come from the trusted Controller), checked for integrity (to
+ ensure no one has tampered with them), and not vulnerable to replay
+ attacks. If a malicious party can gain control of the MA, they can
+ use it to launch denial-of-service (DoS) attacks at targets, create a
+ platform for pervasive monitoring [RFC7258], reduce the end-user's
+ quality of experience, and corrupt the Measurement Results that are
+ reported to the Collector. By altering the Measurement Tasks and/or
+ the address that Results are reported to, they can also compromise
+
+
+
+Eardley, et al. Informational [Page 36]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ the confidentiality of the network user and the MA environment (such
+ as information about the location of devices or their traffic). The
+ Instruction Messages also need to be encrypted to maintain
+ confidentiality, as the information might be useful to an attacker.
+
+ Reporting by the MA must be encrypted to maintain confidentiality, so
+ that only the authorised Collector can decrypt the results to prevent
+ the leakage of confidential or private information. Reporting must
+ also be authenticated (to ensure that it comes from a trusted MA and
+ that the MA reports to a genuine Collector) and not vulnerable to
+ tampering (which can be ensured through integrity and replay checks).
+ It must not be possible to fool an MA into injecting falsified data
+ and the results must also be held and processed securely after
+ collection and analysis. See Section 8.5.2 for additional
+ considerations on stored data compromise, and Section 8.6 on
+ potential mitigations for compromise.
+
+ Since Collectors will be contacted repeatedly by MAs using the Report
+ Protocol to convey their recent results, a successful attack to
+ exhaust the communication resources would prevent a critical
+ operation: reporting. Therefore, all LMAP Collectors should
+ implement technical mechanisms to:
+
+ o limit the number of reporting connections from a single MA
+ (simultaneous and established in some time period).
+
+ o limit the transmission rate from a single MA.
+
+ o limit the memory/storage consumed by a single MA's reports.
+
+ o efficiently reject reporting connections from unknown sources.
+
+ o separate resources if multiple authentication strengths are used,
+ where the resources should be separated according to each class of
+ strength.
+
+ A corrupted MA could report falsified information to the Collector.
+ Whether this can be effectively mitigated depends on the platform on
+ which the MA is deployed. However, where the MA is deployed on a
+ customer-controlled device, then the reported data is to some degree
+ inherently untrustworthy. Further, a sophisticated party could
+ distort some Measurement Methods, perhaps by dropping or delaying
+ packets for example. This suggests that the network operator should
+ be cautious about relying on Measurement Results for action such as
+ refunding fees if a service level agreement is not met.
+
+ As part of the protocol design, it will be decided how LMAP operates
+ over the underlying protocol (Section 5.5). The choice raises
+
+
+
+Eardley, et al. Informational [Page 37]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ various security issues, such as how to operate through a NAT and how
+ to protect the Controller and Collector from DoS attacks.
+
+ The security mechanisms described above may not be strictly necessary
+ if the network's design ensures the LMAP components and their
+ communications are already secured, for example potentially if they
+ are all part of an ISP's dedicated management network.
+
+ Finally, there are three other issues related to security: privacy
+ (considered in Section 8), availability, and "gaming the system".
+ While the loss of some MAs may not be considered critical, the
+ unavailability of the Collector could mean that valuable business
+ data or data critical to a regulatory process is lost. Similarly,
+ the unavailability of a Controller could mean that the MAs do not
+ operate a correct Measurement Schedule.
+
+ A malicious party could "game the system". For example, where a
+ regulator is running a Measurement System in order to benchmark
+ operators, an operator could try to identify the broadband lines that
+ the regulator was measuring and prioritise that traffic. Normally,
+ this potential issue is handled by a code of conduct. It is outside
+ the scope of the initial LMAP work to consider the issue.
+
+8. Privacy Considerations
+
+ The LMAP work considers privacy a core requirement and will ensure
+ that by default the Control and Report Protocols operate in a
+ privacy-sensitive manner and that privacy features are well defined.
+
+ This section provides a set of privacy considerations for LMAP. This
+ section benefits greatly from the publication of [RFC6973]. Privacy
+ and security (Section 7) are related. In some jurisdictions, privacy
+ is called data protection.
+
+ We begin with a set of assumptions related to protecting the
+ sensitive information of individuals and organisations participating
+ in LMAP-orchestrated measurement and data collection.
+
+8.1. Categories of Entities with Information of Interest
+
+ LMAP protocols need to protect the sensitive information of the
+ following entities, including individuals and organisations who
+ participate in measurement and collection of results.
+
+ o Individual Internet users: Persons who utilise Internet access
+ services for communications tasks, according to the terms of
+ service of a service agreement. Such persons may be a service
+
+
+
+
+Eardley, et al. Informational [Page 38]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Subscriber, or have been given permission by the Subscriber to use
+ the service.
+
+ o Internet service providers: Organisations that offer Internet
+ access service subscriptions, and thus have access to sensitive
+ information of individuals who choose to use the service. These
+ organisations desire to protect their Subscribers and their own
+ sensitive information, which may be stored in the process of
+ performing Measurement Tasks and collecting Results.
+
+ o Regulators: Public authorities responsible for exercising
+ supervision of the electronic communications sector, and which may
+ have access to sensitive information of individuals who
+ participate in a measurement campaign. Similarly, regulators
+ desire to protect the participants and their own sensitive
+ information.
+
+ o Other LMAP system operators: Organisations who operate Measurement
+ Systems or participate in measurements in some way.
+
+ Although privacy is a protection extended to individuals, we discuss
+ data protection by ISPs and other LMAP system operators in this
+ section. These organisations have sensitive information involved in
+ the LMAP system, and many of the same dangers and mitigations are
+ applicable. Further, the ISPs store information on their Subscribers
+ beyond that used in the LMAP system (for example, billing
+ information), and there should be a benefit in considering all the
+ needs and potential solutions coherently.
+
+8.2. Examples of Sensitive Information
+
+ This section gives examples of sensitive information that may be
+ measured or stored in a Measurement System, and that is to be kept
+ private by default in the LMAP core protocols.
+
+ Examples of Subscriber or authorised Internet user sensitive
+ information:
+
+ o Sub-IP-layer addresses and names (MAC address, base station ID,
+ SSID)
+
+ o IP address in use
+
+ o Personal Identification (real name)
+
+ o Location (street address, city)
+
+ o Subscribed service parameters
+
+
+
+Eardley, et al. Informational [Page 39]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ o Contents of traffic (activity, DNS queries, destinations,
+ equipment types, account info for other services, etc.)
+
+ o Status as a study volunteer and Schedule of Measurement Tasks
+
+ Examples of Internet Service Provider sensitive information:
+
+ o Measurement device identification (equipment ID and IP address)
+
+ o Measurement Instructions (choice of measurements)
+
+ o Measurement Results (some may be shared, others may be private)
+
+ o Measurement Schedule (exact times)
+
+ o Network topology (locations, connectivity, redundancy)
+
+ o Subscriber billing information, and any of the above Subscriber
+ information known to the provider.
+
+ o Authentication credentials (such as certificates)
+
+ Other organisations will have some combination of the lists above.
+ The LMAP system would not typically expose all of the information
+ above, but could expose a combination of items that could be
+ correlated with other pieces collected by an attacker (as discussed
+ in Section 8.5 on Threats).
+
+8.3. Different Privacy Issues Raised by Different Sorts of Measurement
+ Methods
+
+ Measurement Methods raise different privacy issues depending on
+ whether they measure traffic created specifically for that purpose or
+ whether they measure user traffic.
+
+ Measurement Tasks conducted on user traffic store sensitive
+ information, however briefly this storage may be. We note that some
+ authorities make a distinction on time of storage, and information
+ that is kept only temporarily to perform a communications function is
+ not subject to regulation (for example, active queue management, deep
+ packet inspection). Such Measurement Tasks could reveal all the
+ websites a Subscriber visits and the applications and/or services
+ they use. This issue is not specific to LMAP. For instance, IPFIX
+ has discussed similar issues (see Section 11.8 of [RFC7011]), but
+ mitigations described in the sections below were considered beyond
+ their scope.
+
+
+
+
+
+Eardley, et al. Informational [Page 40]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ In contrast to Measurement Tasks conducted on user traffic, other
+ Measurement Tasks use traffic which is created specifically for the
+ purpose of measurement. Even if a user host generates Measurement
+ Traffic, there is limited sensitive information about the Subscriber
+ present and stored in the Measurement System:
+
+ o IP address in use (and possibly sub-IP addresses and names)
+
+ o Status as a study volunteer and Schedule of Measurement Tasks
+
+ On the other hand, for a service provider, the sensitive information
+ like Measurement Results is the same for all Measurement Tasks.
+
+ From the Subscriber perspective, both types of Measurement Tasks
+ potentially expose the description of Internet access service and
+ specific service parameters, such as the Subscriber rate and type of
+ access.
+
+8.4. Privacy Analysis of the Communication Models
+
+ This section examines each of the protocol exchanges described at a
+ high level in Section 5 and some example Measurement Tasks, and it
+ identifies specific sensitive information that must be secured during
+ communication for each case. With the protocol-related sensitive
+ information identified, we can better consider the threats described
+ in the following section.
+
+ From the privacy perspective, all entities participating in LMAP
+ protocols can be considered "observers" according to the definition
+ in [RFC6973]. Their stored information potentially poses a threat to
+ privacy, especially if one or more of these functional entities has
+ been compromised. Likewise, all devices on the paths used for
+ control, reporting, and measurement are also observers.
+
+8.4.1. MA Bootstrapping
+
+ Section 5.1 provides the communication model for the Bootstrapping
+ process.
+
+ Although the specification of mechanisms for Bootstrapping the MA are
+ beyond the scope of the initial LMAP work, designers should recognise
+ that the Bootstrapping process is extremely powerful and could cause
+ an MA to join a new or different LMAP system with a different
+ Controller and Collector, or simply install new Metrics with
+ associated Measurement Methods (for example, to record DNS queries).
+ A Bootstrap attack could result in a breach of the LMAP system with
+ significant sensitive information exposure depending on the
+
+
+
+
+Eardley, et al. Informational [Page 41]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ capabilities of the MA, so sufficient security protections are
+ warranted.
+
+ The Bootstrapping process provides sensitive information about the
+ LMAP system and the organisation that operates it, such as
+
+ o the MA's identifier (MA-ID)
+
+ o the address that identifies the Control Channel, such as the
+ Controller's FQDN
+
+ o Security information for the Control Channel
+
+ During the Bootstrap process for an MA located at a single
+ Subscriber's service demarcation point, the MA receives an MA-ID,
+ which is a persistent pseudonym for the Subscriber. Thus, the MA-ID
+ is considered sensitive information because it could provide the link
+ between Subscriber identification and Measurements Results.
+
+ Also, the Bootstrap process could assign a Group-ID to the MA. The
+ specific definition of information represented in a Group-ID is to be
+ determined, but several examples are envisaged including use as a
+ pseudonym for a set of Subscribers, a class of service, an access
+ technology, or other important categories. Assignment of a Group-ID
+ enables anonymisation sets to be formed on the basis of service
+ type/grade/rates. Thus, the mapping between Group-ID and MA-ID is
+ considered sensitive information.
+
+8.4.2. Controller <-> Measurement Agent
+
+ The high-level communication model for interactions between the LMAP
+ Controller and Measurement Agent is illustrated in Section 5.2. The
+ primary purpose of this exchange is to authenticate and task a
+ Measurement Agent with Measurement Instructions, which the
+ Measurement Agent then acts on autonomously.
+
+ Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are
+ exchanged with a capability request, then measurement-related
+ information of interest such as the parameters, schedule, metrics,
+ and IP addresses of measurement devices. Thus, the measurement
+ Instruction contains sensitive information that must be secured. For
+ example, the fact that an ISP is running additional measurements
+ beyond the set reported externally is sensitive information, as are
+ the additional Measurements Tasks themselves. The Measurement
+ Schedule is also sensitive, because an attacker intending to bias the
+ results without being detected can use this information to great
+ advantage.
+
+
+
+
+Eardley, et al. Informational [Page 42]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ An organisation operating the Controller having no service
+ relationship with a user who hosts the Measurement Agent *could* gain
+ real-name mapping to a public IP address through user participation
+ in an LMAP system (this applies to the Measurement Collection
+ protocol, as well).
+
+8.4.3. Collector <-> Measurement Agent
+
+ The high-level communication model for interactions between the
+ Measurement Agent and Collector is illustrated in Section 5.4. The
+ primary purpose of this exchange is to authenticate and collect
+ Measurement Results from an MA, which the MA has measured
+ autonomously and stored.
+
+ The Measurement Results are the additional sensitive information
+ included in the Collector-MA exchange. Organisations collecting LMAP
+ measurements have responsibility for data control. Thus, the Results
+ and other information communicated in the Collector protocol must be
+ secured.
+
+8.4.4. Measurement Peer <-> Measurement Agent
+
+ A Measurement Method involving Measurement Traffic raises potential
+ privacy issues, although the specification of the mechanisms is
+ beyond the scope of the initial LMAP work. The high-level
+ communications model below illustrates the various exchanges to
+ execute such a Measurement Method and store the Results.
+
+ We note the potential for additional observers in the figures below
+ by indicating the possible presence of a NAT, which has additional
+ significance to the protocols and direction of initiation.
+
+ The various messages are optional, depending on the nature of the
+ Measurement Method. It may involve sending Measurement Traffic from
+ the Measurement Peer to MA, MA to Measurement Peer, or both.
+ Similarly, a second (or more) MAs may be involved. (Note: For
+ simplicity, Figure 11 and the description don't show the non-LMAP
+ functionality that is associated with the transfer of the Measurement
+ Traffic and is located at the devices with the MA and MP.)
+
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 43]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ _________________ _________________
+ | | | |
+ |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
+ |_________________| |_________________|
+
+ <- (Key Negotiation &
+ Encryption Setup)
+ (Encrypted Channel ->
+ Established)
+ (Announce capabilities ->
+ & status)
+ <- (Select capabilities)
+ ACK ->
+ <- (Measurement Request
+ (MA+MP IPAddrs,set of
+ Metrics, Schedule))
+ ACK ->
+
+ Measurement Traffic <> Measurement Traffic
+ (may/may not be encrypted) (may/may not be encrypted)
+
+ <- (Stop Measurement Task)
+
+ Measurement Results ->
+ (if applicable)
+ <- ACK, Close
+
+ Figure 11: Interactions between Measurement Peer and Measurement
+ Agent
+
+ This exchange primarily exposes the IP addresses of measurement
+ devices and the inference of measurement participation from such
+ traffic. There may be sensitive information on key points in a
+ service provider's network included. There may also be access to
+ measurement-related information of interest such as the Metrics,
+ Schedule, and intermediate results carried in the Measurement Traffic
+ (usually a set of timestamps).
+
+ The Measurement Peer may be able to use traffic analysis (perhaps
+ combined with traffic injection) to obtain interesting insights about
+ the Subscriber. As a simple example, if the Measurement Task
+ includes a pre-check that the end user isn't already sending traffic,
+ the Measurement Peer may be able to deduce when the Subscriber is
+ away on holiday.
+
+ If the Measurement Traffic is unencrypted, as found in many systems
+ today, then both timing and limited results are open to on-path
+ observers.
+
+
+
+Eardley, et al. Informational [Page 44]
+
+RFC 7594 LMAP Framework September 2015
+
+
+8.4.5. Measurement Agent
+
+ Some Measurement Methods only involve a single Measurement Agent
+ observing existing traffic. They raise potential privacy issues,
+ although the specification of the mechanisms is beyond the scope of
+ the initial LMAP work.
+
+ The high-level communications model shown in Figure 12 illustrates
+ the collection of user information of interest with the Measurement
+ Agent performing the monitoring and storage of the Results. This
+ particular exchange is for measurement of DNS Response Time, which
+ most frequently uses UDP transport. (Note: For simplicity, Figure 12
+ and its description do not show the non-LMAP functionality that is
+ associated with the transfer (export) of the observed Measurement
+ Traffic beyond the measurement devices located with the MA.)
+
+ _________________ ____________
+ | | | |
+ | DNS Server |=========== NAT ? ==========*=======| User client|
+ |_________________| ^ |____________|
+ ______|_______
+ | |
+ | Measurement |
+ | Agent |
+ |______________|
+
+ <- Name Resolution Required
+ (MA+MP IPAddrs,
+ Desired Domain Name)
+ Return Record ->
+
+ MA: Measurement Agent
+ MP: Measurement Peer
+
+ Figure 12: LMAP deployment example, with Measurement Agent monitoring
+ DNS response time
+
+ In this particular example, the MA monitors DNS messages in order to
+ measure the DNS response time. The Measurement Agent may be embedded
+ in the user host, or it may be located in another device capable of
+ observing user traffic. The MA learns the IP addresses of
+ measurement devices and the intent to communicate with or access the
+ services of a particular domain name, and perhaps also information on
+ key points in a service provider's network, such as the address of
+ one of its DNS servers.
+
+
+
+
+
+
+Eardley, et al. Informational [Page 45]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ In principle, any of the user sensitive information of interest
+ (listed above) can be collected and stored in the monitoring scenario
+ and so must be secured.
+
+ It would also be possible for a Measurement Agent to source the DNS
+ query itself, and then there are not many privacy concerns.
+
+8.4.6. Storage and Reporting of Measurement Results
+
+ Although the mechanisms for communicating results (beyond the initial
+ Collector) are beyond the scope of the initial LMAP work, there are
+ potential privacy issues related to a single organisation's storage
+ and reporting of Measurement Results. Both storage and reporting
+ functions can help to preserve privacy by implementing the
+ mitigations described below.
+
+8.5. Threats
+
+ This section indicates how each of the threats described in [RFC6973]
+ apply to the LMAP entities and their communication and storage of
+ "information of interest". DoS and other attacks described in the
+ Security section represent threats as well, and these attacks are
+ more effective when sensitive information protections have been
+ compromised.
+
+8.5.1. Surveillance
+
+ Section 5.1.1 of [RFC6973] describes surveillance as the "observation
+ or monitoring of an individual's communications or activities."
+ Hence, all Measurement Methods that measure user traffic are a form
+ of surveillance, with inherent risks.
+
+ Measurement Methods that avoid periods of user transmission
+ indirectly produce a record of times when a subscriber or authorised
+ user has used their network access service.
+
+ Measurement Methods may also utilise and store a Subscriber's
+ currently assigned IP address when conducting measurements that are
+ relevant to a specific Subscriber. Since the Measurement Results are
+ timestamped, they could provide a record of IP address assignments
+ over time.
+
+ Either of the above pieces of information could be useful in
+ correlation and identification, as described below.
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 46]
+
+RFC 7594 LMAP Framework September 2015
+
+
+8.5.2. Stored Data Compromise
+
+ Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
+ resulting from inadequate measures to secure stored data from
+ unauthorised or inappropriate access. For LMAP systems, this
+ includes deleting or modifying collected measurement records, as well
+ as data theft.
+
+ The primary LMAP entity subject to compromise is the repository,
+ which stores the Measurement Results; extensive security and privacy
+ threat mitigations are warranted. The Collector and MA also store
+ sensitive information temporarily and need protection. The
+ communications between the local storage of the Collector and the
+ repository is beyond the scope of the initial LMAP work, though this
+ communications channel will certainly need protection as will the
+ mass storage itself.
+
+ The LMAP Controller may have direct access to storage of Subscriber
+ information (for example, location, billing, service parameters,
+ etc.) and other information that the controlling organisation
+ considers private and again needs protection.
+
+ Note that there is tension between the desire to store all raw
+ results in the LMAP Collector (for reproduction and custom analysis)
+ and the need to protect the privacy of measurement participants.
+ Many of the mitigations described in Section 8.6 are most efficient
+ when deployed at the MA, therefore minimising the risks associated
+ with stored results.
+
+8.5.3. Correlation and Identification
+
+ Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as
+ combining various pieces of information to obtain desired
+ characteristics of an individual, and identification as using this
+ combination to infer identity.
+
+ The main risk is that the LMAP system could unwittingly provide a key
+ piece of the correlation chain, starting with an unknown Subscriber's
+ IP address and another piece of information. For example, a
+ Subscriber utilised Internet access from 2000 to 2310 UTC, because
+ the Measurement Tasks were deferred or sent a name resolution for
+ www.example.com at 2300 UTC.
+
+ If a user's access with another system already gave away sensitive
+ information, correlation is clearly easier and can result in
+ re-identification, even when an LMAP system conserves sensitive
+ information to great extent.
+
+
+
+
+Eardley, et al. Informational [Page 47]
+
+RFC 7594 LMAP Framework September 2015
+
+
+8.5.4. Secondary Use and Disclosure
+
+ Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as
+ unauthorised utilisation of an individual's information for a purpose
+ the individual did not intend, and disclosure as when such
+ information is revealed causing another's notions of the individual
+ to change or confidentiality to be violated.
+
+ Measurement Methods that measure user traffic are a form of secondary
+ use, and the Subscribers' permission should be obtained beforehand.
+ It may be necessary to obtain the measured ISP's permission to
+ conduct measurements (for example, when required by the terms and
+ conditions of the service agreement) and notification is considered
+ good measurement practice.
+
+ For Measurement Methods that measure Measurement Traffic the
+ Measurement Results provide some limited information about the
+ Subscriber or ISP and could result in secondary uses. For example,
+ the use of the Results in unauthorised marketing campaigns would
+ qualify as secondary use. Secondary use may break national laws and
+ regulations, and may violate an individual's expectations or desires.
+
+8.6. Mitigations
+
+ This section examines the mitigations listed in Section 6 of
+ [RFC6973] and their applicability to LMAP systems. Note that each
+ section in [RFC6973] identifies the threat categories that each
+ technique mitigates.
+
+8.6.1. Data Minimisation
+
+ Section 6.1 of [RFC6973] encourages collecting and storing the
+ minimal information needed to perform a task.
+
+ LMAP Results can be useful for general reporting about performance
+ and for specific troubleshooting. They need different levels of
+ information detail, as explained in the paragraphs below.
+
+ For general reporting, the results can be aggregated into large
+ categories (for example, the month of March, all US subscribers West
+ of the Mississippi River). In this case, all individual
+ identifications (including IP address of the MA) can be excluded, and
+ only relevant results are provided. However, this implies a
+ filtering process to reduce the information fields, because greater
+ detail was needed to conduct the Measurement Tasks in the first
+ place.
+
+
+
+
+
+Eardley, et al. Informational [Page 48]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ For troubleshooting, so that a network operator or end user can
+ identify a performance issue or failure, potentially all the network
+ information (for example, IP addresses, equipment IDs, location),
+ Measurement Schedules, service configurations, Measurement Results,
+ and other information may assist in the process. This includes the
+ information needed to conduct the Measurements Tasks, and represents
+ a need where the maximum relevant information is desirable;
+ therefore, the greatest protections should be applied. This level of
+ detail is greater than needed for general performance monitoring.
+
+ As regards Measurement Methods that measure user traffic, we note
+ that a user may give temporary permission (to enable detailed
+ troubleshooting), but withhold permission for them in general. Here
+ the greatest breadth of sensitive information is potentially exposed,
+ and the maximum privacy protection must be provided. The Collector
+ may perform pre-storage minimisation and other mitigations
+ (Section 8.6.4) to help preserve privacy.
+
+ For MAs with access to the sensitive information of users (for
+ example, within a home or a personal host/handset), it is desirable
+ for the Results collection to minimise the data reported, but also to
+ balance this desire with the needs of troubleshooting when a service
+ subscription exists between the user and organisation operating the
+ measurements.
+
+8.6.2. Anonymity
+
+ Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in
+ which anonymity is achieved: "there must exist a set of individuals
+ that appear to have the same attribute(s) as the individual."
+
+ Experimental methods for anonymisation of user-identifiable data (and
+ so particularly applicable to Measurement Methods that measure user
+ traffic) have been identified in [RFC6235]. However, the findings of
+ several of the same authors is that "there is increasing evidence
+ that anonymization applied to network trace or flow data on its own
+ is insufficient for many data protection applications as in [Bur10]."
+ Essentially, the details of such Measurement Methods can only be
+ accessed by closed organisations, and unknown injection attacks are
+ always less expensive than the protections from them. However, some
+ forms of summary may protect the user's sensitive information
+ sufficiently well, and so each Metric must be evaluated in the light
+ of privacy.
+
+ The techniques in [RFC6235] could be applied more successfully in
+ Measurement Methods that generate Measurement Traffic, where there
+ are protections from injection attack. The successful attack would
+ require breaking the integrity protection of the LMAP Reporting
+
+
+
+Eardley, et al. Informational [Page 49]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Protocol and injecting Measurement Results (known fingerprint, see
+ Section 3.2 of [RFC6973]) for inclusion with the shared and
+ anonymised results, then fingerprinting those records to ascertain
+ the anonymisation process.
+
+ Beside anonymisation of measured Results for a specific user or
+ provider, the value of sensitive information can be further diluted
+ by summarising the Results over many individuals or areas served by
+ the provider. There is an opportunity enabled by forming anonymity
+ sets [RFC6973] based on the reference path measurement points in
+ [RFC7398]. For example, all measurements from a Subscriber device
+ can be identified as "mp000", instead of using the IP address or
+ other device information. The same anonymisation applies to the
+ Internet Service Provider, where their Internet gateway would be
+ referred to as "mp190".
+
+ Another anonymisation technique is for the MA to include its Group-ID
+ instead of its MA-ID in its Measurement Reports, with several MAs
+ sharing the same Group-ID.
+
+8.6.3. Pseudonymity
+
+ Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
+ are a possible mitigation to revealing one's true identity, since
+ there is no requirement to use real names in almost all protocols.
+
+ A pseudonym for a measurement device's IP address could be an
+ LMAP-unique equipment ID. However, this would likely be a permanent
+ handle for the device, and long-term use weakens a pseudonym's power
+ to obscure identity.
+
+8.6.4. Other Mitigations
+
+ Data can be depersonalised by blurring it, for example by adding
+ synthetic data, data-swapping, or perturbing the values in ways that
+ can be reversed or corrected.
+
+ Sections 6.2 and 6.3 of [RFC6973] describe user participation and
+ security, respectively.
+
+ Where LMAP measurements involve devices on the subscriber's premises
+ or Subscriber-owned equipment, it is essential to secure the
+ Subscriber's permission with regard to the specific information that
+ will be collected. The informed consent of the Subscriber (and, if
+ different, the end user) may be needed, including the specific
+ purpose of the measurements. The approval process could involve
+ showing the Subscriber their measured information and results before
+ instituting periodic collection, or before all instances of
+
+
+
+Eardley, et al. Informational [Page 50]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ collection, with the option to cancel collection temporarily or
+ permanently.
+
+ It should also be clear who is legally responsible for data
+ protection (privacy); in some jurisdictions, this role is called the
+ 'data controller'. It is always good practice to limit the time that
+ personal information is stored.
+
+ Although the details of verification would be impenetrable to most
+ subscribers, the MA could be architected as an "app" with open source
+ code, pre-download and embedded terms of use and agreement on
+ measurements, and protection from code modifications usually provided
+ by the app stores. Further, the app itself could provide data
+ reduction and temporary storage mitigations as appropriate and
+ certified through code review.
+
+ LMAP protocols, devices, and the information they store clearly need
+ to be secure from unauthorised access. This is the hand-off between
+ privacy and security considerations (Section 7). The data controller
+ is responsible (legally) for maintaining data protections described
+ in the Subscriber's agreement and agreements with other
+ organisations.
+
+ Finally, it is recommended that each entity described in Section 8.1,
+ (for example, individuals, ISPs, regulators, others) assess the risks
+ of LMAP data collection by conducting audits of their data protection
+ methods.
+
+9. Informative References
+
+ [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
+ "The Role of Network Trace anonymisation Under Attack",
+ January 2010.
+
+ [IPPM-REG] Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A.
+ Akhter, "Registry for Performance Metrics", Work in
+ Progress, draft-ietf-ippm-metric-registry-04, July 2015.
+
+ [LMAP-INFO]
+ Burbridge, T., Eardley, P., Bagnulo, M., and J.
+ Schoenwaelder, "Information Model for Large-Scale
+ Measurement Platforms (LMAP)", Work in Progress,
+ draft-ietf-lmap-information-model-06, July 2015.
+
+ [REST] Wikipedia, "Representational state transfer", July 2015,
+ <https://en.wikipedia.org/w/index.php?
+ title=Representational_state_transfer&oldid=673799183>.
+
+
+
+
+Eardley, et al. Informational [Page 51]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
+ November 1987, <http://www.rfc-editor.org/info/rfc1035>.
+
+ [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
+ Information Models and Data Models", RFC 3444,
+ DOI 10.17487/RFC3444, January 2003,
+ <http://www.rfc-editor.org/info/rfc3444>.
+
+ [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
+ DOI 10.17487/RFC4101, June 2005,
+ <http://www.rfc-editor.org/info/rfc4101>.
+
+ [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
+ Unique IDentifier (UUID) URN Namespace", RFC 4122,
+ DOI 10.17487/RFC4122, July 2005,
+ <http://www.rfc-editor.org/info/rfc4122>.
+
+ [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
+ Zekauskas, "A One-way Active Measurement Protocol
+ (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
+ <http://www.rfc-editor.org/info/rfc4656>.
+
+ [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
+ Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
+ RFC 5357, DOI 10.17487/RFC5357, October 2008,
+ <http://www.rfc-editor.org/info/rfc5357>.
+
+ [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
+ Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
+ <http://www.rfc-editor.org/info/rfc6235>.
+
+ [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
+ and A. Bierman, Ed., "Network Configuration Protocol
+ (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
+ <http://www.rfc-editor.org/info/rfc6241>.
+
+ [RFC6419] Wasserman, M. and P. Seite, "Current Practices for
+ Multiple-Interface Hosts", RFC 6419, DOI 10.17487/RFC6419,
+ November 2011, <http://www.rfc-editor.org/info/rfc6419>.
+
+ [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
+ P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
+ DOI 10.17487/RFC6887, April 2013,
+ <http://www.rfc-editor.org/info/rfc6887>.
+
+
+
+
+
+
+Eardley, et al. Informational [Page 52]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
+ Morris, J., Hansen, M., and R. Smith, "Privacy
+ Considerations for Internet Protocols", RFC 6973,
+ DOI 10.17487/RFC6973, July 2013,
+ <http://www.rfc-editor.org/info/rfc6973>.
+
+ [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
+ "Specification of the IP Flow Information Export (IPFIX)
+ Protocol for the Exchange of Flow Information", STD 77,
+ RFC 7011, DOI 10.17487/RFC7011, September 2013,
+ <http://www.rfc-editor.org/info/rfc7011>.
+
+ [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
+ Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258,
+ May 2014, <http://www.rfc-editor.org/info/rfc7258>.
+
+ [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
+ Weil, "IPv6 Home Networking Architecture Principles",
+ RFC 7368, DOI 10.17487/RFC7368, October 2014,
+ <http://www.rfc-editor.org/info/rfc7368>.
+
+ [RFC7398] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
+ A. Morton, "A Reference Path and Measurement Points for
+ Large-Scale Measurement of Broadband Performance",
+ RFC 7398, DOI 10.17487/RFC7398, February 2015,
+ <http://www.rfc-editor.org/info/rfc7398>.
+
+ [RFC7536] Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
+ "Large-Scale Broadband Measurement Use Cases", RFC 7536,
+ DOI 10.17487/RFC7536, May 2015,
+ <http://www.rfc-editor.org/info/rfc7536>.
+
+ [TR-069] The Broadband Forum, "CPE WAN Management Protocol", TR-069
+ Amendment 5, November 2013,
+ <https://www.broadband-forum.org/technical/download/
+ TR-069_Amendment-5.pdf>.
+
+ [UPnP] UPnP Forum, "UPnP Device Architecture 2.0", February 2015,
+ <http://www.iso.org/iso/home/store/catalogue_ics/
+ catalogue_detail_ics.htm?csnumber=57195>.
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 53]
+
+RFC 7594 LMAP Framework September 2015
+
+
+Acknowledgments
+
+ This document originated as a merger of three individual drafts:
+ "Terminology for Large MeAsurement Platforms (LMAP)" (July 2013), "A
+ Framework and Inventory for a Large Scale Measurement System" (July
+ 2013), and "A framework for large-scale measurements" (July 2013).
+
+ Thanks to Juergen Schoenwaelder for his detailed review of the
+ terminology. Thanks to Charles Cook for a very detailed review of an
+ early draft of this document. Thanks to Barbara Stark and Ken Ko for
+ many helpful comments about later draft versions.
+
+ Thanks to numerous people for much discussion, directly and on the
+ LMAP list (apologies to those unintentionally omitted): Alan Clark,
+ Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
+ Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen,
+ Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay,
+ Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner,
+ Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael
+ Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter,
+ Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey,
+ Vaibhav Bajpai, Vero Zheng, and William Lupton.
+
+ Philip Eardley, Trevor Burbridge and Marcelo Bagnulo worked in part
+ on the Leone research project, which received funding from the
+ European Union Seventh Framework Programme under grant agreement
+ number 317647.
+
+Authors' Addresses
+
+ Philip Eardley
+ BT
+ Adastral Park, Martlesham Heath
+ Ipswich
+ England
+
+ Email: philip.eardley@bt.com
+
+
+ Al Morton
+ AT&T Labs
+ 200 Laurel Avenue South
+ Middletown, NJ
+ United States
+
+ Email: acmorton@att.com
+
+
+
+
+
+Eardley, et al. Informational [Page 54]
+
+RFC 7594 LMAP Framework September 2015
+
+
+ Marcelo Bagnulo
+ Universidad Carlos III de Madrid
+ Av. Universidad 30
+ Leganes, Madrid 28911
+ Spain
+
+ Phone: 34 91 6249500
+ Email: marcelo@it.uc3m.es
+ URI: http://www.it.uc3m.es
+
+
+ Trevor Burbridge
+ BT
+ Adastral Park, Martlesham Heath
+ Ipswich
+ England
+
+ Email: trevor.burbridge@bt.com
+
+
+ Paul Aitken
+ Brocade Communications Systems, Inc.
+ 19a Canning Street, Level 3
+ Edinburgh, Scotland EH3 8EG
+ United Kingdom
+
+ Email: paitken@brocade.com
+
+
+ Aamer Akhter
+ Consultant
+ 118 Timber Hitch
+ Cary, NC
+ United States
+
+ Email: aakhter@gmail.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eardley, et al. Informational [Page 55]
+
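Review bot: the added file ends with a blank line after the final page footer ("Eardley, et al. Informational [Page 55]"), which `git diff --check` reports as a new blank line at EOF. Either drop that trailing line, or exempt doc/rfc/ from whitespace checks if the copy is meant to stay byte-identical to the published text. The import also keeps the paginated rendering, so the "[Page N]" footers and the repeated "RFC 7594 LMAP Framework September 2015" headers fall inside sentences. For example, the 8.6.2 sentence "breaking the integrity protection of the LMAP Reporting / Protocol" is split across the page 49 to page 50 break, so a phrase search over the privacy sections (8.5 Threats, 8.6 Mitigations) will miss matches that span a page boundary. If the file is vendored verbatim on purpose, say so alongside the change and record where it was fetched from (the document itself points at http://www.rfc-editor.org/info/rfc7594), so that a later cleanup does not silently make it diverge from the published RFC.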