draft-ietf-lmap-framework-01.txt   draft-ietf-lmap-framework-02.txt 
Network Working Group P. Eardley Network Working Group P. Eardley
Internet-Draft BT Internet-Draft BT
Intended status: Standards Track A. Morton Intended status: Informational A. Morton
Expires: April 24, 2014 AT&T Labs Expires: June 9, 2014 AT&T Labs
M. Bagnulo M. Bagnulo
UC3M UC3M
T. Burbridge T. Burbridge
BT BT
P. Aitken P. Aitken
A. Akhter A. Akhter
Cisco Systems Cisco Systems
October 21, 2013 December 6, 2013
A framework for large-scale measurement platforms (LMAP) A framework for large-scale measurement platforms (LMAP)
draft-ietf-lmap-framework-01 draft-ietf-lmap-framework-02
Abstract Abstract
Measuring broadband service on a large scale requires standardisation Measuring broadband service on a large scale requires a description
of the logical architecture and a description of the key protocols of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document that coordinate interactions between the components. The document
presents an overall framework for large-scale measurements. It also presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (large-scale measurement platforms). defines terminology for LMAP (large-scale measurement platforms).
The document is a contribution towards the LMAP working group's
milestone.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 24, 2014. This Internet-Draft will expire on June 9, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Outline of an LMAP-based measurement system . . . . . . . . . 5
3. Outline of an LMAP-based measurement system . . . . . . . . . 7 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 10 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.1. Measurement system is under the direction of a single 4.1. Measurement system is under the direction of a single
organisation . . . . . . . . . . . . . . . . . . . . . . 11 organisation . . . . . . . . . . . . . . . . . . . . . . 10
4.2. Each MA may only have a single Controller at any point in 4.2. Each MA may only have a single Controller at any point in
time . . . . . . . . . . . . . . . . . . . . . . . . . . 11 time . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 11 5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 11
5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 12 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 12
5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 14 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 14
5.3. Starting and stopping Measurement Tasks . . . . . . . . . 16 5.3. Starting and stopping Measurement Tasks . . . . . . . . . 16
5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 17 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 17
5.5. Items beyond the scope of the LMAP Protocol Model . . . . 18 5.5. Items beyond the scope of the LMAP Protocol Model . . . . 19
5.5.1. User-controlled measurement system . . . . . . . . . 19 5.5.1. User-controlled measurement system . . . . . . . . . 20
6. Details of the LMAP framework . . . . . . . . . . . . . . . . 20 6. MA Deployment considerations . . . . . . . . . . . . . . . . 20
6.1. Measurement Agent (MA) . . . . . . . . . . . . . . . . . 20 6.1. Measurement Agent embedded in site gateway . . . . . . . 21
6.1.1. Measurement Agent embedded in site gateway . . . . . 20 6.2. Measurement Agent embedded behind Site NAT /Firewall . . 21
6.1.2. Measurement Agent embedded behind Site NAT /Firewall 21 6.3. Measurement Agent in multi homed site . . . . . . . . . . 21
6.1.3. Measurement Agent in-line with site gateway . . . . . 21 7. Security considerations . . . . . . . . . . . . . . . . . . . 22
6.1.4. Measurement Agent in multi homed site . . . . . . . . 22 8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 23
6.2. Measurement Peer (MP) . . . . . . . . . . . . . . . . . . 22 8.1. Categories of Entities with Information of Interest . . . 23
6.3. Controller . . . . . . . . . . . . . . . . . . . . . . . 23 8.2. Examples of Sensitive Information . . . . . . . . . . . . 24
6.4. Collector . . . . . . . . . . . . . . . . . . . . . . . . 23
7. Security considerations . . . . . . . . . . . . . . . . . . . 23
8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 24
8.1. Categories of Entities with Information of Interest . . . 25
8.2. Examples of Sensitive Information . . . . . . . . . . . . 25
8.3. Key Distinction Between Active and Passive Measurement 8.3. Key Distinction Between Active and Passive Measurement
Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 25
8.4. Communications Model (for Privacy) . . . . . . . . . . . 26 8.4. Privacy analysis of the Communications Models . . . . . . 26
8.4.1. Controller <-> Measurement Agent . . . . . . . . . . 27 8.4.1. MA Bootstrapping and Registration . . . . . . . . . . 26
8.4.2. Collector <-> Measurement Agent . . . . . . . . . . . 28 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 27
8.4.3. Active Measurement Peer <-> Measurement Agent . . . . 28 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 27
8.4.4. Passive Measurement Peer <-> Measurement Agent . . . 29 8.4.4. Active Measurement Peer <-> Measurement Agent . . . . 28
8.4.5. Result Storage and Reporting . . . . . . . . . . . . 30 8.4.5. Passive Measurement Peer <-> Measurement Agent . . . 29
8.4.6. Result Storage and Reporting . . . . . . . . . . . . 29
8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 30 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 30
8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 30 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 30
8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 31 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 30
8.5.3. Correlation and Identification . . . . . . . . . . . 31 8.5.3. Correlation and Identification . . . . . . . . . . . 31
8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 31 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 31
8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 32 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 31
8.6.1. Data Minimization . . . . . . . . . . . . . . . . . . 32 8.6.1. Data Minimization . . . . . . . . . . . . . . . . . . 32
8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 33 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 32
8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 34 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 33
8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 34 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 34
8.7. The potential role of a Group-ID for privacy . . . . . . 34 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 35
11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 37 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 35
12. Informative References . . . . . . . . . . . . . . . . . . . 37 12. Informative References . . . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37
1. Introduction 1. Introduction
There is a desire to be able to coordinate the execution of broadband There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large measurements and the collection of measurement results across a large
scale set of diverse devices. These devices could be software based scale set of diverse devices. These devices could be software based
agents on PCs, embedded agents in consumer devices (e.g. blu-ray agents on PCs, embedded agents in consumer devices (e.g. blu-ray
players), service provider controlled devices such as set-top players players), service provider controlled devices such as set-top players
and home gateways, or simply dedicated probes. It is expected that and home gateways, or simply dedicated probes. It is expected that
such a system could easily comprise 100k devices. Such a scale such a system could easily comprise 100k devices. Such a scale
presents unique problems in coordination, execution and measurement presents unique problems in coordination, execution and measurement
result collection. Several use cases have been proposed for large- result collection. Several use cases have been proposed for large-
scale measurements including: scale measurements including:
o Operators: to help plan their network and identify faults o Operators: to help plan their network and identify faults
o Regulators: to benchmark several network operators and support o Regulators: to benchmark several network operators and support
public policy development public policy development
Further details of the use cases can be found at Further details of the use cases can be found at
[I-D.linsner-lmap-use-cases]. The LMAP framework should be useful [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for
for these, as well as other use cases that the LMAP WG doesn't these, as well as other use cases that the LMAP WG doesn't
concentrate on, such as to help end users run diagnostic checks like concentrate on, such as to help end users run diagnostic checks like
a network speed test. a network speed test.
The LMAP framework has four basic elements: Measurement Agents, The LMAP framework has four basic elements: Measurement Agents,
Measurement Peers, Controllers and Collectors. Measurement Peers, Controllers and Collectors.
Measurement Agents (MAs) perform network measurements. They are Measurement Agents (MAs) perform network measurements. They are
pieces of code that can be executed in specialized hardware (hardware pieces of code that can be executed in specialized hardware (hardware
probe) or on a general-purpose device (like a PC or mobile phone). probe) or on a general-purpose device (like a PC or mobile phone).
The Measurement Agents may have multiple interfaces (WiFi, Ethernet, The Measurement Agents may have multiple interfaces (WiFi, Ethernet,
DSL, fibre, etc.) and the measurements may specify any one of these. DSL, fibre, etc.) and the measurements may specify any one of these.
Measurements may be active (the MA or Measurement Peer (MP) generates Measurements may be active (the MA or Measurement Peer (MP) generates
test traffic), passive (the MA observes user traffic), or some hybrid test traffic), passive (the MA observes user traffic), or some hybrid
form of the two. For active measurement tasks, the MA (or MP) form of the two. For active measurement tasks, the MA (or MP)
generates test traffic and measures some metric associated with its generates test traffic and measures some metric associated with its
transfer over the path to (or from) a Measurement Peer. For example, transfer over the path to (or from) a Measurement Peer. For example,
one active measurement task could be to measure the UDP latency one active measurement task could be to measure the UDP latency
between the MA and a given MP. MAs may also conduct passive testing between the MA and a given MP. MAs may also conduct passive testing
through the observation of traffic. The measurements themselves may through the observation of traffic. The measurements themselves may
skipping to change at page 4, line 28 skipping to change at page 4, line 23
The Controller manages one or more MAs by instructing it which The Controller manages one or more MAs by instructing it which
measurement tasks it should perform and when. For example it may measurement tasks it should perform and when. For example it may
instruct a MA at a home gateway: "Measure the 'UDP latency' with the instruct a MA at a home gateway: "Measure the 'UDP latency' with the
Measurement Peer mp.example.org; repeat every hour at xx.05". The Measurement Peer mp.example.org; repeat every hour at xx.05". The
Controller also manages a MA by instructing it how to report the Controller also manages a MA by instructing it how to report the
measurement results, for example: "Report results once a day in a measurement results, for example: "Report results once a day in a
batch at 4am". We refer to these as the Measurement Schedule and batch at 4am". We refer to these as the Measurement Schedule and
Report Schedule. Report Schedule.
The Collector accepts Reports from the MAs with the results from The Collector accepts Reports from the MAs with the results from
their measurement tasks. Therefore the MA is a device that initiates their measurement tasks. Therefore the MA is a device that gets
the measurement tasks, gets instructions from the Controller and instructions from the Controller initiates the measurement tasks, and
reports to the Collector. reports to the Collector.
There are additional elements that are part of a measurement system, There are additional elements that are part of a measurement system,
but that are out of the scope for LMAP. We provide a detailed but that are out of the scope for LMAP. We provide a detailed
discussion of all the elements in the rest of the document. discussion of all the elements in the rest of the document.
Over the years various efforts inside and outside the IETF have
worked on independent components of such a system. There are also
existing systems that are deployed today. However, these are either
proprietary, closed, and/or not standardized. The IETF Large-Scale
Measurement of Broadband Performance (LMAP) Working Group is
chartered to specify the information model, associated data models,
and select/extend one or more protocols for secure measurement
control and measurement result collection.
The goal is to have the measurements (made using the same metrics and
mechanisms) for a large number of points on the Internet, and to have
the results collected and stored in the same form.
The desirable features for a large-scale measurement systems we are The desirable features for a large-scale measurement systems we are
designing for are: designing for are:
o Standardised - in terms of the tests that they perform, the o Standardised - in terms of the tests that they perform, the
components, the data models and protocols for transferring components, the data models and protocols for transferring
information between the components. For example so that it is information between the components. For example so that it is
meaningful to compare measurements made of the same metric at meaningful to compare measurements made of the same metric at
different times and places. For example so that the operator of a different times and places. For example so that the operator of a
measurement system can buy the various components from different measurement system can buy the various components from different
vendors. Today's systems are proprietary in some or all of these vendors. Today's systems are proprietary in some or all of these
aspects. aspects.
o Large-scale - [I-D.linsner-lmap-use-cases] envisages Measurement o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement
Agents in every home gateway and edge device such as set-top-boxes Agents in every home gateway and edge device such as set-top-boxes
and tablet computers. Existing systems have up to a few thousand and tablet computers. Existing systems have up to a few thousand
Measurement Agents (without judging how much further they could Measurement Agents (without judging how much further they could
scale). scale).
o Diversity - a measurement system should handle different types of o Diversity - a measurement system should handle different types of
Measurement Agent - for example Measurement Agents may come from Measurement Agent - for example Measurement Agents may come from
different vendors, be in wired and wireless networks and be on different vendors, be in wired and wireless networks and be on
devices with IPv4 or IPv6 addresses. devices with IPv4 or IPv6 addresses.
2. Terminology 2. Outline of an LMAP-based measurement system
Figure 1 shows the main components of a measurement system, and the
interactions of those components. Some of the components are outside
the scope of LMAP. In this section we provide an overview on the
whole measurement system and we introduce the main terms needed for
the LMAP framework. The new terms are capitalized. In the next
section we provide a terminology section with a compilation of all
the LMAP terms and their definition. The subsequent sections study
the LMAP components in more detail.
A Measurement Task measures some performance or reliability Metric of
interest. An Active Measurement Task involves either a Measurement
Agent (MA) injecting Test Traffic into the network destined for a
Measurement Peer (MP), and/or a MP sending Test Traffic to a MA; one
of them measures the some parameter associated with the transfer of
the packet(s). A Passive Measurement Task involves only a MA, which
simply observes existing traffic - for example, it could simply count
bytes or it might calculate the average loss for a particular flow.
It is very useful to standardise Measurement Methods (a Measurement
Method is a generalisation of a Measurement Task), so that it is
meaningful to compare measurements of the same Metric made at
different times and places. It is also useful to define a registry
for commonly-used Metrics [I-D.bagnulo-ippm-new-registry-independent]
so that a Measurement Method can be referred to simply by its
identifier in the registry. The Measurement Methods and registry
would hopefully also be referenced by other standards organisations.
In order for a Measurement Agent and a Measurement Peer to execute an
Active Measurement Task, they exchange Active Measurement Traffic.
The protocols used for the Active Measurement Traffic is out of the
scope of the LMAP WG and falls within the scope of other IETF WGs
such as IPPM.
For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be
used but also the set of Measurement Tasks should follow a similar
Measurement Schedule and be of similar number. The details of such a
characterisation plan are beyond the scope of work in IETF although
certainly facilitated by IETF's work.
The next components we consider are the Measurement Agent (MA),
Controller and Collector. The main work of the LMAP working group is
to define the Control Protocol between the Controller and MA, and the
Report Protocol between the MA and Collector. Section 4 onwards
considers the LMAP compnents in more detail; here we introduce them.
The Controller manages a MA by instructing it which Measurement Tasks
it should perform and when. For example it may instruct a MA at a
home gateway: "Run the 'download speed test' with the Measurement
Peer at the end user's first IP point in the network; if the end user
is active then delay the test and re-try 1 minute later, with up to 3
re-tries; repeat every hour at xx.05 + Unif[0,180] seconds". The
Controller also manages a MA by instructing it how to report the
Measurement Results, for example: "Report results once a day in a
batch at 4am + Unif[0,180] seconds; if the end user is active then
delay the report 5 minutes". As well as regular Measurement Tasks, a
Controller can initiate a one-off Measurement Task ("Do measurement
now", "Report as soon as possible"). These are called the
Measurement and Report Schedule.
The Collector accepts a Report from a MA with the results from its
tests. It may also do some processing on the results - for instance
to eliminate outliers, as they can severely impact the aggregated
results.
Finally we introduce several components that are out of scope of the
LMAP WG and will be provided through existing protocols or
applications. They affect how the measurement system uses the
Measurement Results and how it decides what set of Measurement Tasks
to perform.
The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP WG
considers the boostrap process, since it affects the Information
Model. However, it does not define a bootstrap protocol, since it is
likely to be technology specific and could be defined by the
Broadband Forum, DOCSIS or IEEE. depending on the device. Possible
protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management
Protocol (CWMP) from the Auto Configuration Server (ACS) (as
specified in TR-069).
A Subscriber Parameter Database contains information about the line,
for example the customer's broadband contract (perhaps 2, 40 or 80Mb/
s), the line technology (DSL or fibre), the time zone where the MA is
located, and the type of home gateway and MA. These are all factors
which may affect the choice of what Measurement Tasks to run and how
to interpret the Measurement Results. For example, a download test
suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s
line. Another example is if the Controller wants to run a one-off
Measurement Task to diagnose a fault, then it should understand what
problem the customer is experiencing and what Measurement Tasks have
already been run. The Subscribers' service parameters are already
gathered and stored by existing operations systems.
A Results Repository records all measurements in an equivalent form,
for example an SQL database, so that they can be easily accessed by
the Data Analysis Tools. The Data Analysis Tools also need to
understand the Subscriber's service information, for example the
broadband contract.
The Data Analysis Tools receive the results from the Collector or via
the Results Database. They might visualise the data or identify
which component or link is likely to be the cause of a fault or
degradation.
The operator's OAM (Operations, Administration, and Maintenance) uses
the results from the tools.
^
|
IPPM
+---------------+ Test +-------------+ Scope
+------->| Measurement |<---------->| Measurement | v
| | Agent | Traffic | Peer | ^
| +---------------+ +-------------+ |
| ^ | |
| Instruction | | Report |
| | +-----------------+ |
| | | |
| | v LMAP
| +------------+ +------------+ Scope
| | Controller | | Collector | |
| +------------+ +------------+ v
| ^ ^ | ^
| | | | |
| | +----------+ | |
| | | v |
+------------+ +----------+ +--------+ +----------+ |
|Bootstrapper| |Subscriber|--->| Data |<---|Repository| Out
+------------+ |Parameter | |Analysis| +----------+ of
|Database | | Tools | Scope
+----------+ +--------+ |
|
v
Figure 1: Schematic of main elements of an LMAP-based
measurement system
(showing the elements in and out of the scope of the LMAP WG)
3. Terminology
This section defines terminology for LMAP. Please note that defined This section defines terminology for LMAP. Please note that defined
terms are capitalized. terms are capitalized.
Active Measurement Method (Task): A type of Measurement Method (Task) Active Measurement Method (Task): A type of Measurement Method (Task)
that involves a Measurement Agent and a Measurement Peer (or possibly that involves a Measurement Agent and a Measurement Peer (or possibly
Peers), where either the Measurement Agent or the Measurement Peer Peers), where either the Measurement Agent or the Measurement Peer
injects test packet(s) into the network destined for the other, and injects test packet(s) into the network destined for the other, and
which involves one of them measuring some performance or reliability which involves one of them measuring some performance or reliability
parameter associated with the transfer of the packet(s). parameter associated with the transfer of the packet(s).
Bootstrap Protocol: A protocol that initialises a Measurement Agent Bootstrap Protocol: A protocol that initialises a Measurement Agent
with the information necessary to be integrated into a measurement with the information necessary to be integrated into a measurement
system. system.
Capabilities Information: The list of the Measurement Methods that
the MA can perform, plus information about the device hosting the MA
(for example its interface type and speed and its IP address).
Channel: a schedule, a target and the associated security information
for that target. In the case of a Report Channel it is a specific
Report Schedule, a Collector and its associated security information.
Collector: A function that receives a Report from a Measurement Collector: A function that receives a Report from a Measurement
Agent. Colloquially, a Collector is a physical device that performs Agent. Colloquially, a Collector is a physical device that performs
this function. this function.
Controller: A function that provides a Measurement Agent with Controller: A function that provides a Measurement Agent with
Instruction(s). Colloquially, a Controller is a physical device that Instruction(s). Colloquially, a Controller is a physical device that
performs this function. performs this function.
Control Protocol: The protocol delivering Instruction(s) from a Control Protocol: The protocol delivering Instruction(s) from a
Controller to a Measurement Agent. It also delivers logging Controller to a Measurement Agent. It also delivers Failure
information and capabilities information from the Measurement Agent Information and Capabilities Information from the Measurement Agent
to the Controller. to the Controller.
Cycle-ID: A tag that is sent by the Controller in an Instruction and Cycle-ID: A tag that is sent by the Controller in an Instruction and
echoed by the MA in its Report; Measurement Results with the same echoed by the MA in its Report; Measurement Results with the same
Cycle-ID are expected to be comparable. Cycle-ID are expected to be comparable.
Data Model: The implementation of an Information Model in a Data Model: The implementation of an Information Model in a
particular data modelling language. particular data modelling language.
Derived Metric: A Metric that is a combination of other Metrics, and/ Derived Metric: A Metric that is a combination of other Metrics, and/
or a combination of the same Metric measured over different parts of or a combination of the same Metric measured over different parts of
the network, or at different times. the network, or at different times.
Environmental Constraint: A parameter that is measured as part of the Environmental Constraint: A parameter that is measured as part of the
Measurement Task, its value determining whether the rest of the Measurement Task, its value determining whether the rest of the
Measurement Task proceeds. Measurement Task proceeds.
Failure Information: Information about the MA's failure to action or
execute an Instruction, whether concerning Measurement Tasks or
Reporting.
Group-ID: An identifier of a group of MAs. Group-ID: An identifier of a group of MAs.
Information Model: The protocol-neutral definition of the semantics Information Model: The protocol-neutral definition of the semantics
of the Instructions, the Report, the status of the different elements of the Instructions, the Report, the status of the different elements
of the measurement system as well of the events in the system. of the measurement system as well of the events in the system.
Instruction: The description of Measurement Tasks to perform and the Instruction: The description of Measurement Tasks to perform and the
details of the Report to send. The Instruction is sent by a details of the Report to send. The Instruction is sent by a
Controller to a Measurement Agent. Controller to a Measurement Agent.
skipping to change at page 7, line 22 skipping to change at page 10, line 19
Metric: The quantity related to the performance and reliability of Metric: The quantity related to the performance and reliability of
the Internet that we'd like to know the value of, and that is the Internet that we'd like to know the value of, and that is
carefully specified. carefully specified.
Passive Measurement Method (Task): A Measurement Method (Task) in Passive Measurement Method (Task): A Measurement Method (Task) in
which a Measurement Agent observes existing traffic at a specific which a Measurement Agent observes existing traffic at a specific
measurement point, but does not inject test packet(s). measurement point, but does not inject test packet(s).
Report: The Measurement Results and other associated information (as Report: The Measurement Results and other associated information (as
defined by the Instruction); a specific instance of the Data Model. defined by the Instruction). The Report is sent by a Measurement
The Report is sent by a Measurement Agent to a Collector. Agent to a Collector.
Report Channel: a specific Report Schedule and Collector
Report Protocol: The protocol delivering Report(s) from a Measurement Report Protocol: The protocol delivering Report(s) from a Measurement
Agent to a Collector. Agent to a Collector.
Report Schedule: the schedule for sending a series of Reports to a Report Schedule: the schedule for sending a series of Reports to a
Collector. Collector.
Subscriber: An entity (associated with one or more users) that is Subscriber: An entity (associated with one or more users) that is
engaged in a subscription with a service provider. The subscriber is engaged in a subscription with a service provider. The subscriber is
allowed to subscribe and un-subscribe services, to register a user or allowed to subscribe and un-subscribe services, and to register a
a list of users authorized to enjoy these services, and also to set user or a list of users authorized to enjoy these services. [Q1741]
the limits relative to the use that associated users make of these Both the subscriber and service provider are allowed to set the
services. (This definition is from [Q1741].) limits relative to the use that associated users make of subscribed
services.
Test Traffic: for Active Measurement Tasks, the traffic generated by
the Measurement Agent and/or the Measurement Peer to execute the
requested Measurement Task.
3. Outline of an LMAP-based measurement system
Figure 1 shows the main components of a measurement system, and the
interactions of those components. Some of the components are outside
the scope of LMAP. In this section we provide an overview on the
whole measurement system, whilst the subsequent sections study the
LMAP components in more detail.
The first component is a Measurement Task, which measures some
performance or reliability Metric of interest. An Active Measurement
Task involves either a Measurement Agent injecting Test Traffic into
the network destined for a Measurement Peer, and/or a MP sending Test
Traffic to a MA; one of them measures the some parameter associated
with the transfer of the packet(s). A Passive Measurement Task
involves only a MA, which simply observes existing traffic - for
example, it could simply count bytes or it might calculate the
average loss for a particular flow.
It is very useful to standardise Measurement Methods (a Measurement
Method is a generalisation of a Measurement Task), so that it is
meaningful to compare measurements of the same Metric made at
different times and places. It is also useful to define a registry
for commonly-used Metrics [registry] so that a Measurement Method can
be referred to simply by its identifier in the registry. The
Measurement Methods and registry would hopefully also be referenced
by other standards organisations.
In order for a Measurement Agent and a Measurement Peer to execute an
Active Measurement Task, they exchange Test Traffic. The protocols
used for the Test Traffic is out of the scope of the LMAP WG and
falls within the scope of the IETF WGs such as IPPM.
For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be
used but also the set of Measurement Tasks should follow a similar
Measurement Schedule and be of similar number. The details of such a
characterisation plan are beyond the scope of work in IETF although
certainly facilitated by IETF's work.
The next components we consider are the Measurement Agent (MA),
Controller and Collector. The main work of the LMAP working group is
to define the Control Protocol between the Controller and MA, and the
Report Protocol between the MA and Collector. Section 4 onwards
considers the LMAP compnents in more detail; here we introduce them.
The Controller manages a MA by instructing it which tests it should
perform and when. For example it may instruct a MA at a home
gateway: "Run the 'download speed test' with the test server at the
end user's first IP point in the network; if the end user is active
then delay the test and re-try 1 minute later, with up to 3 re-tries;
repeat every hour at xx.05 + Unif[0,180] seconds". The Controller
also manages a MA by instructing it how to report the test results,
for example: "Report results once a day in a batch at 4am +
Unif[0,180] seconds; if the end user is active then delay the report
5 minutes". As well as regular tests, a Controller can initiate a
one-off test ("Do test now", "Report as soon as possible"). These
are called the Measurement and Report Schedule.
The Collector accepts a Report from a MA with the results from its
tests. It may also do some processing on the results - for instance
to eliminate outliers, as they can severely impact the aggregated
results.
Finally we introduce several components that are out of scope of the
LMAP WG and will be provided through existing protocols or
applications. They affect how the measurement system uses the
Measurement Results and how it decides what set of Measurement Tasks
to perform.
The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP WG
considers the boostrap process, since it affects the Information
Model. However, it does not define a bootstrap protocol, since it is
likely to be technology specific and could be defined by the
Broadband Forum, DOCSIS or IEEE. depending on the device. Possible
protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management
Protocol (CWMP) from the Auto Configuration Server (ACS) (as
specified in TR-069).
A Subscriber Parameter Database contains information about the line,
for example the customer's broadband contract (perhaps 2, 40 or 80Mb/
s), the line technology (DSL or fibre), the time zone where the MA is
located, and the type of home gateway and MA. These are all factors
which may affect the choice of what Measurement Tasks to run and how
to interpret the Measurement Results. For example, a download test
suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s
line. Another example is if the Controller wants to run a one-off
test to diagnose a fault, then it should understand what problem the
customer is experiencing and what tests have already been run. The
Subscribers' service parameters are already gathered and stored by
existing operations systems.
A Results Database records all measurements in an equivalent form,
for example an SQL database, so that they can be easily accessed by
the Data Analysis Tools. The Data Analysis Tools also need to
understand the Subscriber's service information, for example the
broadband contract.
The Data Analysis Tools receive the results from the Collector or via
the Results Database. They might visualise the data or identify
which component or link is likely to be the cause of a fault or
degradation.
The operator's OAM (Operations, Administration, and Maintenance) uses
the results from the tools.
^
|
IPPM
+---------------+ Test +-------------+ Scope
+------->| Measurement |<---------->| Measurement | v
| | Agent | Traffic | Peer | ^
| +---------------+ +-------------+ |
| ^ | |
| Instruction | | Report |
| | +-----------------+ |
| | | |
| | v LMAP
| +------------+ +------------+ Scope
| | Controller | | Collector | |
| +------------+ +------------+ v
| ^ ^ | ^
| | | | |
| | +----------+ | |
| | | v |
+-----------+ +---------+ +--------+ +----------+ |
|Initializer| |Parameter|--->|Analysis|<---|Repository| Out
+-----------+ |DataBase | | tools | +----------+ of
+---------+ +--------+ Scope
|
v
Figure 1: Schematic of main elements of an LMAP-based Active Measurement Traffic: for Active Measurement Tasks, the traffic
measurement system generated by the Measurement Agent and/or the Measurement Peer to
(showing the elements in and out of the scope of the LMAP WG) execute the requested Measurement Task.
4. Constraints 4. Constraints
The LMAP framework makes some important assumptions, which constrain The LMAP framework makes some important assumptions, which constrain
the scope of the work to be done. the scope of the work to be done.
4.1. Measurement system is under the direction of a single organisation 4.1. Measurement system is under the direction of a single organisation
In the LMAP framework (as defined in the WG's charter) the In the LMAP framework, the measurement system is under the direction
measurement system is under the direction of a single organisation of a single organisation that is responsible both for the data and
that is responsible both for the data and the quality of experience the quality of experience delivered to its users. Clear
delivered to its users. Clear responsibility is critical given that responsibility is critical given that a misbehaving large-scale
a misbehaving large-scale measurement system could potentially harm measurement system could potentially harm user experience, user
user experience, user privacy and network security. privacy and network security.
However, the components of an LMAP measurement system can be deployed However, the components of an LMAP measurement system can be deployed
in administrative domains that are not owned by the measuring in administrative domains that are not owned by the measuring
organisation. Thus, the system of functions deployed by a single organisation. Thus, the system of functions deployed by a single
organisation constitutes a single LMAP domain which may span organisation constitutes a single LMAP domain which may span
ownership or other administrative boundaries. ownership or other administrative boundaries.
4.2. Each MA may only have a single Controller at any point in time 4.2. Each MA may only have a single Controller at any point in time
A MA is instructed by one Controller and is in one measurement A MA is instructed by one Controller and is in one measurement
skipping to change at page 12, line 14 skipping to change at page 11, line 50
o a bootstrapping process before the MA can take part in the three o a bootstrapping process before the MA can take part in the three
items below items below
o a Control Protocol, which delivers an Instruction from a o a Control Protocol, which delivers an Instruction from a
Controller and a MA. The Instruction details what Measurement Controller and a MA. The Instruction details what Measurement
Tasks the MA should perform and when, and how it should report the Tasks the MA should perform and when, and how it should report the
Measurement Results Measurement Results
o the actual Measurement Tasks are performed. An Active Measurement o the actual Measurement Tasks are performed. An Active Measurement
Task involves sending test traffic between the Measurement Agent Task involves sending Active Measurement Traffic between the
and a Measurement Peer, whilst a Passive Measurement Task involves Measurement Agent and a Measurement Peer, whilst a Passive
(only) the Measurement Agent observing existing user traffic. The Measurement Task involves (only) the Measurement Agent observing
LMAP WG does not define Measurement Methods, however the IPPM WG existing user traffic. The LMAP WG does not define Measurement
does. Methods, however the IPPM WG does.
o a Report Protocol, which delivers a Report from the MA to a o a Report Protocol, which delivers a Report from the MA to a
Collector. The Report contains the Measurement Results. Collector. The Report contains the Measurement Results.
In the diagrams the following convention is used: In the diagrams the following convention is used:
o (optional): indicated by round brackets o (optional): indicated by round brackets
o [potentially repeated]: indicated by square brackets o [potentially repeated]: indicated by square brackets
The Protocol Model is closely related to the Information Model, which The Protocol Model is closely related to the Information Model
is the abstract definition of the information carried by the protocol [I-D.burbridge-lmap-information-model], which is the abstract
model. The purpose of both is to provide a protocol and device definition of the information carried by the protocol model. The
independent view, which can be implemented via specific protocols. purpose of both is to provide a protocol and device independent view,
The LMAP WG will define a specific Control Protocol and Report which can be implemented via specific protocols. The LMAP WG will
Protocol, but other Protocols could be defined by other standards define a specific Control Protocol and Report Protocol, but other
bodies or be proprietary. However it is important that they all Protocols could be defined by other standards bodies or be
implement the same Information and Protocol Model, in order to ease proprietary. However it is important that they all implement the
the definition, operation and interoperability of large-scale same Information and Protocol Model, in order to ease the definition,
measurement systems. operation and interoperability of large-scale measurement systems.
The diagrams show the flow of LMAP information, however there may
need to be other protocol interactions. For example, typically the
MA is behind a NAT, so it needs to initiate communications in order
that the Controller can communicate with it. The communications
channel also needs to be secured before it is used. Another example
is that the Collector may want to 'pull' Measurement Results from a
MA.
5.1. Bootstrapping process 5.1. Bootstrapping process
The primary purpose of bootstrapping is to enable the MA and The primary purpose of bootstrapping is to enable the MA and
Controller to be integrated into a measurement system. In order to Controller to be integrated into a measurement system. In order to
do that, the MA needs to retrieve information about itself (like its do that, the MA needs to retrieve information about itself (like its
identity in the measurement system), about the Controller and the identity in the measurement system), about the Controller and the
Collector(s) as well as security information (such as certificates Collector(s) as well as security information (such as certificates
and credentials). and credentials).
skipping to change at page 13, line 4 skipping to change at page 12, line 48
Controller to be integrated into a measurement system. In order to Controller to be integrated into a measurement system. In order to
do that, the MA needs to retrieve information about itself (like its do that, the MA needs to retrieve information about itself (like its
identity in the measurement system), about the Controller and the identity in the measurement system), about the Controller and the
Collector(s) as well as security information (such as certificates Collector(s) as well as security information (such as certificates
and credentials). and credentials).
+--------------+ +--------------+
| Measurement | | Measurement |
| Agent | | Agent |
+--------------+ +--------------+
(Initial Controller details: (Initial Controller details:
address or FQDN, -> address or FQDN, ->
security credentials) security credentials, MA-ID)
+-----------------+ +-----------------+
| Initial | | Initial |
| Controller | | Controller |
+-----------------+ +-----------------+
<- (register) <- (register)
Controller details: Controller details:
address or FQDN, -> address or FQDN, ->
security credentials security credentials
+-----------------+ +-----------------+
| | | |
| Controller | | Controller |
+-----------------+ +-----------------+
<- register <- register
MA-ID, (Group-ID, report?) -> (MA-ID, Group-ID, report?) ->
Typically the MA is behind a NAT, so needs to initiate
communications, in order that the Controller can communicate with it.
The normal NAT interactions are not shown in the figure.
The MA knows how to contact a Controller through some device /access The MA knows how to contact a Controller through some device /access
specific mechanism. For example, this could be in the firmware, specific mechanism. For example, this could be in the firmware,
downloaded, manually configured or via a protocol like TR-069. The downloaded, manually configured or via a protocol like TR-069. The
Controller could either be the one that will send it Instructions Controller could either be the one that will send it Instructions
(see next sub-section) or else an initial Controller. The role of an (see next sub-section) or else an initial Controller. The role of an
initial Controller is simply to inform the MA how to contact its initial Controller is simply to inform the MA how to contact its
actual Controller; this could be useful, for example, for load actual Controller; this could be useful, for example: for load
balancing or if the details of the initial Controller are statically balancing; if the details of the initial Controller are statically
configured or if the measurement system has specific Controllers for configured; if the measurement system has specific Controllers for
different devices types. When the MA registers with the Controller different devices types; or perhaps as a way of handling failure of
it learns its MA identifier; it may also be told a Group-ID and the Controller.
whether to include the MA-ID as well as the Group-ID in its Reports.
A Group-ID would be shared by several MAs and could be useful for If the MA has not learnt its identifier (MA-ID) while bootstrapping,
privacy reasons (for instance to hinder tracking of a mobile MA it will do so when the MA registers with the Controller; it may also
device). The MA may also tell the Controller the list of Measurement be told a Group-ID and whether to include the MA-ID as well as the
Methods that its capable of (see next sub-section). Group-ID in its Reports. A Group-ID would be shared by several MAs
and could be useful for privacy reasons (for instance to hinder
tracking of a mobile MA device). The MA may also tell the Controller
its Capabilities (such as the Measurement Methods it can perform)
(see next sub-section).
If the device with the MA re-boots, then the MA need to re-register,
so that it can receive a new Instruction. To avoid a "mass calling
event" after a widespread power restoration affecting many MAs, it is
sensible for an MA to pause for a random delay (perhaps in the range
of one minute) before re-registering.
Whilst the LMAP WG considers the bootstrapping process, it is out of Whilst the LMAP WG considers the bootstrapping process, it is out of
scope to define a bootstrap mechanism, as it depends on the type of scope to define a bootstrap mechanism, as it depends on the type of
device and access. device and access.
Open issue: what happens if a Controller fails, how is the MA is
homed onto a new one?
5.2. Control Protocol 5.2. Control Protocol
The primary purpose of the Control Protocol is to allow the The primary purpose of the Control Protocol is to allow the
Controller to configure a Measurement Agent with Measurement Controller to configure a Measurement Agent with Measurement
Instructions, which it then acts on autonomously. Instructions, which it then acts on autonomously.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |===================================| Agent | | Controller |===================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
(Capability request) ->
<- List of Measurement
Methods
ACK ->
Instruction: Instruction:
[(Measurement Task (parameters)), -> [(Measurement Task (parameters)), ->
(Measurement Schedule), (Measurement Schedule),
(Report Channel(s))] (Report Channel(s))]
<- ACK <- ACK
(Capability request) ->
<- List of Measurement
Methods
ACK ->
Suppress -> Suppress ->
<- ACK
Un-suppress ->
<- ACK
<- Failure report: <- Failure report:
(reason) [reason]
ACK -> ACK ->
The Instruction contains: The Instruction contains:
o what measurements to do: the Measurement Methods could be defined o what Measurement Tasks to do: the Measurement Methods could be
by reference to a registry entry, along with any parameters that defined by reference to a registry entry, along with any
need to be set (such as the address of the Measurement Peer) and parameters that need to be set (such as the address of the
any Environmental Constraint (such as, 'delay the test if the end Measurement Peer) and any Environmental Constraint (such as,
user is active') 'delay the measurement task if the end user is active')
o when to do them: the Measurement Schedule details the timings of o when to do them: the Measurement Schedule details the timings of
regular tests, one-off tests regular measurement tasks, one-off measurement tasks
o how to report the Measurement Results: via Reporting Channel(s), o how to report the Measurement Results: via Reporting Channel(s),
each of which defines a target Collector and Report Schedule each of which defines a target Collector and Report Schedule
An Instruction could contain one or more of the above elements, since An Instruction could contain one or more of the above elements, since
the Controller may want the MA to perform several different the Controller may want the MA to perform several different
Measurement Tasks (measure UDP latency and download speed), at Measurement Tasks (measure UDP latency and download speed), at
several frequencies (a regular test every hour and a one-off test several frequencies (a regular test every hour and a one-off test
immediately), and report to several Collectors. The different immediately), and report to several Collectors. The different
elements can be updated independently at different times and elements can be updated independently at different times and
regularities, for example it is likely that the Measurement Schedule regularities, for example it is likely that the Measurement Schedule
will be updated more often than the other elements. will be updated more often than the other elements.
A new Instruction replaces (rather than adds to) those elements that
it includes. For example, if the new Instruction includes (only) a
Measurement Schedule, then that replaces the old Measurement Schedule
but does not alter the configuration of the Measurement Tasks and
Report Channels.
If the Instruction includes several Measurement Tasks, these could be
scheduled to run at different times or possibly at the same time -
some Tasks may be compatible, in that they do not affect each other's
Results, whilst with others great care would need to be taken.
A Measurement Task may create more than one Measurement Result. For
example, one Result could be reported periodically, whilst another
could be an alarm that is reported immediately a the measured value
of a Metric goes below a threshold.
In general we expect that the Controller knows what Measurement In general we expect that the Controller knows what Measurement
Methods the MA supports, such that the Controller can correctly Methods the MA supports, such that the Controller can correctly
instruct the MA. Note that the Control Protocol does not allow instruct the MA. Note that the Control Protocol does not allow
negotiation (which would add complexity to the MA, Controller and negotiation (which would add complexity to the MA, Controller and
Control Protocol for little benefit). Control Protocol for little benefit).
The MA can send to the Controller the complete list of Measurement However, the Control protocol includes a Capabilities detection
Methods that it is capable of. Note that it is not intended to feature, through which the MA can send to the Controller the complete
indicate dynamic capabilities like the MA's currently unused CPU, list of Measurement Methods that it is capable of. Note that it is
memory or battery life. The list of Measurement Methods could be not intended to indicate dynamic capabilities like the MA's currently
useful in several circumstances: when the MA first communicates with unused CPU, memory or battery life. The list of Measurement Methods
a Controller; when the MA becomes capable of a new Measurement could be useful in several circumstances: when the MA first
Method; when requested by the Controller (for example, if the communicates with a Controller; when the MA becomes capable of a new
Controller forgets what the MA can do or otherwise wants to Measurement Method; when requested by the Controller (for example, if
the Controller forgets what the MA can do or otherwise wants to
resynchronize what it knows about the MA). resynchronize what it knows about the MA).
The Controller has the ability to send a "suppress" message to MAs. The Controller has the ability to send a "suppress" message to MAs.
This could be useful if there is some unexpected network issue and so This could be useful if there is some unexpected network issue and so
the measurement system wants to eliminate inessential traffic. As a the measurement system wants to eliminate inessential traffic. As a
result, temporarily the MA does not start new Active Measurement result, temporarily the MA does not start new Active Measurement
Tasks, and it may also stop in-progress Measurement Tasks, especially Tasks, and it may also stop in-progress Measurement Tasks, especially
ones that are long-running &/or creates a lot of traffic. See the ones that are long-running &/or create a lot of traffic. See the
next section for more information on stopping Measuremet Tasks. next section for more information on stopping Measurement Tasks.
Note that if a Controller wants to permanently stop a Measurement
Task, it should send a new Measurement Schedule, as suppression is
intended to temporarily stop Tasks. The Controller can send an "un-
suppress" message to indicate that the temporary problem is solved
and Active Measurement Tasks can begin again.
The figure shows that the various messages are acknowledged, which The figure shows that the various messages are acknowledged, which
means that they have been delivered successfully. However, the means that they have been delivered successfully.
"suppress" message is not acknowledged, since it is likely to be
broadcast to several /many MAs at a time when the measurement system
wants to eliminate inessential traffic. Note also that the MA does
not inform the Controller about Measurement Tasks starting and
stopping.
There is no need for the MA to confirm to the Controller that it has There is no need for the MA to confirm to the Controller that it has
understood and acted on the Instruction, since the Controller knows understood and acted on the Instruction, since the Controller knows
the capabilities of the MA. However, the Control Protocol must the capabilities of the MA. However, the Control Protocol must
support robust error reporting by the MA, to provide the Controller support robust error reporting by the MA, to provide the Controller
with sufficiently detailed reasons for any failures. There are two with sufficiently detailed reasons for any failures. These could
broad categories of failure: the MA cannot action the Instruction concern either the Measurement Tasks and Schedules, or the Reporting.
(for example, it doesn't include a parameter that is mandatory for In both cases there are two broad categories of failure. Firstly,
the requested Measurement Method); or the Measurement Task could not the MA cannot action the Instruction (for example, it doesn't include
be executed (for example, the MA unexpectedly has no spare CPU a parameter that is mandatory for the requested Measurement Method;
cycles). Note that it is not considered a failure if a Measurement or it is missing details of the target Collector). Secondly, the MA
Task (correctly) doesn't start - for example if the MA detects cross- cannot execute the Measurement Task or deliver the Report (for
traffic; instead this is reported to the Collector in the normal example, the MA unexpectedly has no spare CPU cycles; or the
manner (see Section below). Collector is not responding). Note that it is not considered a
failure if a Measurement Task (correctly) doesn't start - for example
Comment: the detailed list of reasons below would be more appropriate if the MA detects cross-traffic; instead this is reported to the
in the Information Model i-d. Collector in the normal manner.
o no value for a mandatory parameter
o time of test is in past
o type wrong, eg string given where expect integer
o Schedule refers to a Measurement configuration or Report Channel
that doesn't exist
o MA has crashed
o MA doesn't (any longer) understand requested Method
o MA has run out of CPU, memory, battery power
o Collector has disappeared
o MP has disappeared
Finally, note that the MA doesn't do a 'safety check' with the Finally, note that the MA doesn't do a 'safety check' with the
Controller (that it should still continue with the requested Controller (that it should still continue with the requested
Measurement Tasks) - it simply carries out the Measurement Tasks as Measurement Tasks) - nor does it inform the Controller about
instructed, unless it gets an updated Instruction. Measurement Tasks starting and stopping. It simply carries out the
Measurement Tasks as instructed, unless it gets an updated
Instruction.
The LMAP WG will define a Control Protocol and its associated Data The LMAP WG will define a Control Protocol and its associated Data
Model that implements the Protocol & Information Model. This may be Model that implements the Protocol & Information Model. This may be
a simple instruction - response protocol, and LMAP will specify how a simple instruction - response protocol, and LMAP will specify how
it operates over an existing protocol -to be selected, perhaps REST- it operates over an existing protocol - to be selected, perhaps REST-
style HTTP(s) or NETCONF-YANG. style HTTP(s) or NETCONF-YANG.
5.3. Starting and stopping Measurement Tasks 5.3. Starting and stopping Measurement Tasks
The LMAP WG is neutral to what the actual Measurement Task is. The The LMAP WG is neutral to what the actual Measurement Task is. The
WG does not define a generic start and stop process, since the WG does not define a generic start and stop process, since the
correct approach depend on the particular Measurement Task; the correct approach depend on the particular Measurement Task; the
details are defined as part of each Measurement Method, and hence details are defined as part of each Measurement Method, and hence
potentially by the IPPM WG. potentially by the IPPM WG.
Once the MA gets its Measurement and Report Schedules from its Once the MA gets its Measurement and Report Schedules from its
Controller then it acts autonomously, in terms of operation of the Controller then it acts autonomously, in terms of operation of the
Measurement Tasks and reporting of the result. One implication is Measurement Tasks and reporting of the result. One implication is
that the MA initiates Measurement Tasks. Therefore for the common that the MA initiates Measurement Tasks. As an example, for the
case where the MA is on a home gateway, the MA initiates a 'download common case where the MA is on a home gateway, the MA initiates a
speed test' by asking a Measurement Peer to send the file. 'download speed test' by asking a Measurement Peer to send the file.
Many Active Measurement Tasks begin with a pre-check before the test Many Active Measurement Tasks begin with a pre-check before the test
traffic is sent. Action could include: traffic is sent. Action could include:
o the MA checking that there is no cross-traffic (ie that the user o the MA checking that there is no cross-traffic (ie that the user
isn't already sending traffic); isn't already sending traffic);
o the MA checking with the Measurement Peer that it can handle a new o the MA checking with the Measurement Peer that it can handle a new
Measurement Task (in case the MP is already handling many Measurement Task (in case the MP is already handling many
Measurement Tasks with other MAs); Measurement Tasks with other MAs);
skipping to change at page 17, line 36 skipping to change at page 17, line 36
Task, especially one that is long-running &/or creates a lot of Test Task, especially one that is long-running &/or creates a lot of Test
Traffic, which may be abandoned whilst in-progress. A Measurement Traffic, which may be abandoned whilst in-progress. A Measurement
Task could also be abandoned in response to a "suppress" message (see Task could also be abandoned in response to a "suppress" message (see
previous section). Action could include: previous section). Action could include:
o For 'upload' tests, the MA not sending traffic o For 'upload' tests, the MA not sending traffic
o For 'download' tests, the MA closing the TCP connection or sending o For 'download' tests, the MA closing the TCP connection or sending
a TWAMP Stop control message. a TWAMP Stop control message.
Comment: presumably Passive Measurement Tasks don't do pre-checking The Controller may want a MA to run the same Measurement Task
or stopping? indefinitely (for example, "run the 'upload speed' Measurement Task
once an hour until further notice"). To avoid the MA generating
traffic forever after a Controller has permanently failed, it is
suggested that the Measurement Schedule includes a time limit ("run
the 'upload speed' Measurement Task once an hour for the next 30
days") and that the Measurement Schedule is updated regularly (say,
every 10 days).
5.4. Report Protocol 5.4. Report Protocol
The primary purpose of the Report Protocol is to allow a Measurement The primary purpose of the Report Protocol is to allow a Measurement
Agent to report its Measurement Results to a Collector, and the Agent to report its Measurement Results to a Collector, and the
context in which they were obtained. context in which they were obtained.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Collector |===================================| Agent | | Collector |===================================| Agent |
skipping to change at page 18, line 20 skipping to change at page 18, line 26
The Report contains: The Report contains:
o the MA's identifier, or perhaps a Group-ID to anonymise results o the MA's identifier, or perhaps a Group-ID to anonymise results
o the actual Measurement Results, including the time they were o the actual Measurement Results, including the time they were
measured measured
o the details of the Measurement Task (to avoid the Collector having o the details of the Measurement Task (to avoid the Collector having
to ask the Controller for this information later) to ask the Controller for this information later)
Depending on the requirements of the measurement system, the MA might The MA may report the Results to more than one Collector, if the
label, or perhaps not include, Measurement Results impacted by for Instruction says so. It could also report a different subset of
instance cross-traffic or the MP being busy. If applicable the Results to different Collectors.
Measurement Report includes the start and end of suppression.
The MA may report the results to more than one Collector, if the Optionally, a Report is not sent when there are no Measurement
Instruction says so. It could report a different subset of Results Results.
to different Collectors.
In the initial LMAP Information Model and Report Protocol, for
simplicity we assume that all Measurement Results are reported as-is,
but allow extensibility so that a measurement system (or perhaps a
second phase of LMAP) could allow a MA to pre-process Measurement
Results before it reports them. Potential examples of pre-processing
by the MA are:
o labelling, or perhaps not including, Measurement Results impacted
by for instance cross-traffic or the MP being busy
o detailing the start and end of suppression
o filtering outlier Results
o calculating some statistic like average (beyond that defined by
the Measurement Task itself)
The measurement system may define what happens if a Collector
unexpectedly does not hear from a MA. Possible solutions could
include the ability for a Collector to 'pull' Measurement Results
from a MA, or (after an out-of-scope indication from the Collector to
the Controller) for the Controller to send a fresh Report Schedule to
the MA. The measurement system also needs to consider carefully how
to interpret missing Results; for example, if the missing Results are
ignored and the lack of a Report is caused by its broadband being
broken, then the estimate of overall performance, averaged across all
MAs, would be too optimistic.
The LMAP WG will define a Report Protocol and its associated Data The LMAP WG will define a Report Protocol and its associated Data
Model that implements the Protocol & Information Model. This may be Model that implements the Protocol & Information Model. This may be
a simple instruction - response protocol, and LMAP will specify how a simple instruction - response protocol, and LMAP will specify how
it operates over an existing protocol - to be selected, perhaps REST- it operates over an existing protocol - to be selected, perhaps REST-
style HTTP(s) or IPFIX. style HTTP(s) or IPFIX.
5.5. Items beyond the scope of the LMAP Protocol Model 5.5. Items beyond the scope of the LMAP Protocol Model
There are several potential interactions between LMAP elements that There are several potential interactions between LMAP elements that
skipping to change at page 20, line 15 skipping to change at page 20, line 42
considerations. considerations.
In both cases there will be some way for the user to initiate the In both cases there will be some way for the user to initiate the
Measurement Task(s). The mechanism is out-of-scope of the LMAP WG, Measurement Task(s). The mechanism is out-of-scope of the LMAP WG,
but could include the user clicking a button on a GUI or sending a but could include the user clicking a button on a GUI or sending a
text message. Presumably the user will also be able to see the text message. Presumably the user will also be able to see the
Measurement Results, perhaps summarised on a webpage. It is Measurement Results, perhaps summarised on a webpage. It is
suggested that these interfaces conform to the LMAP guidance on the suggested that these interfaces conform to the LMAP guidance on the
privacy of the Measurement Results and Subscriber information. privacy of the Measurement Results and Subscriber information.
6. Details of the LMAP framework 6. MA Deployment considerations
This section contains a more detailed discussion of the four The Measurement Agent could take a number of forms: a dedicated
components of the LMAP framework. probe, software on a PC, embedded into an appliance, or even embedded
into a gateway. A single site (home, branch office etc.) that is
participating in a measurement could make use of one or multiple
Measurement Agents in a single measurement e.g., if there are
multiple output interfaces, there might be a Measurement Agent per
interface.
6.1. Measurement Agent (MA) The Measurement Agent could be deployed in a variety of locations.
Not all deployment locations are available to every kind of
Measurement Agent operator. There are also a variety of limitations
and trade-offs depending on the final placement. The next sections
outline some of the locations a Measurement Agent may be deployed.
This is not an exhaustive list and combinations of the below may also
apply.
The Measurement Agent is the component that is responsible for 6.1. Measurement Agent embedded in site gateway
executing the Measurement Tasks. The Measurement Agent could take a
number of forms: a dedicated probe, software on a PC, embedded into
an appliance, or even embedded into a gateway. A single site (home,
branch office etc.) that is participating in a measurement could make
use of one or multiple Measurement Agents in a single measurement
e.g., if there are multiple output interfaces, there might be a
Measurement Agent per interface. The Measurement Agent's
configuration (specifically which Controller to initially connect
to), is out of scope within LMAP. However, depending on the type of
probe, it could be manually configured by the user, pre-configured
before shipment to the end user, or configured by the application (in
the case of some PC based Measurement Agents). For example, a
Measurement Agent that is included in the app for a content provider
might be configured automatically by the content provider to use the
content provider's LMAP Controller. That said, there should be an
element of local premises configuration that allows the Measurement
Agent (especially in the case of Active Measurements Tasks) to mimic
performance of user applications at the same site. For example,
making use of the same DNS server as the remainder of the site. The
Measurement Agent could be deployed in a variety of locations. Not
all deployment locations are available to every kind of Measurement
Agent operator. There are also a variety of limitations and trade-
offs depending on the final placement. The next sections outline
some of the locations a Measurement Agent may be deployed. This is
not an exhaustive list and combinations of the below may also apply.
6.1.1. Measurement Agent embedded in site gateway
A Measurement Agent embedded with the site gateway (e.g. in the case A Measurement Agent embedded with the site gateway (e.g. in the case
of a a branch office in a managed service environment) is one of of a a branch office in a managed service environment) is one of
better places the Measurement Agent could be deployed. All site to better places the Measurement Agent could be deployed. All site to
ISP traffic would traverse through the gateway and passive ISP traffic would traverse through the gateway and passive
measurements could easily be performed. Similarly, due to this user measurements could easily be performed. Similarly, due to this user
traffic visibility, an Active Measurements Task could be rescheduled traffic visibility, an Active Measurements Task could be rescheduled
so as not to compete with user traffic. Generally NAT and firewall so as not to compete with user traffic. Generally NAT and firewall
services are built into the gateway, allowing the Measurement Agent services are built into the gateway, allowing the Measurement Agent
the option to offer its Controller facing management interface the option to offer its Controller facing management interface
outside of the NAT/firewall. This placement of the management outside of the NAT/firewall. This placement of the management
interface allows the Controller to unilaterally contact the interface allows the Controller to unilaterally contact the
Measurement Agent for instructions. However, if the site gateway is Measurement Agent for instructions. However, if the site gateway is
owned and operated by the service provider, the Measurement Agent owned and operated by the service provider, the Measurement Agent
will generally not be available for over the top providers, the will generally not be available for over the top providers, the
regulator, end users or enterprises. regulator, end users or enterprises.
6.1.2. Measurement Agent embedded behind Site NAT /Firewall 6.2. Measurement Agent embedded behind Site NAT /Firewall
The Measurement Agent could also be embedded behind a NAT, a The Measurement Agent could also be embedded behind a NAT, a
firewall, or both. In this case the Controller may not be able to firewall, or both. In this case the Controller may not be able to
unilaterally contact the Measurement Agent unless either static port unilaterally contact the Measurement Agent unless either static port
forwarding configuration or firewall pin holing is configured. This forwarding configuration or firewall pin holing is configured. This
would require user intervention, and ultimately might not be an would require user intervention, and ultimately might not be an
option available to the user (perhaps due to permissions). The option available to the user (perhaps due to permissions). The
Measurement Agent may originate a session towards the Controller and Measurement Agent may originate a session towards the Controller and
maintain the session for bidirectional communications. This would maintain the session for bidirectional communications. This would
alleviate the need to have user intervention on the gateway, but alleviate the need to have user intervention on the gateway, but
would reduce the overall scalability of the Controller as it would would reduce the overall scalability of the Controller as it would
have to maintain a higher number of active sessions. That said, have to maintain a higher number of active sessions. That said,
sending keepalives to prop open the firewall could serve a dual sending keepalives to prop open the firewall could serve a dual
purpose in testing network reachability for the Measurement Agent. purpose in testing network reachability for the Measurement Agent.
An alternative would be to use a protocol such as UPnP or PCP An alternative would be to use a protocol such as UPnP or PCP
[RFC6887] to control the NAT/firewall if the gateway supports this [RFC6887] to control the NAT/firewall if the gateway supports this
kind of control. kind of control.
6.1.3. Measurement Agent in-line with site gateway 6.3. Measurement Agent in multi homed site
As mentioned earlier, there are benefits in the Measurement Agent's
ability to observe the site's user traffic. It allows the
Measurement Agent to back off a potentially disruptive Active
Measurements Task to avoid impacting the user. A Passive
Measurements Task allows the Measurement Agent to gather data without
the overhead of Test Traffic (of interest to both the site user and
network operator) as well as potentially provide a greater number of
samples. A Measurement Agent behind the gateway would generally not
be privy to observation of the user traffic unless the Measurement
Agent was placed in-line with the site gateway or the site gateway
traffic was replicated to the Measurement Agent (a capability
generally not found in home broadband gateways).
6.1.4. Measurement Agent in multi homed site
A broadband site may be multi-homed. For example, the site may be A broadband site may be multi-homed. For example, the site may be
connected to multiple broadband ISPs (perhaps for redundancy or load- connected to multiple broadband ISPs (perhaps for redundancy or load-
sharing), or have a broadband as well as mobile/WiFi connectivity. sharing), or have a broadband as well as mobile/WiFi connectivity.
It may also be helpful to think of dual stack IPv4 and IPv6 broadband It may also be helpful to think of dual stack IPv4 and IPv6 broadband
sites as multi-homed. In these cases, there needs to be clarity on sites as multi-homed. In these cases, there needs to be clarity on
which network connectivity option is being measured. Sometimes this which network connectivity option is being measured. Sometimes this
is easily resolved by the location of the MA itself. For example, if is easily resolved by the location of the MA itself. For example, if
the MA is built into the gateway (and the gateway only has a single the MA is built into the gateway (and the gateway only has a single
WAN side interface), there is little confusion or choice. However, WAN side interface), there is little confusion or choice. However,
for multi-homed gateways or devices behind the gateway(s) of multi- for multi-homed gateways or devices behind the gateway(s) of multi-
homed sites it would be preferable to explicitly select the network homed sites it would be preferable to explicitly select the network
to measure (e.g. [RFC5533]) but the network measured should be to measure (e.g. [RFC5533]) but the network measured should be
included in the Measurement Result. Section 3.2 of [I-D.ietf- included in the Measurement Result. Section 3.2 of
homenet-arch] describes dual-stack and multi-homing topologies that [I-D.ietf-homenet-arch] describes dual-stack and multi-homing
might be encountered in a home network (which is generally a topologies that might be encountered in a home network (which is
broadband connected site). The Multiple Interfaces (mif) working generally a broadband connected site). The Multiple Interfaces (mif)
group covers cases where hosts are either directly attached to working group covers cases where hosts are either directly attached
multiple networks (physical or virtual) or indirectly (multiple to multiple networks (physical or virtual) or indirectly (multiple
default routers, etc.). xref target="RFC6419"/> provides the current default routers, etc.). [RFC6419] provides the current practices of
practices of multi-interfaces hosts today. As some of the end goals multi-interfaces hosts today. As some of the end goals of a MA is to
of a MA is to replicate the end user's network experience, it is replicate the end user's network experience, it is important to
important to understand the current practices. understand the current practices.
6.2. Measurement Peer (MP)
A Measurement Peer is the other side of an Active Measurements Task -
the target of Test Traffic from a Measurement Agent. The Measurement
Peer could also take many different forms: a web site, a service
(VoIP), a DNS server, an application specific server (e.g., webex), a
well known web site (e.g., youtube, google search), even another
Measurement Agent in another home could perform as a Measurement Peer
for a given Measurement Task. Particularly useful could be a MP that
is well placed bandwidth-wise and can handle thousand of sessions of
Test Traffic.
6.3. Controller
A Controller is responsible for providing the Measurement Agent with
instructions which include the Measurement Schedule, parameters, etc.
It is basically the entity controlling the Measurement Agents in a
LMAP domain.
For scaling purposes there may be several Controllers, perhaps
regionally located. A large scale test making use of multiple
Controllers would need a master Controller that is the ultimate
source of direction.
6.4. Collector
A Collector is responsible for receiving the Measurement Results from
the Measurement Agent at the end of a Measurement Task. It may have
additional features such as aggregating the results across multiple
Measurement Agents, remove outliers, create additional statistics,
(depending on usage of data) anonymization of results for privacy
reasons (if not done already in the Measurement Agents) etc. The
work of anonymization of user identifiable data has been addressed
for IPFIX via RFC6235 [RFC6235]. For scaling purposes there may be
several Collectors, perhaps regionally located. A large scale test
making use of multiple Collectors would need to aggregate/consolidate
their results for the complete picture.
7. Security considerations 7. Security considerations
The security of the LMAP framework should protect the interests of The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who the measurement operator(s), the network user(s) and other actors who
could be impacted by a compromised measurement deployment. could be impacted by a compromised measurement deployment. The
measurement system must secure the various components of the system
from unauthorised access or corruption.
We assume that each Measurement Agent will receive test We assume that each Measurement Agent will receive measurement tasks
configuration, scheduling and reporting instructions from a single configuration, scheduling and reporting instructions from a single
organisation (operator of the Controller). These instructions must organisation (operator of the Controller). These instructions must
be authenticated (to ensure that they come from the trusted be authenticated (to ensure that they come from the trusted
Controller), checked for integrity (to ensure no-one has tampered Controller), checked for integrity (to ensure no-one has tampered
with them) and be prevented from replay. If a malicious party can with them) and be prevented from replay. If a malicious party can
gain control of the Measurement Agent they can use the MA gain control of the Measurement Agent they can use the MA
capabilities to launch DoS attacks at targets, reduce the network capabilities to launch DoS attacks at targets, reduce the network
user experience and corrupt the measurement results that are reported user experience and corrupt the measurement results that are reported
to the Collector. By altering the tests that are operated and/or the to the Collector. By altering the tests that are operated and/or the
Collector address they can also compromise the confidentiality of the Collector address they can also compromise the confidentiality of the
network user and the MA environment (such as information about the network user and the MA environment (such as information about the
location of devices or their traffic). location of devices or their traffic).
The reporting of the MA must also be secured to maintain The reporting of the MA must also be secured to maintain
confidentiality. The results must be encrypted such that only the confidentiality. The results must be encrypted such that only the
authorised Collector can decrypt the results to prevent the leakage authorised Collector can decrypt the results to prevent the leakage
of confidential or private information. In addition it must be of confidential or private information. In addition it must be
authenticated that the results have come from the expected MA and authenticated that the results have come from the expected MA and
that they have not been tampered with. It must not be possible to that they have not been tampered with. It must not be possible to
fool a MA into injecting falsified data into the measurement platform fool a MA into injecting falsified data into the measurement platform
or to corrupt the results of a real MA. or to corrupt the results of a real MA. The results must also be
held and processed securely after collection and analysis.
Availability should also be considered. While the loss of some MAs Availability should also be considered. While the loss of some MAs
may not be considered critical, the unavailability of the Collector may not be considered critical, the unavailability of the Collector
could mean that valuable business data or data critical to a could mean that valuable business data or data critical to a
regulatory process is lost. Similarly, the unavailability of a regulatory process is lost. Similarly, the unavailability of a
Controller could mean that the MAs do not operate a correct Controller could mean that the MAs do not operate a correct
Measurement Schedule. Measurement Schedule.
A malicious party could "game the system". For example, where a A malicious party could "game the system". For example, where a
regulator is running a measurement system in order to benchmark regulator is running a measurement system in order to benchmark
operators, an operator could try to identify the broadband lines that operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. This the regulator was measuring and prioritise that traffic. This
potential issue is currently handled by a code of conduct. It is potential issue is currently handled by a code of conduct. It is
outside the scope of the LMAP WG to consider the issue. outside the scope of the LMAP WG to consider the issue.
8. Privacy Considerations for LMAP 8. Privacy Considerations for LMAP
Comment: It may be better to create a separate draft about 'LMAP
threats and considerations' containing this section and perhaps the
security section.
The LMAP Working Group will consider privacy as a core requirement The LMAP Working Group will consider privacy as a core requirement
and will ensure that by default measurement and collection mechanisms and will ensure that by default measurement and collection mechanisms
and protocols operate in a privacy-sensitive manner, i.e. that and protocols operate in a privacy-sensitive manner, i.e. that
privacy features are well-defined. privacy features are well-defined.
This section provides a set of privacy considerations for LMAP. This This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the timely publication of [RFC6973]. section benefits greatly from the timely publication of [RFC6973].
There are dependencies on the integrity of the LMAP security There are dependencies on the integrity of the LMAP security
mechanisms, described in the Security Considerations section above. mechanisms, described in the Security Considerations section above.
skipping to change at page 25, line 31 skipping to change at page 24, line 15
o Internet Service Providers: Organizations who offer Internet o Internet Service Providers: Organizations who offer Internet
access service subscriptions, and thus have access to sensitive access service subscriptions, and thus have access to sensitive
information of Individuals who choose to use the service. These information of Individuals who choose to use the service. These
organizations desire to protect their subscribers and their own organizations desire to protect their subscribers and their own
sensitive information which may be stored in the process of sensitive information which may be stored in the process of
measurement and result collection. measurement and result collection.
o Other LMAP system Operators: Organizations who operate measurement o Other LMAP system Operators: Organizations who operate measurement
systems or participate in measurements in some way. systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we include
discussion of ISPs and other LMAP system operators in this section.
These organizations have sensitive information involved in the LMAP
system and revealed by measurements, and many of the same mitigations
are applicable. Further, the ISPs store information on their
subscribers beyond that used in the LMAP system (e.g., billing
information), and there should be a benefit in considering all the
needs and potential solutions coherently.
8.2. Examples of Sensitive Information 8.2. Examples of Sensitive Information
This section gives examples of sensitive information which may be This section gives examples of sensitive information which may be
measured or stored in a measurement system, and which is to be kept measured or stored in a measurement system, and which is to be kept
private by default in the LMAP core protocols. private by default in the LMAP core protocols.
Examples of Subscriber or authorized Internet User Sensitive Examples of Subscriber or authorized Internet User Sensitive
Information: Information:
o Sub-IP layer addresses and names (e.g., MAC address, BS id, SSID)
o IP address in use o IP address in use
o Personal Identification (Real Name) o Personal Identification (Real Name)
o Location (street address, city) o Location (street address, city)
o Subscribed Service Parameters o Subscribed Service Parameters
o Contents of Traffic (Activity, DNS queries, Destinations, o Contents of Traffic (Activity, DNS queries, Destinations,
Equipment types, Account info for other services, etc.) Equipment types, Account info for other services, etc.)
skipping to change at page 26, line 23 skipping to change at page 25, line 18
o Measurement Schedule (exact times) o Measurement Schedule (exact times)
o Network Topology (Locations, Connectivity, Redundancy) o Network Topology (Locations, Connectivity, Redundancy)
o Subscriber billing information, and any of the above Subscriber o Subscriber billing information, and any of the above Subscriber
Information known to the provider. Information known to the provider.
o Authentication credentials (e.g., certificates) o Authentication credentials (e.g., certificates)
Other organizations will have some combination of the lists above. Other organizations will have some combination of the lists above.
The LMAP system would not typically expose all of the information
above, but could expose a combination of items which could be
correlated with other pieces collected by an attacker (as discussed
in the section on Threats below).
8.3. Key Distinction Between Active and Passive Measurement Tasks 8.3. Key Distinction Between Active and Passive Measurement Tasks
For the purposes of this memo, we define Passive and Active There are many possible definitions for the two main categories of
Measurements Tasks as follows: measurement types, active and passive. For the purposes of this
memo, we describe Passive and Active Measurements as follows:
Passive: measurements conducted on Internet User traffic, such that Passive: measurements conducted on Internet User traffic, such that
sensitive information is present and stored in the measurement system sensitive information is present and stored in the measurement system
(however briefly this storage may be). (however briefly this storage may be). We note that some authorities
make a distinction on time of storage, and information that is kept
only temporarily to perform a communications function is not subject
to regulation (e.g., Active Queue Management, Deep Packet
Inspection). Passive measurements could reveal all websites a
subscriber visits and the applications and/or services they use.
Active: measurements conducted on traffic which serves only the Active: measurements conducted on traffic which serves only the
purpose of measurement. Even if a user host generates active purpose of measurement. Even if a user host generates active
measurement traffic, there is significantly limited sensitive measurement traffic, there is significantly limited sensitive
information present and stored in the measurement system compared to information about the Subscriber present and stored in the
the passive case, as follows: measurement system compared to the passive case, as follows:
o IP address in use o IP address in use (and possibly Sub-IP addresses and names)
o Status as a study volunteer and schedule of active tests o Status as a study volunteer schedule of active tests
On the other hand, the sensitive information for an Internet Service On the other hand, the sensitive information for an Internet Service
Provider is the same whether active or passive measurements are used. Provider is the same whether active or passive measurements are used
(e.g., measurement results).
8.4. Communications Model (for Privacy) Both Active and Passive measurements potentially expose the
description of Internet Access service and specific service
parameters, such as subscribed rate and type of access.
This section briefly presents a set of communication models for LMAP. 8.4. Privacy analysis of the Communications Models
We assume that the Measurement Agent is located behind a NAT/
Firewall, so it performs the role of Initiator for all
communications.
From a privacy perspective, all LMAP entities can be considered This section examines each of the protocol exchanges described at a
"observers" according to the definition in [RFC6973]. Their stored high level in Section 5 and some example measurement tasks, and
information potentially poses a threat to privacy, especially if one identifies specific sensitive information which must be secured
or more of these functional entities has been compromised. during communication for each case. With the protocol-related
sensitive information identified, we have can better consider the
threats described in the following section.
Likewise, all devices on the paths used for control, reporting, and From the privacy perspective, all entities participating in LMAP
measurement are also observers. We note this in the figures below by protocols can be considered "observers" according to the definition
identifying the possible presence of a NAT, which has additional in [RFC6973]. Their stored information potentially poses a threat to
significance to the protocols and direction of initiation. privacy, especially if one or more of these functional entities has
been compromised. Likewise, all devices on the paths used for
control, reporting, and measurement are also observers.
8.4.1. Controller <-> Measurement Agent 8.4.1. MA Bootstrapping and Registration
The high-level communication model for interactions between the LMAP Section 5.1 provides the communication model for the Bootstrapping
Controller and Measurement Agent is illustrated below. The primary process.
purpose of this exchange is to authenticate and task a Measurement
Agent with Measurement Instructions, which the Measurement Agent then
acts on autonomously.
_________________ _________________ Although the specification of mechanisms for Bootstrapping the MA are
| | | | beyond the LMAP scope, designers should recognize that the
| Controller |=========== NAT ? ==========| Meas Agent | Bootstrapping process is extremely powerful and could cause an MA to
|_________________| |_________________| join a new or different LMAP system with Control/Collection entities,
or simply install new methods of measurement (e.g., a passive DNS
Query collector). A Bootstrap attack could result in a breach of the
LMAP system with significant sensitive information exposure depending
on the capabilities of the MA, so sufficient security protections are
warranted.
<- Key Negotiation & The Bootstrapping (or Registration) process provides sensitive
Encryption Setup information about the LMAP system and the organization that operates
Encrypted Channel -> it, such as
Established
Request Capabilities ->
Equipment ID & Status
<- Reply Equipment ID
Capabil. & Status
Measurement ->
Instruction
(MP IP Addrs, set of
Metrics, Schedule)
<- ACK (new Status)
Primarily IP addresses and pseudonyms are exchanged first, then o Initial Controller IP address or FQDN
measurement-related information of interest such as the metrics,
schedule, and IP addresses of measurement devices.
An organization operating the controller having no service o Assigned Controller IP address or FQDN
relationship with the user who hosts the measurement agent *could*
gain real-name mapping to public IP address through user
participation in an LMAP system.
8.4.2. Collector <-> Measurement Agent o Security certificates and credentials
During the Bootstrap process (or Registration process that follows),
the MA receives its MA-ID which is a persistent pseudonym for the
subscriber in the case that the MA is located at a service
demarcation point. Thus, the MA-ID is considered sensitive
information, because it could provide the link between subscriber
identification and measurements or observations on traffic.
Also, the Bootstrap or Registration process could assign a Group-ID
to the MA. The specific definition of information represented in a
Group-ID is to be determined, but several examples are envisaged
including use as a pseudonym for a set of subscribers, a class of
service, an access technology, or other important categories.
Assignment of a Group-ID enables anonymization sets to be formed on
the basis of service type/grade/rates. Thus, the mapping between
Group-ID and MA-ID is considered sensitive information.
8.4.2. Controller <-> Measurement Agent
The high-level communication model for interactions between the LMAP The high-level communication model for interactions between the LMAP
Measurement Agent and Collector is illustrated below. The primary Controller and Measurement Agent is illustrated in Section 5.2. The
purpose of this exchange is to authenticate and collect results from primary purpose of this exchange is to authenticate and task a
a Measurement Agent, which it has measured autonomously and stored. Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously.
_________________ _________________ Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged
| | | | with a capability request, then measurement-related information of
| Collector |=========== NAT ? ==========| Meas Agent | interest such as the parameters, schedule, metrics, and IP addresses
|_________________| |_________________| of measurement devices. Thus, the measurement Instruction contains
sensitive information which must be secured. For example, the fact
that an ISP is running additional measurements beyond the set
reported externally is sensitive information, as are the additional
measurements themselves. The schedule/timing of specific
measurements is also sensitive, because an attacker intending to bias
the results without being detected can use this information to great
advantage.
<- Key Negotiation & An organization operating the Controller having no service
Encryption Setup relationship with a user who hosts the measurement agent *could* gain
Encrypted Channel -> real-name mapping to public IP address through user participation in
Established an LMAP system (this applies to the Measurement Collection protocol,
Request Capabilities? -> as well).
Equipment ID & Status
<- Reply Equipment ID
Capabil. & Status
<- Measurement Results
(MP IP Addrs, set of
Metrics, Values)
ACK ->
Primarily IP addresses and pseudonyms are exchanged first, then 8.4.3. Collector <-> Measurement Agent
measurement-related information of interest such as the metrics,
schedule, results, and IP addresses of measurement devices.
An organization operating the collector having no service The high-level communication model for interactions between the LMAP
relationship with the user who hosts the measurement agent *could* Measurement Agent and Collector is illustrated in Section 5.4. The
gain real-name mapping to public IP address through user primary purpose of this exchange is to authenticate and collect
participation in an LMAP system. results from a Measurement Agent, which it has measured autonomously
and stored.
8.4.3. Active Measurement Peer <-> Measurement Agent Beyond the Controller-MA exchange, the new and highly-sensitive
information exposed in the Collector-MA exchange is the measurement
results. Organizations collecting LMAP measurements have the
responsibility for Data Control. Thus, the results and other
information communicated in the Collector protocol must be secured.
8.4.4. Active Measurement Peer <-> Measurement Agent
Although the specification of the mechanisms for measurement is Although the specification of the mechanisms for measurement is
beyond the LMAP scope, the high-level communications model below beyond the LMAP scope, the high-level communications model below
illustrates measurement information and results flowing between illustrates measurement information and results flowing between
active measurement devices as a potential privacy issue. The primary active measurement devices as a potential privacy issue. The primary
purpose of this exchange is to execute measurements and store the purpose of this exchange is to execute measurements and store the
results. results.
We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation.
_________________ _________________ _________________ _________________
| | | | | | | |
| Meas Peer |=========== NAT ? ==========| Meas Agent | | Meas Peer |=========== NAT ? ==========| Meas Agent |
|_________________| |_________________| |_________________| |_________________|
<- Key Negotiation & <- Key Negotiation &
Encryption Setup Encryption Setup
Encrypted Channel -> Encrypted Channel ->
Established Established
Announce Capabilities -> Announce Capabilities ->
& Status & Status
<- Select Capabilities <- Select Capabilities
ACK -> ACK ->
<- Measurement Request <- Measurement Request
(MA+MP IPAddrs,set of (MA+MP IPAddrs,set of
skipping to change at page 29, line 28 skipping to change at page 29, line 4
(may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted)
<- Stop Tests <- Stop Tests
Return Results -> Return Results ->
(if applicable) (if applicable)
<- ACK, Close <- ACK, Close
This exchange primarily exposes the IP addresses of measurement This exchange primarily exposes the IP addresses of measurement
devices and the inference of measurement participation from such devices and the inference of measurement participation from such
traffic. There may be information on key points in a service traffic. There may be sensitive information on key points in a
provider's network. There may also be access to measurement-related service provider's network included. There may also be access to
information of interest such as the metrics, schedule, and results. measurement-related information of interest such as the metrics,
schedule, and intermediate results carried in the measurement packets
(usually a set of timestamps).
If the measurement traffic is unencrypted, as found in many systems If the measurement traffic is unencrypted, as found in many systems
today, then both timing and limited results are open to observers. today, then both timing and limited results are open to on-path
observers, and this should be avoided when the degradation of secure
measurement is minimal.
8.4.4. Passive Measurement Peer <-> Measurement Agent 8.4.5. Passive Measurement Peer <-> Measurement Agent
Although the specification of the mechanisms for measurement is Although the specification of the mechanisms for measurement is
beyond the LMAP scope, the high-level communications model below beyond the LMAP scope, the high-level communications model below
illustrates passive monitoring and measurement of information flowing illustrates passive monitoring and measurement of information flowing
between production network devices as a potential privacy issue. The between production network devices as a potential privacy issue. The
primary purpose of this model is to illustrate collection of user primary purpose of this model is to illustrate collection of user
information of interest with the Measurement Agent performing the information of interest with the Measurement Agent performing the
monitoring and storage of the results. This particular exchange is monitoring and storage of the results. This particular exchange is
for DNS Response Time, which most frequently uses UDP transport. for DNS Response Time, which most frequently uses UDP transport.
skipping to change at page 30, line 16 skipping to change at page 29, line 43
Desired Domain Name) Desired Domain Name)
Return Record -> Return Record ->
This exchange primarily exposes the IP addresses of measurement This exchange primarily exposes the IP addresses of measurement
devices and the intent to communicate with, or access the services of devices and the intent to communicate with, or access the services of
"Domain Name". There may be information on key points in a service "Domain Name". There may be information on key points in a service
provider's network, such as the address of one of its DNS servers. provider's network, such as the address of one of its DNS servers.
The Measurement Agent may be embedded in the User host, or it may be The Measurement Agent may be embedded in the User host, or it may be
located in another device capable of observing user traffic. located in another device capable of observing user traffic.
In principle, any of the Internet User information of interest In principle, any of the Internet User sensitive information of
(listed above) can be collected and stored in the passive monitoring interest (listed above) can be collected and stored in the passive
scenario. monitoring scenario. Thus, the LMAP Collection of passive
measurements provides the additional sensitive information exposure
8.4.5. Result Storage and Reporting to a Collection-path observer, and this information must be secured.
8.4.6. Result Storage and Reporting
Although the mechanisms for communicating results (beyond the initial Although the mechanisms for communicating results (beyond the initial
Collector) are beyond the LMAP scope, there are potential privacy Collector) are beyond the LMAP scope, there are potential privacy
issues related to a single organization's storage and reporting of issues related to a single organization's storage and reporting of
measurement results. Both storage and reporting functions can help measurement results. Both storage and reporting functions can help
to preserve privacy by implementing the mitigations described below. to preserve privacy by implementing the mitigations described below.
8.5. Threats 8.5. Threats
This section indicates how each of the threats described in [RFC6973] This section indicates how each of the threats described in [RFC6973]
apply to the LMAP entities and their communication and storage of apply to the LMAP entities and their communication and storage of
skipping to change at page 31, line 12 skipping to change at page 30, line 40
stamped, the measurement results could provide a record of IP address stamped, the measurement results could provide a record of IP address
assignments over time. assignments over time.
Either of the above pieces of information could be useful in Either of the above pieces of information could be useful in
correlation and identification, described below. correlation and identification, described below.
8.5.2. Stored Data Compromise 8.5.2. Stored Data Compromise
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
resulting from inadequate measures to secure stored data from resulting from inadequate measures to secure stored data from
unauthorized or inappropriate access. unauthorized or inappropriate access. For LMAP systems this includes
deleting or modifying collected measurement records, as well as data
theft.
The primary LMAP entity subject to compromise is the results storage The primary LMAP entity subject to compromise is the results storage
which serves the Collector function (also applicable to temporary which serves the Collector function (also applicable to temporary
storage on the Collector itself). Extensive security and privacy storage on the Collector itself). Extensive security and privacy
threat mitigations are warranted for the storage system. Although threat mitigations are warranted for the storage system. Although
the scope of its measurement and storage is smaller than the the scope of its measurement and storage is smaller than the
collector's, an individual Measurement Agent stores sensitive collector's, an individual Measurement Agent stores sensitive
information temporarily, and also needs protections. information temporarily, and also needs protections.
The LMAP Controller may have direct access to storage of Service The LMAP Controller may have direct access to storage of Service
Parameters, Subscriber information (location, billing, etc.), and Parameters, Subscriber information (location, billing, etc.), and
other information which the controlling organization considers other information which the controlling organization considers
private, and needs protection in this case. private, and needs protection in this case.
The communications between the local storage of the Collector and The communications between the local storage of the Collector and
other storage facilities (possibly permanent mass storage), is beyond other storage facilities (possibly permanent mass storage), is beyond
the scope of the LMAP work at this time, though this communications the scope of the LMAP work at this time, though this communications
channel will certainly need protection as well as the mass storage. channel will certainly need protection as well as the mass storage
itself.
8.5.3. Correlation and Identification 8.5.3. Correlation and Identification
Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as
combining various pieces of information to obtain desired combining various pieces of information to obtain desired
characteristics of an individual, and Identification as using this characteristics of an individual, and Identification as using this
process to infer identity. process to infer identity.
The main risk is that the LMAP system could un-wittingly provide a The main risk is that the LMAP system could un-wittingly provide a
key piece of the correlation chain, starting with an unknown key piece of the correlation chain, starting with an unknown
skipping to change at page 32, line 6 skipping to change at page 31, line 39
8.5.4. Secondary Use and Disclosure 8.5.4. Secondary Use and Disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as
unauthorized utilization of an individual's information for a purpose unauthorized utilization of an individual's information for a purpose
the individual did not intend, and Disclosure is when such the individual did not intend, and Disclosure is when such
information is revealed causing other's notions of the individual to information is revealed causing other's notions of the individual to
change, or confidentiality to be violated. change, or confidentiality to be violated.
The collection and reporting of passive traffic measurements is a The collection and reporting of passive traffic measurements is a
form of secondary use, and subscribers' permission should be obtained form of secondary use, and subscribers' permission and measured ISP's
before measurement. Although user traffic is only indirectly permission should be obtained before measurement. Although user
involved, active measurement results provide limited information traffic is only indirectly involved, active measurement results
about the subscriber and may constitute secondary use. provide limited information about the subscriber/ISP and may
constitute secondary use. Use of the measurements in unauthorized
marketing campaigns would qualify as Secondary Use.
8.6. Mitigations 8.6. Mitigations
This section examines the mitigations listed in section 6 of This section examines the mitigations listed in section 6 of
[RFC6973] and their applicability to LMAP systems. Note that each [RFC6973] and their applicability to LMAP systems. Note that each
section in [RFC6973] identifies the threat categories that each section in [RFC6973] identifies the threat categories that each
technique mitigates. technique mitigates.
8.6.1. Data Minimization 8.6.1. Data Minimization
skipping to change at page 34, line 26 skipping to change at page 34, line 13
to obscure identity. to obscure identity.
8.6.4. Other Mitigations 8.6.4. Other Mitigations
Sections 6.2 and 6.3 of [RFC6973] describe User Participation and Sections 6.2 and 6.3 of [RFC6973] describe User Participation and
Security, respectively. Security, respectively.
Where LMAP measurements involve devices on the Subscriber's premises Where LMAP measurements involve devices on the Subscriber's premises
or Subscriber-owned equipment, it is essential to secure the or Subscriber-owned equipment, it is essential to secure the
Subscriber's permission with regard to the specific information that Subscriber's permission with regard to the specific information that
will be collected. will be collected. The informed consent of the Subscriber (and, if
different, the end user) is needed, including the specific purpose of
the measurements. The approval process could involve showing the
Subscriber their measured information and results before instituting
periodic collection, or before all instances of collection, with the
option to cancel collection temporarily or permanently.
It should also be clear who is legally responsible for data
protection (privacy); in some jurisdictions this role is called the
'data controller'. It is good practice to time limit the storage of
personal information.
Although the details of verification would be impenetrable to most
subscribers, the MA could be architected as an "app" with open
source-code, pre-download and embedded terms of use and agreement on
measurements, and protection from code modifications usually provided
by the app-stores. Further, the app itself could provide data
reduction and temporary storage mitigations as appropriate and
certified through code review.
LMAP protocols, devices, and the information they store clearly need LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorized access. This is the hand-off between to be secure from unauthorized access. This is the hand-off between
privacy and security considerations, found elsewhere in this memo. privacy and security considerations, found elsewhere in this memo.
The Data Controller has the (legal) responsibility to maintain data
protections described in the Subscriber's agreement and agreements
with other organizations.
8.7. The potential role of a Group-ID for privacy Another standard method for de-personalising data is to blur it by
adding synthetic data, data-swapping, or perturbing the values in
A group identifier may be useful to help maintain privacy. Several ways that can be reversed or corrected.
MAs would share the same Group-ID. This has been suggested where the
endusers are sensitive about privacy, for example mobile users do not
want their location tracked. Some possibilities are discussed below.
A Group-ID might be used when Results are forwarded by a Collector to
a third party. The measurement system operates using MA-IDs, however
if Results are sent to a third party then Results from several MAs
are aggregated together, in order to prevent the third party tracking
them to an individual MA or enduser.
A Group-ID could be used for Reporting. The Controller's Instruction
still refers to an MA using its MA-ID, but Results are reported to
the Collector including a Group-ID but not an MA-ID. This might be
useful where the measurement system is not run by the ISP (in the
mobile example, the user clearly wants the operator track their
location). The Group-ID needs to be sensible, for example MAs with
the same broadband product (it is not sensible to aggregate Results
from MAs on 2Mb/s and 300Mb/s lines). Note that:
o A malicious MA could bias overall results by reporting more or
less often than it is supposed to. The use of a Group-ID makes
this harder for a Collector to detect.
o An attacker is more likely to be able to break the MA-Collector
communications, since it can only be secured at the group level,
for instance with a shared password. The attacker could then
report false Results. Securing at the individual MA level
intrinsically reveals the MA's identity
o A malicious Collector can probably use other information to
deaggregate the Results per MA, for example by tracking its IP
address or analysing some per-MA 'fingerprint' information
associated with the MA-Collector transmission protocol
o A conspiratorial Controller could create a per-MA fingerprint (for
example a unique set of parameters for the Measurement Tasks or
simply a regular time at which the MA reports), which the
Collector uses to identify the MA
o A well-behaved Collector ensures that it only stores the Group-ID
and throws away per-MA information. Then it cannot subsequently
disaggregate Results per MA - such a breakdown might be requested
by a government agency, an attacker or even by the measurement
system itself (say after a change of company policy). In this
case, the MA-Collector communication can be secured per MA,
providing authentication is changed regularly and/or cannot be
linked to the repository with the Measurement Results. In
principle the scenario doesn't need a Group-ID to be defined for
the Report Protocol - since the Collector can implement the Group-
ID locally, after Results are reported.
A Group-ID could be used for Control as well as Reporting. The same
Instruction is broadcast to all MAs, which check that they have a
matching group-id before carrying out the Instruction. Notes:
o The first three bullets above still apply
o In addition, the Controller-MA communication is now also less
secure
o All the MAs with the same Group-ID probably need to be able to run
exactly the same set of Measurement Methods.
o At least at first glance, failure handling is harder. It is much
less useful for the MA to inform the Controller that it cannot
understand or execute an Instruction - the Controller simply knows
that one or more MAs, with a particular Group-ID, cannot
understand or execute the Instruction. There also seems no point
an MA reporting the Measurement Methods that it understands (which
is intended to help a Controller that has forgotten an MA's
capabilities, perhaps after a crash)
Conclusion - this topic needs more discussion. The use of per-MA
authentication for security seems in tension with the use of Group-
IDs for privacy.
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations in this memo. There are no IANA considerations in this memo.
10. Acknowledgments 10. Acknowledgments
This document is a merger of three individual drafts: draft-eardley- This document is a merger of three individual drafts: draft-eardley-
lmap-terminology-02, draft-akhter-lmap-framework-00, and draft- lmap-terminology-02, draft-akhter-lmap-framework-00, and draft-
eardley-lmap-framework-02. eardley-lmap-framework-02.
skipping to change at page 37, line 13 skipping to change at page 35, line 33
First WG version, copy of draft-folks-lmap-framework-00. First WG version, copy of draft-folks-lmap-framework-00.
11.1. From -00 to -01 11.1. From -00 to -01
o new sub-section of possible use of Group-IDs for privacy o new sub-section of possible use of Group-IDs for privacy
o tweak to definition of Control protocol o tweak to definition of Control protocol
o fix typo in figure in S5.4 o fix typo in figure in S5.4
12. Informative References 11.2. From -01 to -02
[I-D.linsner-lmap-use-cases] o change to INFORMATIONAL track (previous version had typo'd
Linsner, M., Eardley, P., and T. Burbridge, "Large-Scale Standards track)
Broadband Measurement Use Cases", draft-linsner-lmap-use-
cases-04 (work in progress), October 2013.
[lmap-yang] o new definitions for Capabilities Information and Failure
, "A YANG Data Model for LMAP Measurement Agents", , Information
<http://tools.ietf.org/html/draft-schoenw-lmap-yang>.
[lmap-netconf] o clarify that diagrams show LMAP-level information flows.
, "Considerations on using NETCONF with LMAP Measurement Underlying protocol could do other interactions, eg to get through
Agents", , NAT or for Collector to pull a Report
<http://tools.ietf.org/html/draft-schoenw-lmap-netconf>.
[lmap-ipfix] o add hint that after a re-boot should pause random time before re-
, "An LMAP application for IPFIX", , register (to avoid mass calling event)
<http://tools.ietf.org/html/draft-bagnulo-lmap-ipfix>.
[registry] o delete the open issue "what happens if a Controller fails" (normal
, , , , , "A registry for commonly used metrics. methods can handle)
Independent registries", , <http://tools.ietf.org/html/
draft-bagnulo-ippm-new-registry-independent>.
[RFC6241] , , , , "Network Configuration Protocol (NETCONF)", , o add some extra words about multiple Tasks in one Schedule
<http://tools.ietf.org/html/rfc6241>. o clarify that new Schedule replaces (rather than adds to) and old
one. similarly for new configuration of Measurement Tasks or
Report Channels.
[yang-api] o clarify suppression is temporary stop; send a new Schedule to
, "YANG-API Protocol", , permanently stop Tasks
<http://tools.ietf.org/html/rfc6241>.
[schulzrinne] o alter suppression so it is ACKed
, , , "Large-Scale Measurement of Broadband Performance:
Use Cases, Architecture and Protocol Requirements", ,
<http://tools.ietf.org/html/draft-schulzrinne-lmap-
requirements>.
[information-model] o add un-suppress message
Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale o expand the text on error reporting, to mention Reporting failures
Measurement Platforms (LMAP)", , <http://tools.ietf.org/ (as well as failures to action or execute Measurement Task &
html/draft-burbridge-lmap-information-model>. Schedule)
o add some text about how to have Tasks running indefinitely
o add that optionally a Report is not sent when there are no
Measurement Results
o add that a Measurement Task may create more than one Measurement
Result
o clarify /amend /expand that Reports include the "raw" Measurement
Results - any pre-processing is left for lmap2.0
o add some cautionary words about what if the Collector unexpectedly
doesn't hear from a MA
o add some extra words about the potential impact of Measurement
Tasks
o clarified varous aspects of the privacy section
o updated references
o minor tweaks
12. Informative References
[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
"The Role of Network Trace Anonymization Under Attack", "The Role of Network Trace Anonymization Under Attack",
January 2010. January 2010.
[Q1741] Q.1741.7, ., "IMT-2000 references to Release 9 of GSM- [Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM-
evolved UMTS core network", evolved UMTS core network",
http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011. http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011.
[I-D.ietf-lmap-use-cases]
Linsner, M., Eardley, P., and T. Burbridge, "Large-Scale
Broadband Measurement Use Cases", draft-ietf-lmap-use-
cases-00 (work in progress), October 2013.
[I-D.bagnulo-ippm-new-registry-independent] [I-D.bagnulo-ippm-new-registry-independent]
Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
A. Morton, "A registry for commonly used metrics. A. Morton, "A registry for commonly used metrics.
Independent registries", draft-bagnulo-ippm-new-registry- Independent registries", draft-bagnulo-ippm-new-registry-
independent-01 (work in progress), July 2013. independent-01 (work in progress), July 2013.
[RFC2330] Paxson, V., Almes, G., Mahdavi, J., and M. Mathis, [I-D.ietf-homenet-arch]
"Framework for IP Performance Metrics", RFC 2330, May Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil,
1998. "IPv6 Home Networking Architecture Principles", draft-
ietf-homenet-arch-11 (work in progress), October 2013.
[I-D.mathis-ippm-model-based-metrics] [RFC6419] Wasserman, M. and P. Seite, "Current Practices for
Mathis, M. and A. Morton, "Model Based Internet Multiple-Interface Hosts", RFC 6419, November 2011.
Performance Metrics", draft-mathis-ippm-model-based-
metrics-01 (work in progress), February 2013.
[RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Delay Metric for IPPM", RFC 2681, September 1999. Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
[RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", RFC 5533, June 2009.
[I-D.burbridge-lmap-information-model] [I-D.burbridge-lmap-information-model]
Burbridge, T., Eardley, P., Bagnulo, M., and J. Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", draft-burbridge-lmap- Measurement Platforms (LMAP)", draft-burbridge-lmap-
information-model-00 (work in progress), July 2013. information-model-01 (work in progress), October 2013.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Support", RFC 6235, May 2011. Support", RFC 6235, May 2011.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
Authors' Addresses Authors' Addresses
 End of changes. 119 change blocks. 
650 lines changed or deleted 644 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/