draft-ietf-lmap-framework-02.txt   draft-ietf-lmap-framework-03.txt 
Network Working Group P. Eardley Network Working Group P. Eardley
Internet-Draft BT Internet-Draft BT
Intended status: Informational A. Morton Intended status: Informational A. Morton
Expires: June 9, 2014 AT&T Labs Expires: July 25, 2014 AT&T Labs
M. Bagnulo M. Bagnulo
UC3M UC3M
T. Burbridge T. Burbridge
BT BT
P. Aitken P. Aitken
A. Akhter A. Akhter
Cisco Systems Cisco Systems
December 6, 2013 January 21, 2014
A framework for large-scale measurement platforms (LMAP) A framework for large-scale measurement platforms (LMAP)
draft-ietf-lmap-framework-02 draft-ietf-lmap-framework-03
Abstract Abstract
Measuring broadband service on a large scale requires a description Measuring broadband service on a large scale requires a description
of the logical architecture and standardisation of the key protocols of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document that coordinate interactions between the components. The document
presents an overall framework for large-scale measurements. It also presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (large-scale measurement platforms). defines terminology for LMAP (large-scale measurement platforms).
Status of This Memo Status of This Memo
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 9, 2014. This Internet-Draft will expire on July 25, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Outline of an LMAP-based measurement system . . . . . . . . . 5 2. Outline of an LMAP-based measurement system . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 10 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1. Measurement system is under the direction of a single 4.1. Measurement system is under the direction of a single
organisation . . . . . . . . . . . . . . . . . . . . . . 10 organisation . . . . . . . . . . . . . . . . . . . . . . 11
4.2. Each MA may only have a single Controller at any point in 4.2. Each MA may only have a single Controller at any point in
time . . . . . . . . . . . . . . . . . . . . . . . . . . 11 time . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 11 5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 12
5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 12 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 13
5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 14 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15
5.3. Starting and stopping Measurement Tasks . . . . . . . . . 16 5.2.1. Measurement Suppression . . . . . . . . . . . . . . . 18
5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 17 5.3. Starting and stopping Measurement Tasks . . . . . . . . . 19
5.5. Items beyond the scope of the LMAP Protocol Model . . . . 19 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 20
5.5.1. User-controlled measurement system . . . . . . . . . 20 5.5. Operation of LMAP over the underlying transport protocol 22
6. MA Deployment considerations . . . . . . . . . . . . . . . . 20 5.6. Items beyond the scope of the LMAP Protocol Model . . . . 23
6.1. Measurement Agent embedded in site gateway . . . . . . . 21 5.6.1. Enduser-controlled measurement system . . . . . . . . 24
6.2. Measurement Agent embedded behind Site NAT /Firewall . . 21 6. Deployment considerations . . . . . . . . . . . . . . . . . . 24
6.3. Measurement Agent in multi homed site . . . . . . . . . . 21 6.1. Controller . . . . . . . . . . . . . . . . . . . . . . . 24
7. Security considerations . . . . . . . . . . . . . . . . . . . 22 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 25
8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 23 6.2.1. Measurement Agent embedded in site gateway . . . . . 26
8.1. Categories of Entities with Information of Interest . . . 23 6.2.2. Measurement Agent embedded behind site NAT /Firewall 26
8.2. Examples of Sensitive Information . . . . . . . . . . . . 24 6.2.3. Measurement Agent in a multi-homed site . . . . . . . 27
6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 27
7. Security considerations . . . . . . . . . . . . . . . . . . . 27
8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 28
8.1. Categories of Entities with Information of Interest . . . 29
8.2. Examples of Sensitive Information . . . . . . . . . . . . 29
8.3. Key Distinction Between Active and Passive Measurement 8.3. Key Distinction Between Active and Passive Measurement
Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 30
8.4. Privacy analysis of the Communications Models . . . . . . 26 8.4. Privacy analysis of the Communications Models . . . . . . 31
8.4.1. MA Bootstrapping and Registration . . . . . . . . . . 26 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 31
8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 27 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 32
8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 27 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 33
8.4.4. Active Measurement Peer <-> Measurement Agent . . . . 28 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 33
8.4.5. Passive Measurement Peer <-> Measurement Agent . . . 29 8.4.5. Passive Measurement Agent . . . . . . . . . . . . . . 34
8.4.6. Result Storage and Reporting . . . . . . . . . . . . 29 8.4.6. Storage and Reporting of Measurement Results . . . . 35
8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 30 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 35
8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 30 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 36
8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 30 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 36
8.5.3. Correlation and Identification . . . . . . . . . . . 31 8.5.3. Correlation and Identification . . . . . . . . . . . 36
8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 31 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 37
8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 31 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 37
8.6.1. Data Minimization . . . . . . . . . . . . . . . . . . 32 8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 37
8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 32 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 38
8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 33 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 39
8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 34 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 39
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40
11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 35 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 41
11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 35 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 41
12. Informative References . . . . . . . . . . . . . . . . . . . 36 11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 12. Informative References . . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
There is a desire to be able to coordinate the execution of broadband There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large measurements and the collection of measurement results across a large
scale set of diverse devices. These devices could be software based scale set of diverse devices. These devices could be software based
agents on PCs, embedded agents in consumer devices (e.g. blu-ray agents on PCs, embedded agents in consumer devices (e.g. blu-ray
players), service provider controlled devices such as set-top players players), service provider controlled devices such as set-top players
and home gateways, or simply dedicated probes. It is expected that and home gateways, or simply dedicated probes. It is expected that
such a system could easily comprise 100k devices. Such a scale such a system could easily comprise 100k devices. Such a scale
skipping to change at page 3, line 45 skipping to change at page 4, line 5
Further details of the use cases can be found at Further details of the use cases can be found at
[I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for [I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for
these, as well as other use cases that the LMAP WG doesn't these, as well as other use cases that the LMAP WG doesn't
concentrate on, such as to help end users run diagnostic checks like concentrate on, such as to help end users run diagnostic checks like
a network speed test. a network speed test.
The LMAP framework has four basic elements: Measurement Agents, The LMAP framework has four basic elements: Measurement Agents,
Measurement Peers, Controllers and Collectors. Measurement Peers, Controllers and Collectors.
Measurement Agents (MAs) perform network measurements. They are Measurement Agents (MAs) perform Measurement Tasks, perhaps in
pieces of code that can be executed in specialized hardware (hardware conjunction with Measurement Peers. They are pieces of code that can
probe) or on a general-purpose device (like a PC or mobile phone). be executed in specialized hardware (hardware probe) or on a general-
The Measurement Agents may have multiple interfaces (WiFi, Ethernet, purpose device (like a PC or mobile phone). A device with a
DSL, fibre, etc.) and the measurements may specify any one of these. Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL,
Measurements may be active (the MA or Measurement Peer (MP) generates fibre, etc.) and the Measurement Tasks may specify any one of these.
test traffic), passive (the MA observes user traffic), or some hybrid Measurement Tasks may be Active (the MA or Measurement Peer generates
form of the two. For active measurement tasks, the MA (or MP) Active Measurement Traffic), Passive (the MA observes user traffic),
generates test traffic and measures some metric associated with its or some hybrid form of the two. For Active Measurement Tasks, the MA
transfer over the path to (or from) a Measurement Peer. For example, (or Measurement Peer) generates Active Measurement Traffic and
one active measurement task could be to measure the UDP latency measures some metric associated with its transfer over the path to
between the MA and a given MP. MAs may also conduct passive testing (or from) a Measurement Peer. For example, one Active Measurement
through the observation of traffic. The measurements themselves may Task could be to measure the UDP latency between the MA and a given
be on IPv4, IPv6, and on various services (DNS, HTTP, XMPP, FTP, Measurement Peer. MAs may also conduct Passive Measurement Tasks
through the observation of traffic. The Measurement Tasks themselves
may be on IPv4, IPv6, and on various services (DNS, HTTP, XMPP, FTP,
VoIP, etc.). VoIP, etc.).
The Controller manages one or more MAs by instructing it which The Controller manages one or more MAs by instructing it which
measurement tasks it should perform and when. For example it may Measurement Tasks it should perform and when. For example it may
instruct a MA at a home gateway: "Measure the 'UDP latency' with the instruct a MA at a home gateway: "Measure the 'UDP latency' with the
Measurement Peer mp.example.org; repeat every hour at xx.05". The Measurement Peer mp.example.org; repeat every hour at xx.05". The
Controller also manages a MA by instructing it how to report the Controller also manages a MA by instructing it how to report the
measurement results, for example: "Report results once a day in a Measurement Results, for example: "Report results once a day in a
batch at 4am". We refer to these as the Measurement Schedule and batch at 4am". We refer to these as the Measurement Schedule and
Report Schedule. Report Schedule.
The Collector accepts Reports from the MAs with the results from The Collector accepts Reports from the MAs with the Results from
their measurement tasks. Therefore the MA is a device that gets their Measurement Tasks. Therefore the MA is a device that gets
instructions from the Controller initiates the measurement tasks, and Instructions from the Controller, initiates the Measurement Tasks,
reports to the Collector. and reports to the Collector.
There are additional elements that are part of a measurement system, There are additional elements that are part of a measurement system,
but that are out of the scope for LMAP. We provide a detailed but that are out of the scope for LMAP. We provide a detailed
discussion of all the elements in the rest of the document. discussion of all the elements in the rest of the document.
The desirable features for a large-scale measurement systems we are The desirable features for a large-scale measurement systems we are
designing for are: designing for are:
o Standardised - in terms of the tests that they perform, the o Standardised - in terms of the Measurement Tasks that they
components, the data models and protocols for transferring perform, the components, the data models and protocols for
information between the components. For example so that it is transferring information between the components. Amongst other
meaningful to compare measurements made of the same metric at things, standardisation enables meaningful comparisons of
different times and places. For example so that the operator of a measurements made of the same metric at different times and
measurement system can buy the various components from different places, and enables the operator of a measurement system to buy
vendors. Today's systems are proprietary in some or all of these the various components from different vendors. Today's systems
aspects. are proprietary in some or all of these aspects.
o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement
Agents in every home gateway and edge device such as set-top-boxes Agents in every home gateway and edge device such as set-top-boxes
and tablet computers. Existing systems have up to a few thousand and tablet computers. It is expected that a measurement system
Measurement Agents (without judging how much further they could could easily encompass a few hundred thousand Measurement Agents.
scale). Existing systems have up to a few thousand MAs (without judging
how much further they could scale).
o Diversity - a measurement system should handle different types of o Diversity - a measurement system should handle different types of
Measurement Agent - for example Measurement Agents may come from Measurement Agent - for example Measurement Agents may come from
different vendors, be in wired and wireless networks and be on different vendors, be in wired and wireless networks and be on
devices with IPv4 or IPv6 addresses. devices with IPv4 or IPv6 addresses.
2. Outline of an LMAP-based measurement system 2. Outline of an LMAP-based measurement system
Figure 1 shows the main components of a measurement system, and the Figure 1 shows the main components of a measurement system, and the
interactions of those components. Some of the components are outside interactions of those components. Some of the components are outside
the scope of LMAP. In this section we provide an overview on the the scope of LMAP. In this section we provide an overview of the
whole measurement system and we introduce the main terms needed for whole measurement system and we introduce the main terms needed for
the LMAP framework. The new terms are capitalized. In the next the LMAP framework. The new terms are capitalized. In the next
section we provide a terminology section with a compilation of all section we provide a terminology section with a compilation of all
the LMAP terms and their definition. The subsequent sections study the LMAP terms and their definition. The subsequent sections study
the LMAP components in more detail. the LMAP components in more detail.
A Measurement Task measures some performance or reliability Metric of A Measurement Task measures some performance or reliability Metric of
interest. An Active Measurement Task involves either a Measurement interest. An Active Measurement Task involves either a Measurement
Agent (MA) injecting Test Traffic into the network destined for a Agent (MA) injecting Active Measurement Traffic into the network
Measurement Peer (MP), and/or a MP sending Test Traffic to a MA; one destined for a Measurement Peer, and/or a Measurement Peer sending
of them measures the some parameter associated with the transfer of Active Measurement Traffic to a MA; one of them measures some
the packet(s). A Passive Measurement Task involves only a MA, which parameter associated with the transfer of the packet(s). A Passive
simply observes existing traffic - for example, it could simply count Measurement Task involves only a MA, which simply observes existing
bytes or it might calculate the average loss for a particular flow. traffic - for example, it could simply count bytes or it might
calculate the average loss for a particular flow.
It is very useful to standardise Measurement Methods (a Measurement It is very useful to standardise Measurement Methods (a Measurement
Method is a generalisation of a Measurement Task), so that it is Method is a generalisation of a Measurement Task), so that it is
meaningful to compare measurements of the same Metric made at meaningful to compare measurements of the same Metric made at
different times and places. It is also useful to define a registry different times and places. It is also useful to define a registry
for commonly-used Metrics [I-D.bagnulo-ippm-new-registry-independent] for commonly-used Metrics [I-D.bagnulo-ippm-new-registry-independent]
so that a Measurement Method can be referred to simply by its so that a Measurement Method can be referred to simply by its
identifier in the registry. The Measurement Methods and registry identifier in the registry. The Measurement Methods and registry
would hopefully also be referenced by other standards organisations. will hopefully be referenced by other standards organisations.
In order for a Measurement Agent and a Measurement Peer to execute an In order for a Measurement Agent and a Measurement Peer to execute an
Active Measurement Task, they exchange Active Measurement Traffic. Active Measurement Task, they exchange Active Measurement Traffic.
The protocols used for the Active Measurement Traffic is out of the The protocols used for the Active Measurement Traffic is out of the
scope of the LMAP WG and falls within the scope of other IETF WGs scope of the LMAP WG and falls within the scope of other IETF WGs
such as IPPM. such as IPPM.
For Measurement Results to be truly comparable, as might be required For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be by a regulator, not only do the same Measurement Methods need to be
used but also the set of Measurement Tasks should follow a similar used but also the set of Measurement Tasks should follow a similar
Measurement Schedule and be of similar number. The details of such a Measurement Schedule and be of similar number. The details of such a
characterisation plan are beyond the scope of work in IETF although characterisation plan are beyond the scope of work in IETF although
certainly facilitated by IETF's work. certainly facilitated by IETF's work.
The next components we consider are the Measurement Agent (MA), The next components we consider are the Measurement Agent (MA),
Controller and Collector. The main work of the LMAP working group is Controller and Collector. The main work of the LMAP working group is
to define the Control Protocol between the Controller and MA, and the to define the Control Protocol between the Controller and MA, and the
Report Protocol between the MA and Collector. Section 4 onwards Report Protocol between the MA and Collector. Section 4 onwards
considers the LMAP compnents in more detail; here we introduce them. considers the LMAP components in more detail; here we introduce them.
The Controller manages a MA by instructing it which Measurement Tasks The Controller manages a MA by instructing it which Measurement Tasks
it should perform and when. For example it may instruct a MA at a it should perform and when. For example it may instruct a MA at a
home gateway: "Run the 'download speed test' with the Measurement home gateway: "Run the 'download speed test' with the Measurement
Peer at the end user's first IP point in the network; if the end user Peer at the end user's first IP point in the network; if the end user
is active then delay the test and re-try 1 minute later, with up to 3 is active then delay the test and re-try 1 minute later, with up to 3
re-tries; repeat every hour at xx.05 + Unif[0,180] seconds". The re-tries; repeat every hour at xx.05 + Unif[0,180] seconds". The
Controller also manages a MA by instructing it how to report the Controller also manages a MA by instructing it how to report the
Measurement Results, for example: "Report results once a day in a Measurement Results, for example: "Report results once a day in a
batch at 4am + Unif[0,180] seconds; if the end user is active then batch at 4am + Unif[0,180] seconds; if the end user is active then
delay the report 5 minutes". As well as regular Measurement Tasks, a delay the report 5 minutes". These are called the Measurement and
Controller can initiate a one-off Measurement Task ("Do measurement Report Schedule. As well as periodic Measurement Tasks, a Controller
now", "Report as soon as possible"). These are called the can initiate a one-off (non-recurring) Measurement Task ("Do
Measurement and Report Schedule. measurement now", "Report as soon as possible").
The Collector accepts a Report from a MA with the results from its The Collector accepts a Report from a MA with the results from its
tests. It may also do some processing on the results - for instance Measurement Tasks. It may also do some post-processing on the
to eliminate outliers, as they can severely impact the aggregated results, for instance to eliminate outliers, as they can severely
results. impact the aggregated results.
Finally we introduce several components that are out of scope of the Finally we introduce several components that are out of scope of the
LMAP WG and will be provided through existing protocols or LMAP WG and will be provided through existing protocols or
applications. They affect how the measurement system uses the applications. They affect how the measurement system uses the
Measurement Results and how it decides what set of Measurement Tasks Measurement Results and how it decides what set of Measurement Tasks
to perform. to perform.
The MA needs to be bootstrapped with initial details about its The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP WG Controller, including authentication credentials. The LMAP WG
considers the boostrap process, since it affects the Information considers the bootstrap process, since it affects the Information
Model. However, it does not define a bootstrap protocol, since it is Model. However, it does not define a bootstrap protocol, since it is
likely to be technology specific and could be defined by the likely to be technology specific and could be defined by the
Broadband Forum, DOCSIS or IEEE. depending on the device. Possible Broadband Forum, CableLabs or IEEE depending on the device. Possible
protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management
Protocol (CWMP) from the Auto Configuration Server (ACS) (as Protocol (CWMP) from the Auto Configuration Server (ACS) (as
specified in TR-069). specified in TR-069).
A Subscriber Parameter Database contains information about the line, A Subscriber parameter database contains information about the line,
for example the customer's broadband contract (perhaps 2, 40 or 80Mb/ such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s),
s), the line technology (DSL or fibre), the time zone where the MA is the line technology (DSL or fibre), the time zone where the MA is
located, and the type of home gateway and MA. These are all factors located, and the type of home gateway and MA. These parameters are
which may affect the choice of what Measurement Tasks to run and how already gathered and stored by existing operations systems. They may
to interpret the Measurement Results. For example, a download test affect the choice of what Measurement Tasks to run and how to
interpret the Measurement Results. For example, a download test
suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s
line. Another example is if the Controller wants to run a one-off line.
Measurement Task to diagnose a fault, then it should understand what
problem the customer is experiencing and what Measurement Tasks have
already been run. The Subscribers' service parameters are already
gathered and stored by existing operations systems.
A Results Repository records all measurements in an equivalent form, A results repository records all Measurement Results in an equivalent
for example an SQL database, so that they can be easily accessed by form, for example an SQL database, so that they can easily be
the Data Analysis Tools. The Data Analysis Tools also need to accessed by the data analysis tools. The data analysis tools also
understand the Subscriber's service information, for example the need to understand the Subscriber's service information, for example
broadband contract. the broadband contract.
The Data Analysis Tools receive the results from the Collector or via The data analysis tools receive the results from the Collector or via
the Results Database. They might visualise the data or identify the Results repository. They might visualise the data or identify
which component or link is likely to be the cause of a fault or which component or link is likely to be the cause of a fault or
degradation. degradation. This information could help the Controller decide what
follow-up Measurement Task to perform in order to diagnose a fault.
The operator's OAM (Operations, Administration, and Maintenance) uses The operator's OAM (Operations, Administration, and Maintenance) uses
the results from the tools. the results from the tools.
^ ^
| |
IPPM Active IPPM
+---------------+ Test +-------------+ Scope +---------------+ Measurement +-------------+ Scope
+------->| Measurement |<---------->| Measurement | v +------->| Measurement |<------------>| Measurement | v
| | Agent | Traffic | Peer | ^ | | Agent | Traffic | Peer | ^
| +---------------+ +-------------+ | | +---------------+ +-------------+ |
| ^ | | | ^ | |
| Instruction | | Report | | Instruction | | Report |
| | +-----------------+ | | | +-----------------+ |
| | | | | | | |
| | v LMAP | | v LMAP
| +------------+ +------------+ Scope | +------------+ +------------+ Scope
| | Controller | | Collector | | | | Controller | | Collector | |
| +------------+ +------------+ v | +------------+ +------------+ v
| ^ ^ | ^ | ^ ^ | ^
| | | | | | | | | |
| | +----------+ | | | | +----------+ | |
| | | v | | | | v |
+------------+ +----------+ +--------+ +----------+ | +------------+ +----------+ +--------+ +----------+ |
|Bootstrapper| |Subscriber|--->| Data |<---|Repository| Out |Bootstrapper| |Subscriber|--->| data |<---|repository| Out
+------------+ |Parameter | |Analysis| +----------+ of +------------+ |parameter | |analysis| +----------+ of
|Database | | Tools | Scope |database | | tools | Scope
+----------+ +--------+ | +----------+ +--------+ |
| |
v v
Figure 1: Schematic of main elements of an LMAP-based Figure 1: Schematic of main elements of an LMAP-based
measurement system measurement system
(showing the elements in and out of the scope of the LMAP WG) (showing the elements in and out of the scope of the LMAP WG)
3. Terminology 3. Terminology
This section defines terminology for LMAP. Please note that defined This section defines terminology for LMAP. Please note that defined
terms are capitalized. terms are capitalized.
Active Measurement Method (Task): A type of Measurement Method (Task) Active Measurement Method (Task): A type of Measurement Method (Task)
that involves a Measurement Agent and a Measurement Peer (or possibly that involves a Measurement Agent and a Measurement Peer (or possibly
Peers), where either the Measurement Agent or the Measurement Peer Peers), where either the Measurement Agent or the Measurement Peer
injects test packet(s) into the network destined for the other, and injects Active Measurement Traffic into the network destined for the
which involves one of them measuring some performance or reliability other, and which involves one of them measuring some performance or
parameter associated with the transfer of the packet(s). reliability parameter associated with the transfer of the traffic.
Bootstrap Protocol: A protocol that initialises a Measurement Agent Active Measurement Traffic: the packet(s) generated by the
with the information necessary to be integrated into a measurement Measurement Agent and/or the Measurement Peer, as part of an Active
system. Measurement Task.
Capabilities Information: The list of the Measurement Methods that Bootstrap: A process that initialises a Measurement Agent with the
the MA can perform, plus information about the device hosting the MA information necessary to be integrated into a measurement system.
(for example its interface type and speed and its IP address).
Channel: a schedule, a target and the associated security information Capabilities: Information about the Measurement Methods that the MA
for that target. In the case of a Report Channel it is a specific can perform and the device hosting the MA, for example its interface
Report Schedule, a Collector and its associated security information. type and speed and its IP address.
Channel: an Instruction Channel, Report Channel or MA-to-Controller
Channel
Collector: A function that receives a Report from a Measurement Collector: A function that receives a Report from a Measurement
Agent. Colloquially, a Collector is a physical device that performs Agent.
this function.
Composite Metric: A Metric that is a combination of other Metrics,
and/or a combination of the same Metric measured over different parts
of the network or at different times.
Controller: A function that provides a Measurement Agent with Controller: A function that provides a Measurement Agent with
Instruction(s). Colloquially, a Controller is a physical device that Instruction(s).
performs this function.
Control Channel: a communications channel between a Controller and a
MA, which is defined by a specific Controller, MA and associated
security, and over which Instructions are sent.
Control Protocol: The protocol delivering Instruction(s) from a Control Protocol: The protocol delivering Instruction(s) from a
Controller to a Measurement Agent. It also delivers Failure Controller to a Measurement Agent. It also delivers Failure
Information and Capabilities Information from the Measurement Agent Information and Capabilities Information from the Measurement Agent
to the Controller. to the Controller.
Cycle-ID: A tag that is sent by the Controller in an Instruction and Cycle-ID: (optional) A tag that is sent by the Controller in an
echoed by the MA in its Report; Measurement Results with the same Instruction and echoed by the MA in its Report. The same Cycle-ID is
Cycle-ID are expected to be comparable. used by several MAs that use the same Measurement Method with the
same Input Parameters. Hence the Cycle-ID allows the Collector to
easily identify Measurement Results that should be comparable.
Data Model: The implementation of an Information Model in a Data Model: The implementation of an Information Model in a
particular data modelling language. particular data modelling language.
Derived Metric: A Metric that is a combination of other Metrics, and/
or a combination of the same Metric measured over different parts of
the network, or at different times.
Environmental Constraint: A parameter that is measured as part of the Environmental Constraint: A parameter that is measured as part of the
Measurement Task, its value determining whether the rest of the Measurement Task, its value determining whether the rest of the
Measurement Task proceeds. Measurement Task proceeds.
Failure Information: Information about the MA's failure to action or Failure Information: Information about the MA's failure to action or
execute an Instruction, whether concerning Measurement Tasks or execute an Instruction, whether concerning Measurement Tasks or
Reporting. Reporting.
Group-ID: An identifier of a group of MAs. Group-ID: (optional) An identifier of a group of MAs.
Information Model: The protocol-neutral definition of the semantics Information Model: The protocol-neutral definition of the semantics
of the Instructions, the Report, the status of the different elements of the Instructions, the Report, the status of the different elements
of the measurement system as well of the events in the system. of the measurement system as well of the events in the system.
Input Parameter: A parameter whose value is left open by the
Measurement Method and is set to a specific value in a Measurement
Task. Altering the value of an Input Parameter does not change the
fundamental nature of the Measurement Method.
Instruction: The description of Measurement Tasks to perform and the Instruction: The description of Measurement Tasks to perform and the
details of the Report to send. The Instruction is sent by a details of the Report to send. The Instruction is sent by a
Controller to a Measurement Agent. Controller to a Measurement Agent.
MA-to-Controller Channel: a communications channel between a MA and a
Controller, which is defined by a specific Controller, MA and
associated security, and over which Capabilities and Failure
Information is sent.
Measurement Agent (MA): The function that receives Instructions from Measurement Agent (MA): The function that receives Instructions from
a Controller, performs Measurement Tasks (perhaps in concert with a a Controller, performs Measurement Tasks (perhaps in concert with a
Measurement Peer) and reports Measurement Results to a Collector. Measurement Peer) and reports Measurement Results to a Collector.
Colloquially, a Measurement Agent is a physical device that performs
this function. Measurement Agent Identifier (MA-ID): a UUID [RFC4122], which is
configured as part of the Bootstrapping and included in a
Capabilities message, Failure Information message and optionally in a
Report.
Measurement Method: The process for assessing the value of a Metric; Measurement Method: The process for assessing the value of a Metric;
the process of measuring some performance or reliability parameter; the process of measuring some performance or reliability parameter;
the generalisation of a Measurement Task. the generalisation of a Measurement Task.
Measurement Parameter: A parameter whose value is left open by the
Measurement Method.
Measurement Peer: The function that receives control messages and Measurement Peer: The function that receives control messages and
test packets from a Measurement Agent and may reply to the Active Measurement Traffic from a Measurement Agent and may reply to
Measurement Agent as defined by the Measurement Method. the Measurement Agent as defined by the Active Measurement Method.
Measurement Result: The output of a single Measurement Task (the Measurement Result: The output of a single Measurement Task (the
value obtained for the parameter of interest, or Metric). value obtained for the parameter of interest or Metric).
Measurement Schedule: the schedule for performing a series of Measurement Schedule: the schedule for performing Measurement Tasks.
Measurement Tasks.
Measurement Suppression: a type of Instruction that stops Measurement Suppression: a type of Instruction that temporarily stops
(suppresses) Measurement Tasks. (suppresses) Active Measurement Tasks.
Measurement Task: The act that yields a single Measurement Result; Measurement Task: The act that yields a single Measurement Result;
the act consisting of the (single) operation of the Measurement the act consisting of the (single) operation of the Measurement
Method at a particular time and with all its parameters set to Method at a particular time and with all its parameters set to
specific values. specific values.
Metric: The quantity related to the performance and reliability of Metric: The quantity related to the performance and reliability of
the Internet that we'd like to know the value of, and that is the network that we'd like to know the value of, and that is
carefully specified. carefully specified.
Passive Measurement Method (Task): A Measurement Method (Task) in Passive Measurement Method (Task): A Measurement Method (Task) in
which a Measurement Agent observes existing traffic at a specific which a Measurement Agent observes existing traffic but does not
measurement point, but does not inject test packet(s). inject Active Measurement Traffic.
Report: The Measurement Results and other associated information (as Report: The Measurement Results and other associated information (as
defined by the Instruction). The Report is sent by a Measurement defined by the Instruction). The Report is sent by a Measurement
Agent to a Collector. Agent to a Collector.
Report Channel: a communications channel between a MA and a
Collector, which is defined by a specific MA, Collector, Report
Schedule and associated security, and over which Reports are sent.
Report Protocol: The protocol delivering Report(s) from a Measurement Report Protocol: The protocol delivering Report(s) from a Measurement
Agent to a Collector. Agent to a Collector.
Report Schedule: the schedule for sending a series of Reports to a Report Schedule: the schedule for sending one or more Reports to a
Collector. Collector.
Subscriber: An entity (associated with one or more users) that is Subscriber: An entity (associated with one or more users) that is
engaged in a subscription with a service provider. The subscriber is engaged in a subscription with a service provider. The Subscriber is
allowed to subscribe and un-subscribe services, and to register a allowed to subscribe and un-subscribe services, and to register a
user or a list of users authorized to enjoy these services. [Q1741] user or a list of users authorized to enjoy these services. [Q1741]
Both the subscriber and service provider are allowed to set the Both the Subscriber and service provider are allowed to set the
limits relative to the use that associated users make of subscribed limits relative to the use that associated users make of subscribed
services. services.
Active Measurement Traffic: for Active Measurement Tasks, the traffic
generated by the Measurement Agent and/or the Measurement Peer to
execute the requested Measurement Task.
4. Constraints 4. Constraints
The LMAP framework makes some important assumptions, which constrain The LMAP framework makes some important assumptions, which constrain
the scope of the work to be done. the scope of the work to be done.
4.1. Measurement system is under the direction of a single organisation 4.1. Measurement system is under the direction of a single organisation
In the LMAP framework, the measurement system is under the direction In the LMAP framework, the measurement system is under the direction
of a single organisation that is responsible both for the data and of a single organisation that is responsible both for the data and
the quality of experience delivered to its users. Clear the quality of experience delivered to its users. Clear
skipping to change at page 11, line 29 skipping to change at page 12, line 25
specific types of MA before deployment to ensure that the end user specific types of MA before deployment to ensure that the end user
experience is not impacted (due to CPU, memory or broadband-product experience is not impacted (due to CPU, memory or broadband-product
constraints). constraints).
An operator may have several Controllers, perhaps with a Controller An operator may have several Controllers, perhaps with a Controller
for different types of MA (home gateways, tablets) or location for different types of MA (home gateways, tablets) or location
(Ipswich, Edinburgh). (Ipswich, Edinburgh).
5. LMAP Protocol Model 5. LMAP Protocol Model
A protocol model presents (RFC4101) "an architectural model for how A protocol model [RFC4101] presents an architectural model for how
the protocol operates ... a short description of the system in the protocol operates and needs to answer three basic questions:
overview form, ... [which] needs to answer three basic questions:
1. What problem is the protocol trying to achieve? 1. What problem is the protocol trying to achieve?
2. What messages are being transmitted and what do they mean? 2. What messages are being transmitted and what do they mean?
3. What are the important, but unobvious, features of the protocol?" 3. What are the important, but unobvious, features of the protocol?
An LMAP system goes through the following phases: An LMAP system goes through the following phases:
o a bootstrapping process before the MA can take part in the three o a bootstrapping process before the MA can take part in the other
items below three phases
o a Control Protocol, which delivers an Instruction from a o a Control Protocol, which delivers an Instruction from a
Controller and a MA. The Instruction details what Measurement Controller to a MA, detailing what Measurement Tasks the MA should
Tasks the MA should perform and when, and how it should report the perform and when, and how it should report the Measurement Results
Measurement Results
o the actual Measurement Tasks are performed. An Active Measurement o the actual Measurement Tasks are performed. An Active Measurement
Task involves sending Active Measurement Traffic between the Task involves sending Active Measurement Traffic between the
Measurement Agent and a Measurement Peer, whilst a Passive Measurement Agent and a Measurement Peer, whilst a Passive
Measurement Task involves (only) the Measurement Agent observing Measurement Task involves (only) the Measurement Agent observing
existing user traffic. The LMAP WG does not define Measurement existing user traffic. The LMAP WG does not define Measurement
Methods, however the IPPM WG does. Methods, however the IPPM WG does.
o a Report Protocol, which delivers a Report from the MA to a o a Report Protocol, which delivers a Report from the MA to a
Collector. The Report contains the Measurement Results. Collector. The Report contains the Measurement Results.
In the diagrams the following convention is used: In the diagrams the following convention is used:
o (optional): indicated by round brackets o (optional): indicated by round brackets
o [potentially repeated]: indicated by square brackets o [potentially repeated]: indicated by square brackets
The Protocol Model is closely related to the Information Model The protocol model is closely related to the Information Model
[I-D.burbridge-lmap-information-model], which is the abstract [I-D.burbridge-lmap-information-model], which is the abstract
definition of the information carried by the protocol model. The definition of the information carried by the protocol model. The
purpose of both is to provide a protocol and device independent view, purpose of both is to provide a protocol and device independent view,
which can be implemented via specific protocols. The LMAP WG will which can be implemented via specific protocols. The LMAP WG will
define a specific Control Protocol and Report Protocol, but other define a specific Control Protocol and Report Protocol, but others
Protocols could be defined by other standards bodies or be could be defined by other standards bodies or be proprietary.
proprietary. However it is important that they all implement the However it is important that they all implement the same Information
same Information and Protocol Model, in order to ease the definition, Model and protocol model, in order to ease the definition, operation
operation and interoperability of large-scale measurement systems. and interoperability of large-scale measurement systems.
The diagrams show the flow of LMAP information, however there may The diagrams show the various LMAP messages and Section 5.5 considers
need to be other protocol interactions. For example, typically the how they could be mapped onto an underlying transport protocol.
MA is behind a NAT, so it needs to initiate communications in order
that the Controller can communicate with it. The communications
channel also needs to be secured before it is used. Another example
is that the Collector may want to 'pull' Measurement Results from a
MA.
5.1. Bootstrapping process 5.1. Bootstrapping process
The primary purpose of bootstrapping is to enable the MA and The primary purpose of bootstrapping is to enable the MA and
Controller to be integrated into a measurement system. In order to Controller to be integrated into a measurement system. In order to
do that, the MA needs to retrieve information about itself (like its do that, the MA needs to retrieve information about itself (like its
identity in the measurement system), about the Controller and the identity in the measurement system), about the Controller, as well as
Collector(s) as well as security information (such as certificates security information (such as certificates and credentials).
and credentials).
+--------------+ +--------------+
| Measurement | | Measurement |
| Agent | | Agent |
+--------------+ +--------------+
(Initial Controller details: (initial Controller details:
address or FQDN, -> address or FQDN, ->
security credentials, MA-ID) security credentials)
+-----------------+ +-----------------+
| Initial | | initial |
| Controller | | Controller |
+-----------------+ +-----------------+
<- (register) <- (register)
Controller details: Controller details:
address or FQDN, -> address or FQDN, ->
security credentials security credentials
+-----------------+ +-----------------+
| | | |
| Controller | | Controller |
+-----------------+ +-----------------+
<- register <- register
(MA-ID, Group-ID, report?) -> MA-ID, (Group-ID), ->
Control Channel,
(Suppression Channel),
MA-to-Controller Channel
The MA knows how to contact a Controller through some device /access The MA knows how to contact a Controller through some device /access
specific mechanism. For example, this could be in the firmware, specific mechanism. For example, this could be in the firmware,
downloaded, manually configured or via a protocol like TR-069. The downloaded, manually configured or via a protocol like TR-069. The
Controller could either be the one that will send it Instructions Controller could either be the one that will send it Instructions or
(see next sub-section) or else an initial Controller. The role of an else an initial Controller (whose details may be statically
initial Controller is simply to inform the MA how to contact its configured). The role of an initial Controller is simply to inform
actual Controller; this could be useful, for example: for load the MA how to contact its actual Controller, for example its FQDN
balancing; if the details of the initial Controller are statically (Fully Qualified Domain Name) [RFC1035].
configured; if the measurement system has specific Controllers for
different devices types; or perhaps as a way of handling failure of
the Controller.
If the MA has not learnt its identifier (MA-ID) while bootstrapping, The MA learns its identifier (MA-ID). It may also be told a Group-ID
it will do so when the MA registers with the Controller; it may also and whether to include the MA-ID as well as the Group-ID in its
be told a Group-ID and whether to include the MA-ID as well as the Reports. A Group-ID would be shared by several MAs and could be
Group-ID in its Reports. A Group-ID would be shared by several MAs useful for privacy reasons, for instance to hinder tracking of a
and could be useful for privacy reasons (for instance to hinder mobile device.
tracking of a mobile MA device). The MA may also tell the Controller
its Capabilities (such as the Measurement Methods it can perform)
(see next sub-section).
If the device with the MA re-boots, then the MA need to re-register, The MA is also told about the Control Channel over which it will
receive Instructions from the Controller, in particular the
associated security information, for example to enable the MA to
decrypt the Instruction. Optionally any Suppression messages can be
sent over a different Channel. The MA is also informed about the MA-
to-Controller Channel, over which the MA can tell the Controller
about its Capabilities and any Failure Information. This consists of
the address of the Controller, for instance its URL, and security
details for MA-to-Controller messages.
The MA may tell the Controller its Capabilities, in particular the
Measurement Methods it can perform.
If the device with the MA re-boots, then the MA needs to re-register,
so that it can receive a new Instruction. To avoid a "mass calling so that it can receive a new Instruction. To avoid a "mass calling
event" after a widespread power restoration affecting many MAs, it is event" after a widespread power restoration affecting many MAs, it is
sensible for an MA to pause for a random delay (perhaps in the range sensible for an MA to pause for a random delay (perhaps in the range
of one minute) before re-registering. of one minute or so) before re-registering.
Whilst the LMAP WG considers the bootstrapping process, it is out of Whilst the LMAP WG considers the bootstrapping process, it is out of
scope to define a bootstrap mechanism, as it depends on the type of scope to define a bootstrap mechanism, as it depends on the type of
device and access. device and access.
5.2. Control Protocol 5.2. Control Protocol
The primary purpose of the Control Protocol is to allow the The primary purpose of the Control Protocol is to allow the
Controller to configure a Measurement Agent with Measurement Controller to configure a Measurement Agent with an Instruction about
Instructions, which it then acts on autonomously. what Measurement Tasks to do, when to do them, and how to report the
Measurement Results. The Measurement Agent then acts on the
Instruction autonomously.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |===================================| Agent | | Controller |===================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
(Capability request) -> -----------------+ +-------------+
<- List of Measurement (Capabilities request) ->
Methods <- Capabilities
ACK -> ACK ->
Instruction: Instruction:
[(Measurement Task (parameters)), -> [(Measurement Task (Input Parameters)), ->
(Measurement Schedule), (Measurement Schedule),
(Report Channel(s))] (Report Channel(s))]
<- ACK <- ACK
Suppress -> <- Failure Information:
<- ACK [reason]
Un-suppress -> ACK ->
<- ACK The Controller needs to know the Capabilities of the MA, and in
particular what Measurement Methods it supports, so that it can
correctly instruct the MA. It is possible that the Controller knows
the MA's Capabilities via some mechanism beyond the scope of LMAP,
such as a device-specific protocol. In LMAP, the MA can inform the
Controller about its Capabilities. This message could be sent in
several circumstances: when the MA first communicates with a
Controller; when the MA becomes capable of a new Measurement Method;
when requested by the Controller (for example, if the Controller
forgets what the MA can do or otherwise wants to resynchronize what
it knows about the MA). Note that Capabilities do not include
dynamic information like the MA's currently unused CPU, memory or
battery life.
<- Failure report: A single Instruction message contains one, two, three or all four of
[reason] the following elements:
ACK ->
The Instruction contains: o configuration of all the Measurement Tasks, each of which needs:
o what Measurement Tasks to do: the Measurement Methods could be * the Measurement Method, specified as a URN to a registry entry.
defined by reference to a registry entry, along with any The registry could be defined by the IETF
parameters that need to be set (such as the address of the [I-D.bagnulo-ippm-new-registry-independent], locally by the
Measurement Peer) and any Environmental Constraint (such as, operator of the measurement system or perhaps by another
'delay the measurement task if the end user is active') standards organisation.
o when to do them: the Measurement Schedule details the timings of * any Input Parameters that need to be set for the Measurement
regular measurement tasks, one-off measurement tasks Method, such as the address of the Measurement Peer
o how to report the Measurement Results: via Reporting Channel(s), * if the device with the MA has multiple interfaces, then the
each of which defines a target Collector and Report Schedule interface to use
An Instruction could contain one or more of the above elements, since * optionally, a Cycle-ID
the Controller may want the MA to perform several different
Measurement Tasks (measure UDP latency and download speed), at
several frequencies (a regular test every hour and a one-off test
immediately), and report to several Collectors. The different
elements can be updated independently at different times and
regularities, for example it is likely that the Measurement Schedule
will be updated more often than the other elements.
A new Instruction replaces (rather than adds to) those elements that * a name for this Measurement Task configuration
it includes. For example, if the new Instruction includes (only) a
Measurement Schedule, then that replaces the old Measurement Schedule
but does not alter the configuration of the Measurement Tasks and
Report Channels.
If the Instruction includes several Measurement Tasks, these could be o configuration of all the Report Channels, each of which needs:
scheduled to run at different times or possibly at the same time -
some Tasks may be compatible, in that they do not affect each other's
Results, whilst with others great care would need to be taken.
A Measurement Task may create more than one Measurement Result. For * the address of the Collector, for instance its URL
example, one Result could be reported periodically, whilst another
could be an alarm that is reported immediately a the measured value
of a Metric goes below a threshold.
In general we expect that the Controller knows what Measurement * the timing of when to report Measurement Results, for example
Methods the MA supports, such that the Controller can correctly every hour or immediately
instruct the MA. Note that the Control Protocol does not allow
negotiation (which would add complexity to the MA, Controller and
Control Protocol for little benefit).
However, the Control protocol includes a Capabilities detection * security for sending the Report, for example the X.509
feature, through which the MA can send to the Controller the complete certificate
list of Measurement Methods that it is capable of. Note that it is
not intended to indicate dynamic capabilities like the MA's currently
unused CPU, memory or battery life. The list of Measurement Methods
could be useful in several circumstances: when the MA first
communicates with a Controller; when the MA becomes capable of a new
Measurement Method; when requested by the Controller (for example, if
the Controller forgets what the MA can do or otherwise wants to
resynchronize what it knows about the MA).
The Controller has the ability to send a "suppress" message to MAs. * a name for this Report Channel
This could be useful if there is some unexpected network issue and so
the measurement system wants to eliminate inessential traffic. As a
result, temporarily the MA does not start new Active Measurement
Tasks, and it may also stop in-progress Measurement Tasks, especially
ones that are long-running &/or create a lot of traffic. See the
next section for more information on stopping Measurement Tasks.
Note that if a Controller wants to permanently stop a Measurement
Task, it should send a new Measurement Schedule, as suppression is
intended to temporarily stop Tasks. The Controller can send an "un-
suppress" message to indicate that the temporary problem is solved
and Active Measurement Tasks can begin again.
The figure shows that the various messages are acknowledged, which o the set of periodic Measurement Schedules, each of which needs:
means that they have been delivered successfully.
There is no need for the MA to confirm to the Controller that it has * the name of one or several Measurement Task configurations
understood and acted on the Instruction, since the Controller knows
the capabilities of the MA. However, the Control Protocol must * the timing of when the Measurement Tasks are to be performed.
support robust error reporting by the MA, to provide the Controller Possible types of timing are periodic and calendar-based
with sufficiently detailed reasons for any failures. These could periodic
concern either the Measurement Tasks and Schedules, or the Reporting.
In both cases there are two broad categories of failure. Firstly, * the name of a Report Channel or Channels on which to report the
the MA cannot action the Instruction (for example, it doesn't include Measurement Results
a parameter that is mandatory for the requested Measurement Method;
or it is missing details of the target Collector). Secondly, the MA * a name for this Measurement Schedule
cannot execute the Measurement Task or deliver the Report (for
example, the MA unexpectedly has no spare CPU cycles; or the o the set of one-off Measurement Schedules, each of which needs the
Collector is not responding). Note that it is not considered a same items as for a periodic Measurement Schedule, except that the
failure if a Measurement Task (correctly) doesn't start - for example possible types of timing are one-off immediate and one-off at a
if the MA detects cross-traffic; instead this is reported to the future time.
Collector in the normal manner.
A single Instruction message contains one, two, three or all four of
the above elements. This allows the different elements to be updated
independently at different times and intervals, for example it is
likely that the periodic Measurement Schedule will be updated more
often than the other elements.
Note that an Instruction message replaces (rather than adds to) those
elements that it includes. For example, if the message includes
(only) a periodic Measurement Schedule, then that replaces the old
periodic Measurement Schedule but does not alter the configuration of
the Measurement Tasks and Report Channels.
Periodic Measurement Schedules contain the name of one or several
Measurement Task configurations that are to be carried out on a
recurring basis, whilst one-off Measurement Schedules contain non-
recurring Measurement Tasks. One-off and periodic Measurement
Schedules are kept separate so that the Controller can instruct the
MA to perform an ad hoc Measurement Task (for instance to help
isolate a fault) without having to re-notify the MA about the
periodic Measurement Schedule.
Note that the Instruction informs the MA; the Control Protocol does
not allow the MA to negotiate, as this would add complexity to the
MA, Controller and Control Protocol for little benefit.
The MA can inform the Controller about a Failure. There are two
broad categories of failure: (1) the MA cannot action the Instruction
(for example, it doesn't include a parameter that is mandatory for
the requested Measurement Method; or it is missing details of the
target Collector). (2) the MA cannot execute the Measurement Task or
deliver the Report (for example, the MA unexpectedly has no spare CPU
cycles; or the Collector is not responding). Note that it is not
considered a failure if a Measurement Task (correctly) doesn't start;
for example if the MA detects cross-traffic, this is reported to the
Collector in the normal manner. Note also that the MA does not
inform the Controller about normal operation of its Measurement Tasks
and Reports.
In the Figure, ACK means that the message has been delivered
successfully.
Finally, note that the MA doesn't do a 'safety check' with the Finally, note that the MA doesn't do a 'safety check' with the
Controller (that it should still continue with the requested Controller (that it should still continue with the requested
Measurement Tasks) - nor does it inform the Controller about Measurement Tasks) - nor does it inform the Controller about
Measurement Tasks starting and stopping. It simply carries out the Measurement Tasks starting and stopping. It simply carries out the
Measurement Tasks as instructed, unless it gets an updated Measurement Tasks as instructed, unless it gets an updated
Instruction. Instruction.
The LMAP WG will define a Control Protocol and its associated Data The LMAP WG will define a Control Protocol and its associated Data
Model that implements the Protocol & Information Model. This may be Model that implements the Protocol & Information Model. This may be
a simple instruction - response protocol, and LMAP will specify how a simple instruction-response protocol.
it operates over an existing protocol - to be selected, perhaps REST-
style HTTP(s) or NETCONF-YANG. 5.2.1. Measurement Suppression
Measurement Suppression is used if the measurement system wants to
eliminate inessential traffic, because there is some unexpected
network issue for example. The Controller instructs the MA to
temporarily not begin new Active Measurement Tasks. By default,
suppression applies to all Active Measurement Tasks, starts
immediately and continues until an un-suppress message is received.
Optionally the suppress message may include:
o a set of Active Measurement Tasks to suppress; the others are not
suppressed. For example, a particular Measurement Task may be
overloading a Measurement Peer.
o a set of Measurement Schedules to suppress; the others are not
suppressed. For example, suppose the measurement system has
defined two Schedules, one with the most critical Active
Measurement Tasks and the other with less critical ones that
create a lot of traffic, then it may only want to suppress the
second.
o a start time, at which suppression begins
o an end time, at which suppression ends.
It is not standardised what the impact of Suppression is on:
o Passive Measurement Tasks; since they do not create any Active
Measurement Traffic there is no need to suppress them, however it
may be simpler for an implementation to do so
o on-going Active Measurement Tasks; see Section 5.3
Note that Suppression is not intended to permanently stop a
Measurement Task (instead, the Controller should send a new
Measurement Schedule), nor to permanently disable a MA (instead, some
kind of management action is suggested).
+-----------------+ +-------------+
| | | Measurement |
| Controller |===================================| Agent |
+-----------------+ +-------------+
Suppress:
[(Measurement Task), ->
(Measurement Schedule),
start time, end time]
<- ACK
Un-suppress ->
<- ACK
5.3. Starting and stopping Measurement Tasks 5.3. Starting and stopping Measurement Tasks
The LMAP WG is neutral to what the actual Measurement Task is. The The LMAP WG is neutral to what the actual Measurement Task is. The
WG does not define a generic start and stop process, since the WG does not define a generic start and stop process, since the
correct approach depend on the particular Measurement Task; the correct approach depend on the particular Measurement Task; the
details are defined as part of each Measurement Method, and hence details are defined as part of each Measurement Method, and hence
potentially by the IPPM WG. potentially by the IPPM WG. This section provides some general
hints.
Once the MA gets its Measurement and Report Schedules from its Once the MA gets its Measurement and Report Schedules from its
Controller then it acts autonomously, in terms of operation of the Controller then it acts autonomously, in terms of operation of the
Measurement Tasks and reporting of the result. One implication is Measurement Tasks and reporting of the result. One implication is
that the MA initiates Measurement Tasks. As an example, for the that the MA initiates Measurement Tasks. As an example, for the
common case where the MA is on a home gateway, the MA initiates a common case where the MA is on a home gateway, the MA initiates a
'download speed test' by asking a Measurement Peer to send the file. 'download speed test' by asking a Measurement Peer to send the file.
Many Active Measurement Tasks begin with a pre-check before the test Many Active Measurement Tasks begin with a pre-check before the test
traffic is sent. Action could include: traffic is sent. Action could include:
o the MA checking that there is no cross-traffic (ie that the user o the MA checking that there is no cross-traffic; in other words, a
isn't already sending traffic); check that the user isn't already sending traffic;
o the MA checking with the Measurement Peer that it can handle a new o the MA checking with the Measurement Peer that it can handle a new
Measurement Task (in case the MP is already handling many Measurement Task (in case the Measurement Peer is already handling
Measurement Tasks with other MAs); many Measurement Tasks with other MAs);
o the first part of the Measurement Task consisting of traffic that o the first part of the Measurement Task consisting of traffic that
probes the path to make sure it isn't overloaded. probes the path to make sure it isn't overloaded.
It is possible that similar checks continue during the Measurement It is possible that similar checks continue during the Measurement
Task, especially one that is long-running &/or creates a lot of Test Task, especially one that is long-running and/or creates a lot of
Traffic, which may be abandoned whilst in-progress. A Measurement Active Measurement Traffic, which may be abandoned whilst in-
Task could also be abandoned in response to a "suppress" message (see progress. A Measurement Task could also be abandoned in response to
previous section). Action could include: a "suppress" message (see Section 5.2.1). Action could include:
o For 'upload' tests, the MA not sending traffic o For 'upload' tests, the MA not sending traffic
o For 'download' tests, the MA closing the TCP connection or sending o For 'download' tests, the MA closing the TCP connection or sending
a TWAMP Stop control message. a TWAMP Stop control message [RFC5357].
The Controller may want a MA to run the same Measurement Task The Controller may want a MA to run the same Measurement Task
indefinitely (for example, "run the 'upload speed' Measurement Task indefinitely (for example, "run the 'upload speed' Measurement Task
once an hour until further notice"). To avoid the MA generating once an hour until further notice"). To avoid the MA generating
traffic forever after a Controller has permanently failed, it is traffic forever after a Controller has permanently failed, it is
suggested that the Measurement Schedule includes a time limit ("run suggested that the Measurement Schedule includes a time limit ("run
the 'upload speed' Measurement Task once an hour for the next 30 the 'upload speed' Measurement Task once an hour for the next 30
days") and that the Measurement Schedule is updated regularly (say, days") and that the Measurement Schedule is updated regularly (say,
every 10 days). every 10 days).
{Comment: It is possible that the set of measurement schedules
implies overlapping Measurement Tasks. It is not clear the best
thing to do. Our current suggestion is to leave this to the protocol
document.}
5.4. Report Protocol 5.4. Report Protocol
The primary purpose of the Report Protocol is to allow a Measurement The primary purpose of the Report Protocol is to allow a Measurement
Agent to report its Measurement Results to a Collector, and the Agent to report its Measurement Results to a Collector, and the
context in which they were obtained. context in which they were obtained.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Collector |===================================| Agent | | Collector |===================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
<- Report: <- Report:
[MA-ID &/or Group-ID, [MA-ID &/or Group-ID,
Measurement Results, Measurement Results,
Measurement Task] details of Measurement Task]
ACK -> ACK ->
The MA acts autonomously in terms of reporting; it simply sends
Reports as defined by the Controller's Instruction.
The Report contains: The Report contains:
o the MA's identifier, or perhaps a Group-ID to anonymise results o the MA-ID or a Group-ID (to anonymise results)
o the actual Measurement Results, including the time they were o the actual Measurement Results, including the time they were
measured measured
o the details of the Measurement Task (to avoid the Collector having o the details of the Measurement Task (to avoid the Collector having
to ask the Controller for this information later) to ask the Controller for this information later)
The MA may report the Results to more than one Collector, if the The MA sends Reports as defined by the Report Channel in the
Instruction says so. It could also report a different subset of Controller's Instruction. It is possible that the Instruction tells
Results to different Collectors. the MA to report the same Results to more than one Collector, or to
report a different subset of Results to different Collectors. It is
also possible that a Measurement Task may create two (or more)
Measurement Results, which could be reported differently (for
example, one Result could be reported periodically, whilst the second
Result could be an alarm that is created as soon as the measured
value of the Metric crosses a threshold and that is reported
immediately).
Optionally, a Report is not sent when there are no Measurement Optionally, a Report is not sent when there are no Measurement
Results. Results.
In the initial LMAP Information Model and Report Protocol, for In the initial LMAP Information Model and Report Protocol, for
simplicity we assume that all Measurement Results are reported as-is, simplicity we assume that all Measurement Results are reported as-is,
but allow extensibility so that a measurement system (or perhaps a but allow extensibility so that a measurement system (or perhaps a
second phase of LMAP) could allow a MA to pre-process Measurement second phase of LMAP) could allow a MA to pre-process Measurement
Results before it reports them. Potential examples of pre-processing Results before it reports them. Potential examples of pre-processing
by the MA are: by the MA are:
o labelling, or perhaps not including, Measurement Results impacted o labelling, or perhaps not including, Measurement Results impacted
by for instance cross-traffic or the MP being busy by, for instance, cross-traffic or the Measurement Peer being busy
o detailing the start and end of suppression o not reporting the Measurement Results if the MA believes that they
are invalid
o detailing when suppression started and ended
o filtering outlier Results o filtering outlier Results
o calculating some statistic like average (beyond that defined by o calculating some statistic like average (beyond that defined by
the Measurement Task itself) the Measurement Task itself)
The measurement system may define what happens if a Collector The measurement system may define what happens if a Collector
unexpectedly does not hear from a MA. Possible solutions could unexpectedly does not hear from a MA, for example the Controller
include the ability for a Collector to 'pull' Measurement Results could send a fresh Report Schedule to the MA.
from a MA, or (after an out-of-scope indication from the Collector to
the Controller) for the Controller to send a fresh Report Schedule to
the MA. The measurement system also needs to consider carefully how
to interpret missing Results; for example, if the missing Results are
ignored and the lack of a Report is caused by its broadband being
broken, then the estimate of overall performance, averaged across all
MAs, would be too optimistic.
The LMAP WG will define a Report Protocol and its associated Data The LMAP WG will define a Report Protocol and its associated Data
Model that implements the Protocol & Information Model. This may be Model that implements the Information Model and protocol model. This
a simple instruction - response protocol, and LMAP will specify how may be a simple instruction-response protocol.
it operates over an existing protocol - to be selected, perhaps REST-
style HTTP(s) or IPFIX.
5.5. Items beyond the scope of the LMAP Protocol Model 5.5. Operation of LMAP over the underlying transport protocol
The above sections have described LMAP's protocol model. The LMAP
working group will also specify how it operates over an existing
protocol, to be selected, for example REST-style HTTP(S). It is also
possible that a different choice is made for the Control and Report
Protocols, for example NETCONF-YANG and IPFIX respectively. It is
even possible that a different choice could be made for Suppression
and for other Instruction messages.
For the Control Protocol, the underlying transport protocol could be:
o a 'push' protocol (that is, from the Controller to the MA)
o a multicast protocol (from the Controller to a group of MAs)
o a 'pull' protocol. The MA periodically checks with Controller if
the Instruction has changed and pulls a new Instruction if
necessary. A pull protocol seems attractive for a MA behind a NAT
(as is typical for a MA on an end-user's device), so that it can
initiate the communications. A pull mechanism is likely to
require the MA to be configured with how frequently it should
check in with the Controller, and perhaps what it should do if the
Controller is unreachable after a certain number of attempts.
o a hybrid protocol. In addition to a pull protocol, the Controller
can also push an alert to the MA that it should immediately pull a
new Instruction.
For the Report Protocol, the underlying transport protocol could be:
o a 'push' protocol (that is, from the MA to the Collector)
o perhaps supplemented by the ability for the Collector to 'pull'
Measurement Results from a MA.
5.6. Items beyond the scope of the LMAP Protocol Model
There are several potential interactions between LMAP elements that There are several potential interactions between LMAP elements that
are out of scope of definition by the LMAP WG: are out of scope of definition by the LMAP WG:
1. It does not define a coordination process between MAs. Whilst a 1. It does not define a coordination process between MAs. Whilst a
measurement system may define coordinated Measurement Schedules measurement system may define coordinated Measurement Schedules
across its various MAs, there is no direct coordination between across its various MAs, there is no direct coordination between
MAs. MAs.
2. It does not define interactions between the Collector and 2. It does not define interactions between the Collector and
Controller. It is quite likely that there will be such Controller. It is quite likely that there will be such
interactions, probably intermediated by the data analysis tools. interactions, optionally intermediated by the data analysis
For example if there is an "interesting" Measurement Result then tools. For example if there is an "interesting" Measurement
the measurement system may want to trigger extra Measurement Result then the measurement system may want to trigger extra
Tasks that explore the potential cause in more detail. Measurement Tasks that explore the potential cause in more
detail.
3. It does not define coordination between different measurement 3. It does not define coordination between different measurement
systems. For example, it does not define the interaction of a MA systems. For example, it does not define the interaction of a MA
in one measurement system with a Controller or Collector in a in one measurement system with a Controller or Collector in a
different measurement system. Whilst it is likely that the different measurement system. Whilst it is likely that the
Control and Report protocols could be re-used or adapted for this Control and Report Protocols could be re-used or adapted for this
scenario, any form of coordination between different scenario, any form of coordination between different
organisations involves difficult commercial and technical issues organisations involves difficult commercial and technical issues
and so, given the novelty of large-scale measurement efforts, any and so, given the novelty of large-scale measurement efforts, any
form of inter-organisation coordination is outside the scope of form of inter-organisation coordination is outside the scope of
the LMAP WG. Note that a single MA is instructed by a single the LMAP WG. Note that a single MA is instructed by a single
Controller and is only in one measurement system. Controller and is only in one measurement system.
* An interesting scenario is where a home contains two * An interesting scenario is where a home contains two
independent MAs, for example one controlled by a regulator and independent MAs, for example one controlled by a regulator and
one controlled by an ISP. Then the test traffic of one MA is one controlled by an ISP. Then the Active Measurement Traffic
treated by the other MA just like any other user traffic. of one MA is treated by the other MA just like any other user
traffic.
4. It does not specifically define a user-initiated measurement 4. It does not consider how to prevent a malicious party "gaming the
system, see sub-section. system". For example, where a regulator is running a measurement
system in order to benchmark operators, a malicious operator
could try to identify the broadband lines that the regulator was
measuring and prioritise that traffic. It is assumed this is a
policy issue and would be dealt with through a code of conduct
for instance.
5.5.1. User-controlled measurement system 5. It does not define how to analyse Measurement Results, including
how to interpret missing Results.
6. It does not specifically define a enduser-controlled measurement
system, see sub-section 5.6.1.
5.6.1. Enduser-controlled measurement system
The WG concentrates on the cases where an ISP or a regulator runs the The WG concentrates on the cases where an ISP or a regulator runs the
measurement system. However, we expect that LMAP functionality will measurement system. However, we expect that LMAP functionality will
also be used in the context of an end user-controlled measurement also be used in the context of an enduser-controlled measurement
system. There are at least two ways this could happen (they have system. There are at least two ways this could happen (they have
various pros and cons): various pros and cons):
1. a user could somehow request the ISP- (or regulator-) run 1. an enduser could somehow request the ISP- (or regulator-) run
measurement system to test his/her line. The ISP (or regulator) measurement system to test his/her line. The ISP (or regulator)
Controller would then send an Instruction to the MA in the usual Controller would then send an Instruction to the MA in the usual
LMAP way. Note that a user can't directly initiate a Measurement LMAP way. Note that a user can't directly initiate a Measurement
Task on an ISP- (or regulator-) controlled MA. Task on an ISP- (or regulator-) controlled MA.
2. a user could deploy their own measurement system, with their own 2. an enduser could deploy their own measurement system, with their
MA, Controller and Collector. For example, the user could own MA, Controller and Collector. For example, the user could
download all three functions onto the same user-owned end device; implement all three functions onto the same enduser-owned end
then the LMAP Control and Report protocols do not need to be device, perhaps by downloading the functions from the ISP or
used, but using LMAP's Information Model would still be regulator. Then the LMAP Control and Report Protocols do not
beneficial. The MP could be in the home gateway or outside the need to be used, but using LMAP's Information Model would still
home network; in the latter case the MP is highly likely to be be beneficial. The Measurement Peer could be in the home gateway
run by a different organisation, which raises extra privacy or outside the home network; in the latter case the Measurement
considerations. Peer is highly likely to be run by a different organisation,
which raises extra privacy considerations.
In both cases there will be some way for the user to initiate the In both cases there will be some way for the user to initiate the
Measurement Task(s). The mechanism is out-of-scope of the LMAP WG, Measurement Task(s). The mechanism is out-of-scope of the LMAP WG,
but could include the user clicking a button on a GUI or sending a but could include the user clicking a button on a GUI or sending a
text message. Presumably the user will also be able to see the text message. Presumably the user will also be able to see the
Measurement Results, perhaps summarised on a webpage. It is Measurement Results, perhaps summarised on a webpage. It is
suggested that these interfaces conform to the LMAP guidance on the suggested that these interfaces conform to the LMAP guidance on the
privacy of the Measurement Results and Subscriber information. privacy in Section 8.
6. MA Deployment considerations 6. Deployment considerations
6.1. Controller
The Controller should understand both the MA's LMAP Capabilities (for
instance what Measurement Methods it can perform) and about the MA's
other capabilities like processing power and memory. This allows the
Controller to make sure that the Measurement Schedule of Measurement
Tasks and the Reporting Schedule are sensible for each MA that it
Instructs.
An Instruction is likely to include several Measurement Tasks.
Typically these run at different times, but it is also possible for
them to run at the same time, if the Controller is sure that one Task
will not affect the Results of another Task.
The Controller should ensure that the Active Measurement Tasks do not
have an adverse effect on the end user. Typically Tasks, especially
those that generate a substantial amount of traffic, will include a
pre-check that the user isn't already sending traffic (Section 5.3).
Another consideration is whether Active Measurement Traffic will
impact a Subscriber's bill or traffic cap.
The different elements of the Instruction can be updated
independently. For example, the Measurement Tasks could be
configured with different Input Parameters whilst keeping the same
Measurement Schedule. In general this should not create any issues,
since Measurement Methods should be defined so their fundamental
nature does not change for a new value of Input Parameter. There
could be a problem if, for example, a Measurement Task involving a
1kB file upload could be changed into a 1GB file upload.
A measurement system may have multiple Controllers (but note the
overriding principle that a single MA is instructed by a single
Controller at any point in time (Section 4.2)). For example, there
could be different Controllers for different types of MA (home
gateways, tablets) or locations (Ipswich, Edinburgh), for load
balancing or to cope with failure of one Controller. One possibility
is that Bootstrapping involves an initial Controller, whose role is
simply to inform the MA how to contact its actual Controller.
6.2. Measurement Agent
The Measurement Agent could take a number of forms: a dedicated The Measurement Agent could take a number of forms: a dedicated
probe, software on a PC, embedded into an appliance, or even embedded probe, software on a PC, embedded into an appliance, or even embedded
into a gateway. A single site (home, branch office etc.) that is into a gateway. A single site (home, branch office etc.) that is
participating in a measurement could make use of one or multiple participating in a measurement could make use of one or multiple
Measurement Agents in a single measurement e.g., if there are Measurement Agents in a single measurement. If the site is multi
multiple output interfaces, there might be a Measurement Agent per homed there might be a Measurement Agent per interface.
interface.
The Measurement Agent could be deployed in a variety of locations. The Measurement Agent could be deployed in a variety of locations.
Not all deployment locations are available to every kind of Not all deployment locations are available to every kind of
Measurement Agent operator. There are also a variety of limitations Measurement Agent. There are also a variety of limitations and
and trade-offs depending on the final placement. The next sections trade-offs depending on the final placement. The next sections
outline some of the locations a Measurement Agent may be deployed. outline some of the locations a Measurement Agent may be deployed.
This is not an exhaustive list and combinations of the below may also This is not an exhaustive list and combinations may also apply.
apply.
6.1. Measurement Agent embedded in site gateway If the Instruction includes several Measurement Tasks, these could be
scheduled to run at different times or possibly at the same time -
some Tasks may be compatible, in that they do not affect each other's
Results, whilst with others great care would need to be taken.
A Measurement Agent embedded with the site gateway (e.g. in the case The measurement system also needs to consider carefully how to
of a a branch office in a managed service environment) is one of interpret missing Results; for example, if the missing Results are
better places the Measurement Agent could be deployed. All site to ignored and the lack of a Report is caused by its broadband being
ISP traffic would traverse through the gateway and passive broken, then the estimate of overall performance, averaged across all
measurements could easily be performed. Similarly, due to this user MAs, would be too optimistic.
traffic visibility, an Active Measurements Task could be rescheduled
so as not to compete with user traffic. Generally NAT and firewall
services are built into the gateway, allowing the Measurement Agent
the option to offer its Controller facing management interface
outside of the NAT/firewall. This placement of the management
interface allows the Controller to unilaterally contact the
Measurement Agent for instructions. However, if the site gateway is
owned and operated by the service provider, the Measurement Agent
will generally not be available for over the top providers, the
regulator, end users or enterprises.
6.2. Measurement Agent embedded behind Site NAT /Firewall 6.2.1. Measurement Agent embedded in site gateway
A Measurement Agent embedded with the site gateway, for example a
home router or the edge router of a branch office in a managed
service environment, is one of better places the Measurement Agent
could be deployed. All site-to-ISP traffic would traverse through
the gateway and passive measurements could easily be performed.
Similarly, due to this user traffic visibility, an Active
Measurements Task could be rescheduled so as not to compete with user
traffic. Generally NAT and firewall services are built into the
gateway, allowing the Measurement Agent the option to offer its
Controller facing management interface outside of the NAT/firewall.
This placement of the management interface allows the Controller to
unilaterally contact the Measurement Agent for instructions.
However, if the site gateway is owned and operated by the service
provider, the Measurement Agent will generally not be directly
available for over the top providers, the regulator, end users or
enterprises.
6.2.2. Measurement Agent embedded behind site NAT /Firewall
The Measurement Agent could also be embedded behind a NAT, a The Measurement Agent could also be embedded behind a NAT, a
firewall, or both. In this case the Controller may not be able to firewall, or both. In this case the Controller may not be able to
unilaterally contact the Measurement Agent unless either static port unilaterally contact the Measurement Agent unless either static port
forwarding configuration or firewall pin holing is configured. This forwarding configuration or firewall pin holing is configured, and
would require user intervention, and ultimately might not be an might not always be possible. It would require user intervention or
option available to the user (perhaps due to permissions). The pre-provisioning by the operator via a mechanisms such as TR-069.
Measurement Agent may originate a session towards the Controller and The Measurement Agent may originate a session towards the Controller
maintain the session for bidirectional communications. This would and maintain the session for bidirectional communications. This
alleviate the need to have user intervention on the gateway, but would alleviate the need to have user intervention on the gateway,
would reduce the overall scalability of the Controller as it would but would reduce the overall saleability of the Controller as it
have to maintain a higher number of active sessions. That said, would have to maintain a higher number of active sessions. That
sending keepalives to prop open the firewall could serve a dual said, sending keepalives to prop open the firewall could serve a dual
purpose in testing network reachability for the Measurement Agent. purpose in testing network reachability for the Measurement Agent.
An alternative would be to use a protocol such as UPnP or PCP An alternative would be to use a protocol such as UPnP or PCP
[RFC6887] to control the NAT/firewall if the gateway supports this [RFC6887] to control the NAT/firewall if the gateway supports this
kind of control. kind of control.
6.3. Measurement Agent in multi homed site 6.2.3. Measurement Agent in a multi-homed site
A broadband site may be multi-homed. For example, the site may be A broadband site may be multi-homed. For example, the site may be
connected to multiple broadband ISPs (perhaps for redundancy or load- connected to multiple broadband ISPs, perhaps for redundancy or load-
sharing), or have a broadband as well as mobile/WiFi connectivity. sharing, or have both wired and wireless broadband connectivity. It
It may also be helpful to think of dual stack IPv4 and IPv6 broadband may also be helpful to think of dual stack IPv4 and IPv6 broadband
sites as multi-homed. In these cases, there needs to be clarity on devices as multi-homed. In these cases, there needs to be clarity on
which network connectivity option is being measured. Sometimes this which network connectivity option is being measured. Sometimes this
is easily resolved by the location of the MA itself. For example, if is easily resolved by the location of the MA itself. For example, if
the MA is built into the gateway (and the gateway only has a single the MA is built into the gateway (and the gateway only has a single
WAN side interface), there is little confusion or choice. However, WAN side interface), there is little confusion or choice. However,
for multi-homed gateways or devices behind the gateway(s) of multi- for multi-homed gateways or devices behind the gateway(s) of multi-
homed sites it would be preferable to explicitly select the network homed sites it would be preferable to explicitly select the network
to measure (e.g. [RFC5533]) but the network measured should be to measure ([RFC5533]) but the network measured should be included in
included in the Measurement Result. Section 3.2 of the Measurement Result. Section 3.2 of [I-D.ietf-homenet-arch]
[I-D.ietf-homenet-arch] describes dual-stack and multi-homing describes dual-stack and multi-homing topologies that might be
topologies that might be encountered in a home network (which is encountered in a home network (which is generally a broadband
generally a broadband connected site). The Multiple Interfaces (mif) connected site). The Multiple Interfaces (mif) working group covers
working group covers cases where hosts are either directly attached cases where hosts are either directly attached to multiple networks
to multiple networks (physical or virtual) or indirectly (multiple (physical or virtual) or indirectly (multiple default routers, etc.).
default routers, etc.). [RFC6419] provides the current practices of [RFC6419] provides the current practices of multi-interfaces hosts
multi-interfaces hosts today. As some of the end goals of a MA is to today. As one aim is for a MA is to measure the end user's quality
replicate the end user's network experience, it is important to of experience, it is important to understand the current practices.
understand the current practices.
6.3. Measurement Peer
A Measurement Peer participates in Active Measurement Tasks. It may
have specific functionality to enable it to participate in a
particular Measurement Method. On the other hand, other Measurement
Methods may require no special functionality, for example if the
Measurement Agent sends a ping to example.com then the server at
example.com plays the role of a Measurement Peer.
A device may participate in some Measurement Tasks as a Measurement
Agent and in others as a Measurement Peer.
7. Security considerations 7. Security considerations
The security of the LMAP framework should protect the interests of The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who the measurement operator(s), the network user(s) and other actors who
could be impacted by a compromised measurement deployment. The could be impacted by a compromised measurement deployment. The
measurement system must secure the various components of the system measurement system must secure the various components of the system
from unauthorised access or corruption. from unauthorised access or corruption.
We assume that each Measurement Agent will receive measurement tasks We assume that each Measurement Agent (MA) will receive its
configuration, scheduling and reporting instructions from a single Instructions from a single organisation, which operates the
organisation (operator of the Controller). These instructions must Controller. These Instructions must be authenticated (to ensure that
be authenticated (to ensure that they come from the trusted they come from the trusted Controller), checked for integrity (to
Controller), checked for integrity (to ensure no-one has tampered ensure no-one has tampered with them) and not vulnerable to replay
with them) and be prevented from replay. If a malicious party can attacks. If a malicious party can gain control of the MA they can
gain control of the Measurement Agent they can use the MA use it to launch DoS attacks at targets, reduce the end user's
capabilities to launch DoS attacks at targets, reduce the network quality of experience and corrupt the Measurement Results that are
user experience and corrupt the measurement results that are reported reported to the Collector. By altering the Measurement Tasks and/or
to the Collector. By altering the tests that are operated and/or the the address that Results are reported to, they can also compromise
Collector address they can also compromise the confidentiality of the the confidentiality of the network user and the MA environment (such
network user and the MA environment (such as information about the as information about the location of devices or their traffic).
location of devices or their traffic).
The reporting of the MA must also be secured to maintain Reporting by the MA must also be secured to maintain confidentiality.
confidentiality. The results must be encrypted such that only the The results must be encrypted such that only the authorised Collector
authorised Collector can decrypt the results to prevent the leakage can decrypt the results to prevent the leakage of confidential or
of confidential or private information. In addition it must be private information. In addition it must be authenticated that the
authenticated that the results have come from the expected MA and results have come from the expected MA and that they have not been
that they have not been tampered with. It must not be possible to tampered with. It must not be possible to fool a MA into injecting
fool a MA into injecting falsified data into the measurement platform falsified data into the measurement platform or to corrupt the
or to corrupt the results of a real MA. The results must also be results of a real MA. The results must also be held and processed
held and processed securely after collection and analysis. securely after collection and analysis.
Availability should also be considered. While the loss of some MAs Availability should also be considered. While the loss of some MAs
may not be considered critical, the unavailability of the Collector may not be considered critical, the unavailability of the Collector
could mean that valuable business data or data critical to a could mean that valuable business data or data critical to a
regulatory process is lost. Similarly, the unavailability of a regulatory process is lost. Similarly, the unavailability of a
Controller could mean that the MAs do not operate a correct Controller could mean that the MAs do not operate a correct
Measurement Schedule. Measurement Schedule.
A malicious party could "game the system". For example, where a A malicious party could "game the system". For example, where a
regulator is running a measurement system in order to benchmark regulator is running a measurement system in order to benchmark
operators, an operator could try to identify the broadband lines that operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. This the regulator was measuring and prioritise that traffic. This
potential issue is currently handled by a code of conduct. It is potential issue is currently handled by a code of conduct. It is
outside the scope of the LMAP WG to consider the issue. outside the scope of the LMAP WG to consider the issue.
8. Privacy Considerations for LMAP 8. Privacy Considerations for LMAP
The LMAP Working Group will consider privacy as a core requirement The LMAP Working Group will consider privacy as a core requirement
and will ensure that by default measurement and collection mechanisms and will ensure that by default the Control and Report Protocols
and protocols operate in a privacy-sensitive manner, i.e. that operate in a privacy-sensitive manner and that privacy features are
privacy features are well-defined. well-defined.
This section provides a set of privacy considerations for LMAP. This This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the timely publication of [RFC6973]. section benefits greatly from the timely publication of [RFC6973].
There are dependencies on the integrity of the LMAP security Privacy and security (Section 7) are related. In some jurisdictions
mechanisms, described in the Security Considerations section above. privacy is called data protection.
We begin with a set of assumptions related to protecting the We begin with a set of assumptions related to protecting the
sensitive information of individuals and organizations participating sensitive information of individuals and organisations participating
in LMAP-orchestrated measurement and data collection. in LMAP-orchestrated measurement and data collection.
8.1. Categories of Entities with Information of Interest 8.1. Categories of Entities with Information of Interest
LMAP protocols need to protect the sensitive information of the LMAP protocols need to protect the sensitive information of the
following entities, including individuals and organizations who following entities, including individuals and organisations who
participate in measurement and collection of results. participate in measurement and collection of results.
o Individual Internet Users: Persons who utilize Internet access o Individual Internet users: Persons who utilise Internet access
services for communications tasks, according to the terms of services for communications tasks, according to the terms of
service of a service agreement. Such persons may be a Service service of a service agreement. Such persons may be a service
Subscriber, or have been given permission by the subscriber to use Subscriber, or have been given permission by the Subscriber to use
the service. the service.
o Internet Service Providers: Organizations who offer Internet o Internet service providers: Organisations who offer Internet
access service subscriptions, and thus have access to sensitive access service subscriptions, and thus have access to sensitive
information of Individuals who choose to use the service. These information of individuals who choose to use the service. These
organizations desire to protect their subscribers and their own organisations desire to protect their Subscribers and their own
sensitive information which may be stored in the process of sensitive information which may be stored in the process of
measurement and result collection. performing Measurement Tasks and collecting and Results.
o Other LMAP system Operators: Organizations who operate measurement o Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive
information.
o Other LMAP system operators: Organisations who operate measurement
systems or participate in measurements in some way. systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we include Although privacy is a protection extended to individuals, we include
discussion of ISPs and other LMAP system operators in this section. discussion of ISPs and other LMAP system operators in this section.
These organizations have sensitive information involved in the LMAP These organisations have sensitive information involved in the LMAP
system and revealed by measurements, and many of the same mitigations system, and many of the same dangers and mitigations are applicable.
are applicable. Further, the ISPs store information on their Further, the ISPs store information on their Subscribers beyond that
subscribers beyond that used in the LMAP system (e.g., billing used in the LMAP system (for instance billing information), and there
information), and there should be a benefit in considering all the should be a benefit in considering all the needs and potential
needs and potential solutions coherently. solutions coherently.
8.2. Examples of Sensitive Information 8.2. Examples of Sensitive Information
This section gives examples of sensitive information which may be This section gives examples of sensitive information which may be
measured or stored in a measurement system, and which is to be kept measured or stored in a measurement system, and which is to be kept
private by default in the LMAP core protocols. private by default in the LMAP core protocols.
Examples of Subscriber or authorized Internet User Sensitive Examples of Subscriber or authorised Internet user sensitive
Information: information:
o Sub-IP layer addresses and names (e.g., MAC address, BS id, SSID) o Sub-IP layer addresses and names (MAC address, base station ID,
SSID)
o IP address in use o IP address in use
o Personal Identification (Real Name) o Personal Identification (real name)
o Location (street address, city) o Location (street address, city)
o Subscribed Service Parameters o Subscribed service parameters
o Contents of Traffic (Activity, DNS queries, Destinations, o Contents of traffic (activity, DNS queries, destinations,
Equipment types, Account info for other services, etc.) equipment types, account info for other services, etc.)
o Status as a study volunteer and Schedule of (Active) Measurement o Status as a study volunteer and Schedule of (Active) Measurement
Tasks Tasks
Examples of Internet Service Provider Sensitive Information: Examples of Internet Service Provider sensitive information:
o Measurement device identification (equipment ID and IP address)
o Measurement Device Identification (Equipment ID and IP address)
o Measurement Instructions (choice of measurements) o Measurement Instructions (choice of measurements)
o Measurement Results (some may be shared, others may be private) o Measurement Results (some may be shared, others may be private)
o Measurement Schedule (exact times) o Measurement Schedule (exact times)
o Network Topology (Locations, Connectivity, Redundancy) o Network topology (locations, connectivity, redundancy)
o Subscriber billing information, and any of the above Subscriber o Subscriber billing information, and any of the above Subscriber
Information known to the provider. information known to the provider.
o Authentication credentials (e.g., certificates) o Authentication credentials (such as certificates)
Other organizations will have some combination of the lists above. Other organisations will have some combination of the lists above.
The LMAP system would not typically expose all of the information The LMAP system would not typically expose all of the information
above, but could expose a combination of items which could be above, but could expose a combination of items which could be
correlated with other pieces collected by an attacker (as discussed correlated with other pieces collected by an attacker (as discussed
in the section on Threats below). in the section on Threats below).
8.3. Key Distinction Between Active and Passive Measurement Tasks 8.3. Key Distinction Between Active and Passive Measurement Tasks
There are many possible definitions for the two main categories of Passive and Active Measurement Tasks raise different privacy issues.
measurement types, active and passive. For the purposes of this
memo, we describe Passive and Active Measurements as follows:
Passive: measurements conducted on Internet User traffic, such that Passive Measurement Tasks are conducted on a user's traffic, such
sensitive information is present and stored in the measurement system that sensitive information is present and stored in the measurement
(however briefly this storage may be). We note that some authorities system (however briefly this storage may be). We note that some
make a distinction on time of storage, and information that is kept authorities make a distinction on time of storage, and information
only temporarily to perform a communications function is not subject that is kept only temporarily to perform a communications function is
to regulation (e.g., Active Queue Management, Deep Packet not subject to regulation (for example, active queue management, deep
Inspection). Passive measurements could reveal all websites a packet inspection). Passive Measurement Tasks could reveal all the
subscriber visits and the applications and/or services they use. websites a Subscriber visits and the applications and/or services
they use.
Active: measurements conducted on traffic which serves only the Active Measurement Tasks are conducted on traffic which is created
purpose of measurement. Even if a user host generates active specifically for the purpose. Even if a user host generates Active
measurement traffic, there is significantly limited sensitive Measurement Traffic, there is significantly limited sensitive
information about the Subscriber present and stored in the information about the Subscriber present and stored in the
measurement system compared to the passive case, as follows: measurement system compared to the passive case, as follows:
o IP address in use (and possibly Sub-IP addresses and names) o IP address in use (and possibly sub-IP addresses and names)
o Status as a study volunteer schedule of active tests o Status as a study volunteer and Schedule of Active Measurement
Tasks
On the other hand, the sensitive information for an Internet Service On the other hand, for a service provider the sensitive information
Provider is the same whether active or passive measurements are used like Measurement Results is the same for Passive and Active
(e.g., measurement results). Measurement Tasks.
Both Active and Passive measurements potentially expose the From the Subscriber perspective, both Active and Passive Measurement
description of Internet Access service and specific service Tasks potentially expose the description of Internet access service
parameters, such as subscribed rate and type of access. and specific service parameters, such as subscribed rate and type of
access.
8.4. Privacy analysis of the Communications Models 8.4. Privacy analysis of the Communications Models
This section examines each of the protocol exchanges described at a This section examines each of the protocol exchanges described at a
high level in Section 5 and some example measurement tasks, and high level in Section 5 and some example Measurement Tasks, and
identifies specific sensitive information which must be secured identifies specific sensitive information which must be secured
during communication for each case. With the protocol-related during communication for each case. With the protocol-related
sensitive information identified, we have can better consider the sensitive information identified, we have can better consider the
threats described in the following section. threats described in the following section.
From the privacy perspective, all entities participating in LMAP From the privacy perspective, all entities participating in LMAP
protocols can be considered "observers" according to the definition protocols can be considered "observers" according to the definition
in [RFC6973]. Their stored information potentially poses a threat to in [RFC6973]. Their stored information potentially poses a threat to
privacy, especially if one or more of these functional entities has privacy, especially if one or more of these functional entities has
been compromised. Likewise, all devices on the paths used for been compromised. Likewise, all devices on the paths used for
control, reporting, and measurement are also observers. control, reporting, and measurement are also observers.
8.4.1. MA Bootstrapping and Registration 8.4.1. MA Bootstrapping
Section 5.1 provides the communication model for the Bootstrapping Section 5.1 provides the communication model for the Bootstrapping
process. process.
Although the specification of mechanisms for Bootstrapping the MA are Although the specification of mechanisms for Bootstrapping the MA are
beyond the LMAP scope, designers should recognize that the beyond the LMAP scope, designers should recognize that the
Bootstrapping process is extremely powerful and could cause an MA to Bootstrapping process is extremely powerful and could cause an MA to
join a new or different LMAP system with Control/Collection entities, join a new or different LMAP system with a different Controller and
or simply install new methods of measurement (e.g., a passive DNS Collector, or simply install new Measurement Methods (for example to
Query collector). A Bootstrap attack could result in a breach of the passively record DNS queries). A Bootstrap attack could result in a
LMAP system with significant sensitive information exposure depending breach of the LMAP system with significant sensitive information
on the capabilities of the MA, so sufficient security protections are exposure depending on the capabilities of the MA, so sufficient
warranted. security protections are warranted.
The Bootstrapping (or Registration) process provides sensitive The Bootstrapping process provides sensitive information about the
information about the LMAP system and the organization that operates LMAP system and the organisation that operates it, such as
it, such as
o Initial Controller IP address or FQDN o Initial Controller IP address or FQDN
o Assigned Controller IP address or FQDN o Assigned Controller IP address or FQDN
o Security certificates and credentials o Security certificates and credentials
During the Bootstrap process (or Registration process that follows), During the Bootstrap process, the MA receives its MA-ID which is a
the MA receives its MA-ID which is a persistent pseudonym for the persistent pseudonym for the Subscriber in the case that the MA is
subscriber in the case that the MA is located at a service located at a service demarcation point. Thus, the MA-ID is
demarcation point. Thus, the MA-ID is considered sensitive considered sensitive information, because it could provide the link
information, because it could provide the link between subscriber between Subscriber identification and Measurements Results.
identification and measurements or observations on traffic.
Also, the Bootstrap or Registration process could assign a Group-ID Also, the Bootstrap process could assign a Group-ID to the MA. The
to the MA. The specific definition of information represented in a specific definition of information represented in a Group-ID is to be
Group-ID is to be determined, but several examples are envisaged determined, but several examples are envisaged including use as a
including use as a pseudonym for a set of subscribers, a class of pseudonym for a set of Subscribers, a class of service, an access
service, an access technology, or other important categories. technology, or other important categories. Assignment of a Group-ID
Assignment of a Group-ID enables anonymization sets to be formed on enables anonymisation sets to be formed on the basis of service type/
the basis of service type/grade/rates. Thus, the mapping between grade/rates. Thus, the mapping between Group-ID and MA-ID is
Group-ID and MA-ID is considered sensitive information. considered sensitive information.
8.4.2. Controller <-> Measurement Agent 8.4.2. Controller <-> Measurement Agent
The high-level communication model for interactions between the LMAP The high-level communication model for interactions between the LMAP
Controller and Measurement Agent is illustrated in Section 5.2. The Controller and Measurement Agent is illustrated in Section 5.2. The
primary purpose of this exchange is to authenticate and task a primary purpose of this exchange is to authenticate and task a
Measurement Agent with Measurement Instructions, which the Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously. Measurement Agent then acts on autonomously.
Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged
with a capability request, then measurement-related information of with a capability request, then measurement-related information of
interest such as the parameters, schedule, metrics, and IP addresses interest such as the parameters, schedule, metrics, and IP addresses
of measurement devices. Thus, the measurement Instruction contains of measurement devices. Thus, the measurement Instruction contains
sensitive information which must be secured. For example, the fact sensitive information which must be secured. For example, the fact
that an ISP is running additional measurements beyond the set that an ISP is running additional measurements beyond the set
reported externally is sensitive information, as are the additional reported externally is sensitive information, as are the additional
measurements themselves. The schedule/timing of specific Measurements Tasks themselves. The Measurement Schedule is also
measurements is also sensitive, because an attacker intending to bias sensitive, because an attacker intending to bias the results without
the results without being detected can use this information to great being detected can use this information to great advantage.
advantage.
An organization operating the Controller having no service An organisation operating the Controller having no service
relationship with a user who hosts the measurement agent *could* gain relationship with a user who hosts the Measurement Agent *could* gain
real-name mapping to public IP address through user participation in real-name mapping to a public IP address through user participation
an LMAP system (this applies to the Measurement Collection protocol, in an LMAP system (this applies to the Measurement Collection
as well). protocol, as well).
8.4.3. Collector <-> Measurement Agent 8.4.3. Collector <-> Measurement Agent
The high-level communication model for interactions between the LMAP The high-level communication model for interactions between the
Measurement Agent and Collector is illustrated in Section 5.4. The Measurement Agent and Collector is illustrated in Section 5.4. The
primary purpose of this exchange is to authenticate and collect primary purpose of this exchange is to authenticate and collect
results from a Measurement Agent, which it has measured autonomously Measurement Results from a MA, which the MA has measured autonomously
and stored. and stored.
Beyond the Controller-MA exchange, the new and highly-sensitive The Measurement Results are the additional sensitive information
information exposed in the Collector-MA exchange is the measurement included in the Collector-MA exchange. Organisations collecting LMAP
results. Organizations collecting LMAP measurements have the measurements have the responsibility for data control. Thus, the
responsibility for Data Control. Thus, the results and other Results and other information communicated in the Collector protocol
information communicated in the Collector protocol must be secured. must be secured.
8.4.4. Active Measurement Peer <-> Measurement Agent 8.4.4. Measurement Peer <-> Measurement Agent
Although the specification of the mechanisms for measurement is Although the specification of the mechanisms for an Active
beyond the LMAP scope, the high-level communications model below Measurement Task is beyond the scope of LMAP, it raises potential
illustrates measurement information and results flowing between privacy issues. The high-level communications model below
active measurement devices as a potential privacy issue. The primary illustrates the various exchanges to execute Active Measurement Tasks
purpose of this exchange is to execute measurements and store the and store the Results.
results.
We note the potential for additional observers in the figures below We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation. significance to the protocols and direction of initiation.
The various messages are optional, depending on the nature of the
Active Measurement Task. It may involve sending Active Measurement
Traffic from the Measurement Peer to MA, MA to Measurement Peer, or
both.
_________________ _________________ _________________ _________________
| | | | | | | |
| Meas Peer |=========== NAT ? ==========| Meas Agent | |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________| |_________________| |_________________| |_________________|
<- Key Negotiation & <- (Key Negotiation &
Encryption Setup Encryption Setup)
Encrypted Channel -> (Encrypted Channel ->
Established Established)
Announce Capabilities -> (Announce capabilities ->
& Status & status)
<- Select Capabilities <- (Select capabilities)
ACK -> ACK ->
<- Measurement Request <- (Measurement Request
(MA+MP IPAddrs,set of (MA+MP IPAddrs,set of
Metrics, Schedule) Metrics, Schedule))
ACK -> ACK ->
Measurement Traffic <> Measurement Traffic Active Measurement Traffic <> Active Measurement Traffic
(may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted)
<- Stop Tests <- (Stop Measurement Task)
Return Results -> Measurement Results ->
(if applicable) (if applicable)
<- ACK, Close <- ACK, Close
This exchange primarily exposes the IP addresses of measurement This exchange primarily exposes the IP addresses of measurement
devices and the inference of measurement participation from such devices and the inference of measurement participation from such
traffic. There may be sensitive information on key points in a traffic. There may be sensitive information on key points in a
service provider's network included. There may also be access to service provider's network included. There may also be access to
measurement-related information of interest such as the metrics, measurement-related information of interest such as the Metrics,
schedule, and intermediate results carried in the measurement packets Schedule, and intermediate results carried in the Active Measurement
(usually a set of timestamps). Traffic (usually a set of timestamps).
If the measurement traffic is unencrypted, as found in many systems If the Active Measurement Traffic is unencrypted, as found in many
today, then both timing and limited results are open to on-path systems today, then both timing and limited results are open to on-
observers, and this should be avoided when the degradation of secure path observers.
measurement is minimal.
8.4.5. Passive Measurement Peer <-> Measurement Agent 8.4.5. Passive Measurement Agent
Although the specification of the mechanisms for measurement is Although the specification of the mechanisms for a Passive
beyond the LMAP scope, the high-level communications model below Measurement Task is beyond the scope of LMAP, it raises potential
illustrates passive monitoring and measurement of information flowing privacy issues.
between production network devices as a potential privacy issue. The
primary purpose of this model is to illustrate collection of user
information of interest with the Measurement Agent performing the
monitoring and storage of the results. This particular exchange is
for DNS Response Time, which most frequently uses UDP transport.
_________________ ___________ _____ The high-level communications model below illustrates the collection
| | | | | | of user information of interest with the Measurement Agent performing
| Meas Peer DNS |=========== NAT ? ==========| Meas Agent|=|User | the monitoring and storage of the Results. This particular exchange
|_________________| |___________| |_____| is for passive measurement of DNS Response Time, which most
frequently uses UDP transport.
_________________ ____________
| | | |
| DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________|
______|_______
| |
| Measurement |
| Agent |
|______________|
<- Name Resolution Req <- Name Resolution Req
(MA+MP IPAddrs, (MA+MP IPAddrs,
Desired Domain Name) Desired Domain Name)
Return Record -> Return Record ->
This exchange primarily exposes the IP addresses of measurement This exchange primarily exposes the IP addresses of measurement
devices and the intent to communicate with, or access the services of devices and the intent to communicate with or access the services of
"Domain Name". There may be information on key points in a service "Domain Name". There may be information on key points in a service
provider's network, such as the address of one of its DNS servers. provider's network, such as the address of one of its DNS servers.
The Measurement Agent may be embedded in the User host, or it may be The Measurement Agent may be embedded in the user host, or it may be
located in another device capable of observing user traffic. located in another device capable of observing user traffic.
In principle, any of the Internet User sensitive information of In principle, any of the user sensitive information of interest
interest (listed above) can be collected and stored in the passive (listed above) can be collected and stored in the passive monitoring
monitoring scenario. Thus, the LMAP Collection of passive scenario and so must be secured.
measurements provides the additional sensitive information exposure
to a Collection-path observer, and this information must be secured. It would also be possible for a Measurement Agent to source the DNS
query itself. But then, as with any active measurement task, there
are few privacy concerns.
8.4.6. Storage and Reporting of Measurement Results
8.4.6. Result Storage and Reporting
Although the mechanisms for communicating results (beyond the initial Although the mechanisms for communicating results (beyond the initial
Collector) are beyond the LMAP scope, there are potential privacy Collector) are beyond the LMAP scope, there are potential privacy
issues related to a single organization's storage and reporting of issues related to a single organisation's storage and reporting of
measurement results. Both storage and reporting functions can help Measurement Results. Both storage and reporting functions can help
to preserve privacy by implementing the mitigations described below. to preserve privacy by implementing the mitigations described below.
8.5. Threats 8.5. Threats
This section indicates how each of the threats described in [RFC6973] This section indicates how each of the threats described in [RFC6973]
apply to the LMAP entities and their communication and storage of apply to the LMAP entities and their communication and storage of
"information of interest". "information of interest".
8.5.1. Surveillance 8.5.1. Surveillance
Section 5.1.1 of [RFC6973] describes Surveillance as the "observation Section 5.1.1 of [RFC6973] describes Surveillance as the "observation
or monitoring of and individual's communications or activities." or monitoring of and individual's communications or activities."
Hence all Passive Measurement Tasks are a form of surveillance, with
inherent risks.
All of passive measurement is surveillance, with inherent risks. Active Measurement Methods which avoid periods of user transmission
indirectly produce a record of times when a subscriber or authorised
Active measurement methods which avoid periods of user transmission user has used their network access service.
indirectly produce a record of times when a subscriber or authorized
user has utilized their Internet access service.
Active measurements may also utilize and store a subscriber's Active Measurement Methods may also utilise and store a Subscriber's
currently assigned IP address when conducting measurements that are currently assigned IP address when conducting measurements that are
relevant to a specific subscriber. Since the measurements are time- relevant to a specific Subscriber. Since the Measurement Results are
stamped, the measurement results could provide a record of IP address time-stamped, they could provide a record of IP address assignments
assignments over time. over time.
Either of the above pieces of information could be useful in Either of the above pieces of information could be useful in
correlation and identification, described below. correlation and identification, described below.
8.5.2. Stored Data Compromise 8.5.2. Stored Data Compromise
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
resulting from inadequate measures to secure stored data from resulting from inadequate measures to secure stored data from
unauthorized or inappropriate access. For LMAP systems this includes unauthorised or inappropriate access. For LMAP systems this includes
deleting or modifying collected measurement records, as well as data deleting or modifying collected measurement records, as well as data
theft. theft.
The primary LMAP entity subject to compromise is the results storage The primary LMAP entity subject to compromise is the repository,
which serves the Collector function (also applicable to temporary which stores the Measurement Results; extensive security and privacy
storage on the Collector itself). Extensive security and privacy threat mitigations are warranted. The Collector and MA also store
threat mitigations are warranted for the storage system. Although sensitive information temporarily, and need protection. The
the scope of its measurement and storage is smaller than the communications between the local storage of the Collector and the
collector's, an individual Measurement Agent stores sensitive repository is beyond the scope of the LMAP work at this time, though
information temporarily, and also needs protections. this communications channel will certainly need protection as well as
the mass storage itself.
The LMAP Controller may have direct access to storage of Service
Parameters, Subscriber information (location, billing, etc.), and
other information which the controlling organization considers
private, and needs protection in this case.
The communications between the local storage of the Collector and The LMAP Controller may have direct access to storage of Subscriber
other storage facilities (possibly permanent mass storage), is beyond information (location, billing, service parameters, etc.) and other
the scope of the LMAP work at this time, though this communications information which the controlling organisation considers private, and
channel will certainly need protection as well as the mass storage again needs protection.
itself.
8.5.3. Correlation and Identification 8.5.3. Correlation and Identification
Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as
combining various pieces of information to obtain desired combining various pieces of information to obtain desired
characteristics of an individual, and Identification as using this characteristics of an individual, and Identification as using this
process to infer identity. process to infer identity.
The main risk is that the LMAP system could un-wittingly provide a The main risk is that the LMAP system could unwittingly provide a key
key piece of the correlation chain, starting with an unknown piece of the correlation chain, starting with an unknown Subscriber's
Subscriber's IP address and another piece of information (e.g., IP address and another piece of information. For example, a
Subscriber X utilized Internet access from 2000 to 2310 UTC, because Subscriber utilised Internet access from 2000 to 2310 UTC, because
the active measurements were deferred, or sent a name resolution for the Active Measurement Tasks were deferred, or sent a name resolution
www.example.com at 2300 UTC). for www.example.com at 2300 UTC.
8.5.4. Secondary Use and Disclosure 8.5.4. Secondary Use and Disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as
unauthorized utilization of an individual's information for a purpose unauthorised utilisation of an individual's information for a purpose
the individual did not intend, and Disclosure is when such the individual did not intend, and Disclosure is when such
information is revealed causing other's notions of the individual to information is revealed causing other's notions of the individual to
change, or confidentiality to be violated. change, or confidentiality to be violated.
The collection and reporting of passive traffic measurements is a Passive Measurement Tasks are a form of Secondary Use, and the
form of secondary use, and subscribers' permission and measured ISP's Subscribers' permission and the measured ISP's permission should be
permission should be obtained before measurement. Although user obtained beforehand. Although user traffic is only indirectly
traffic is only indirectly involved, active measurement results involved, the Measurement Results from Active Measurement Tasks
provide limited information about the subscriber/ISP and may provide some limited information about the Subscriber/ISP and could
constitute secondary use. Use of the measurements in unauthorized be used for Secondary Uses. For example, the use of the Results in
marketing campaigns would qualify as Secondary Use. unauthorised marketing campaigns would qualify as Secondary Use.
8.6. Mitigations 8.6. Mitigations
This section examines the mitigations listed in section 6 of This section examines the mitigations listed in section 6 of
[RFC6973] and their applicability to LMAP systems. Note that each [RFC6973] and their applicability to LMAP systems. Note that each
section in [RFC6973] identifies the threat categories that each section in [RFC6973] identifies the threat categories that each
technique mitigates. technique mitigates.
8.6.1. Data Minimization 8.6.1. Data Minimisation
Section 6.1 of [RFC6973] encourages collecting and storing the Section 6.1 of [RFC6973] encourages collecting and storing the
minimal information needed to perform a task. minimal information needed to perform a task.
There are two levels of information needed for LMAP results to be There are two levels of information needed for LMAP results to be
useful for a specific task: Network Operator and User useful for a specific task: troubleshooting and general results
troubleshooting, and General results reporting. reporting.
The minimal supporting information for general results is conducive For general results, the results can be aggregated into large
to protection of sensitive information, as long as the results can be categories (the month of March, all subscribers West of the
aggregated into large categories (e.g., the month of March, all Mississippi River). In this case, all individual identifications
subscribers West of the Mississippi River). In this case, all (including IP address of the MA) can be excluded, and only relevant
individual identifications (including IP address of the MA) can be results are provided. However, this implies a filtering process to
excluded, and only the results applicable to the desired measurement reduce the information fields, because greater detail was needed to
path are provided.. However, this implies a filtering process to conduct the Measurement Tasks in the first place.
reduce the information fields allocated to this task, because greater
detail was needed to conduct the measurements in the first place.
For a Network Operator and User troubleshooting a performance issue For troubleshooting, so that a network operator or end user can
or failure, potentially all the network information (e.g., IP identify a performance issue or failure, potentially all the network
addresses, equipment IDs, location), measurement schedule, service information (IP addresses, equipment IDs, location), Measurement
configuration, measurement results and other information may assist Schedule, service configuration, Measurement Results, and other
in the process. This includes the information needed to conduct the information may assist in the process. This includes the information
measurements, and represents a need where the maximum relevant needed to conduct the Measurements Tasks, and represents a need where
information is desirable, therefore the greatest protections should the maximum relevant information is desirable, therefore the greatest
be applied. protections should be applied.
We note that a user may give temporary permission for passive We note that a user may give temporary permission for Passive
measurements to enable detailed troubleshooting, but withhold Measurement Tasks to enable detailed troubleshooting, but withhold
permission for passive measurements in general. Here the greatest permission for them in general. Here the greatest breadth of
breadth of sensitive information is potentially exposed, and the sensitive information is potentially exposed, and the maximum privacy
maximum privacy protection must be provided. protection must be provided.
For MAs with access to the sensitive information of users (e.g., For MAs with access to the sensitive information of users (e.g.,
within a home or a personal host/handset), it is desirable for the within a home or a personal host/handset), it is desirable for the
results collection to minimize the data reported, but also to balance results collection to minimise the data reported, but also to balance
this desire with the needs of troubleshooting when a service this desire with the needs of troubleshooting when a service
subscription exists between the user and organization operating the subscription exists between the user and organisation operating the
measurements. measurements.
For passive measurements where the MA reports flow information to the For passive measurements where the MA reports flow information to the
Collector, the Collector may perform pre-storage minimization and Collector, the Collector may perform pre-storage minimisation and
other mitigations (below) to help preserve privacy. other mitigations (below) to help preserve privacy.
8.6.2. Anonymity 8.6.2. Anonymity
Section 6.1.1 of [RFC6973] describes a way in which anonymity is Section 6.1.1 of [RFC6973] describes a way in which anonymity is
achieved: "there must exist a set of individuals that appear to have achieved: "there must exist a set of individuals that appear to have
the same attributes as the individual", defined as an "anonymity the same attributes as the individual", defined as an "anonymity
set". set".
Experimental Methods for anonymization of user identifiable data Experimental methods for anonymisation of user identifiable data
applicable to passive measurement have been identified in [RFC6235]. applicable to Passive Measurement Methods have been identified in
However, the findings of several of the same authors is that "there [RFC6235]. However, the findings of several of the same authors is
is increasing evidence that anonymization applied to network trace or that "there is increasing evidence that anonymisation applied to
flow data on its own is insufficient for many data protection network trace or flow data on its own is insufficient for many data
applications as in [Bur10]." protection applications as in [Bur10]."
Essentially, the details of passive flow measurements can only be Essentially, the details of passive measurement tasks can only be
accessed by closed organizations, and unknown injection attacks are accessed by closed organisations, and unknown injection attacks are
always less expensive than the protections from them. However, some always less expensive than the protections from them. However, some
forms of summarized passive measurement may protect the user's forms of summary may protect the user's sensitive information
sensitive information sufficiently well, and so each metric must be sufficiently well, and so each Metric must be evaluated in the light
evaluated in the light of privacy. of privacy.
The methods in [RFC6235] could be applied more successfully in active The methods in [RFC6235] could be applied more successfully in Active
measurement, where there are protections from injection attack. The Measurement Methods, where there are protections from injection
successful attack would require breaking the integrity protection of attack. The successful attack would require breaking the integrity
the LMAP reporting protocol and injecting measurement results (known protection of the LMAP Reporting Protocol and injecting Measurement
fingerprint, see section 3.2 of [RFC6973]) for inclusion with the Results (known fingerprint, see section 3.2 of [RFC6973]) for
shared and anonymized results, then fingerprinting those records to inclusion with the shared and anonymised results, then fingerprinting
ascertain the anonymization process. those records to ascertain the anonymisation process.
Beside anonymization of measured results for a specific user or Beside anonymisation of measured Results for a specific user or
provider, the value of sensitive information can be further diluted provider, the value of sensitive information can be further diluted
by summarizing the results over many individuals or areas served by by summarising the results over many individuals or areas served by
the provider. There is an opportunity enabled by forming anonymity the provider. There is an opportunity enabled by forming anonymity
sets [RFC6973] based on the reference path measurement points in [I-D sets [RFC6973] based on the reference path measurement points in
.ietf-ippm-lmap-path]. For example, all measurements from the [I-D.ietf-ippm-lmap-path]. For example, all measurements from the
Subscriber device can be identified as "mp000", instead of using the Subscriber device can be identified as "mp000", instead of using the
IP address or other device information. The same anonymization IP address or other device information. The same anonymisation
applies to the Internet Service Provider, where their Internet applies to the Internet Service Provider, where their Internet
gateway would be referred to as "mp190". gateway would be referred to as "mp190".
8.6.3. Pseudonymity 8.6.3. Pseudonymity
Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
are a possible mitigation to revealing one's true identity, since are a possible mitigation to revealing one's true identity, since
there is no requirement to use real names in almost all protocols. there is no requirement to use real names in almost all protocols.
A pseudonym for a measurement device's IP address could be an LMAP- A pseudonym for a measurement device's IP address could be an LMAP-
unique equipment ID. However, this would likely be a permanent unique equipment ID. However, this would likely be a permanent
handle for the device, and long-term use weakens a pseudonym's power handle for the device, and long-term use weakens a pseudonym's power
to obscure identity. to obscure identity.
8.6.4. Other Mitigations 8.6.4. Other Mitigations
Data can be de-personalised by blurring it, for example by adding
synthetic data, data-swapping, or perturbing the values in ways that
can be reversed or corrected.
Sections 6.2 and 6.3 of [RFC6973] describe User Participation and Sections 6.2 and 6.3 of [RFC6973] describe User Participation and
Security, respectively. Security, respectively.
Where LMAP measurements involve devices on the Subscriber's premises Where LMAP measurements involve devices on the Subscriber's premises
or Subscriber-owned equipment, it is essential to secure the or Subscriber-owned equipment, it is essential to secure the
Subscriber's permission with regard to the specific information that Subscriber's permission with regard to the specific information that
will be collected. The informed consent of the Subscriber (and, if will be collected. The informed consent of the Subscriber (and, if
different, the end user) is needed, including the specific purpose of different, the end user) is needed, including the specific purpose of
the measurements. The approval process could involve showing the the measurements. The approval process could involve showing the
Subscriber their measured information and results before instituting Subscriber their measured information and results before instituting
skipping to change at page 34, line 34 skipping to change at page 40, line 19
Although the details of verification would be impenetrable to most Although the details of verification would be impenetrable to most
subscribers, the MA could be architected as an "app" with open subscribers, the MA could be architected as an "app" with open
source-code, pre-download and embedded terms of use and agreement on source-code, pre-download and embedded terms of use and agreement on
measurements, and protection from code modifications usually provided measurements, and protection from code modifications usually provided
by the app-stores. Further, the app itself could provide data by the app-stores. Further, the app itself could provide data
reduction and temporary storage mitigations as appropriate and reduction and temporary storage mitigations as appropriate and
certified through code review. certified through code review.
LMAP protocols, devices, and the information they store clearly need LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorized access. This is the hand-off between to be secure from unauthorised access. This is the hand-off between
privacy and security considerations, found elsewhere in this memo. privacy and security considerations (Section 7). The Data Controller
The Data Controller has the (legal) responsibility to maintain data has the (legal) responsibility to maintain data protections described
protections described in the Subscriber's agreement and agreements in the Subscriber's agreement and agreements with other
with other organizations. organisations.
Another standard method for de-personalising data is to blur it by
adding synthetic data, data-swapping, or perturbing the values in
ways that can be reversed or corrected.
9. IANA Considerations 9. IANA Considerations
There are no IANA considerations in this memo. There are no IANA considerations in this memo.
10. Acknowledgments 10. Acknowledgments
This document is a merger of three individual drafts: draft-eardley- This document is a merger of three individual drafts: draft-eardley-
lmap-terminology-02, draft-akhter-lmap-framework-00, and draft- lmap-terminology-02, draft-akhter-lmap-framework-00, and draft-
eardley-lmap-framework-02. eardley-lmap-framework-02.
Thanks to numerous people for much discussion, directly and on the
LMAP list. This document tries to capture the current conclusions.
Thanks to Juergen Schoenwaelder for his detailed review of the Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. terminology. Thanks to Charles Cook for a very detailed review of
-02.
Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dave Thorne, Frode Soerensen, Greg Mirsky,
Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit,
Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Michael
Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller,
Ted Lemon, Timothy Carey, Vaibhav Bajpai, William Lupton.
Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
the Leone research project, which receives funding from the European the Leone research project, which receives funding from the European
Union Seventh Framework Programme [FP7/2007-2013] under grant Union Seventh Framework Programme [FP7/2007-2013] under grant
agreement number 317647. agreement number 317647.
11. History 11. History
First WG version, copy of draft-folks-lmap-framework-00. First WG version, copy of draft-folks-lmap-framework-00.
skipping to change at page 36, line 4 skipping to change at page 41, line 36
Underlying protocol could do other interactions, eg to get through Underlying protocol could do other interactions, eg to get through
NAT or for Collector to pull a Report NAT or for Collector to pull a Report
o add hint that after a re-boot should pause random time before re- o add hint that after a re-boot should pause random time before re-
register (to avoid mass calling event) register (to avoid mass calling event)
o delete the open issue "what happens if a Controller fails" (normal o delete the open issue "what happens if a Controller fails" (normal
methods can handle) methods can handle)
o add some extra words about multiple Tasks in one Schedule o add some extra words about multiple Tasks in one Schedule
o clarify that new Schedule replaces (rather than adds to) and old o clarify that new Schedule replaces (rather than adds to) and old
one. similarly for new configuration of Measurement Tasks or one. Similarly for new configuration of Measurement Tasks or
Report Channels. Report Channels.
o clarify suppression is temporary stop; send a new Schedule to o clarify suppression is temporary stop; send a new Schedule to
permanently stop Tasks permanently stop Tasks
o alter suppression so it is ACKed o alter suppression so it is ACKed
o add un-suppress message o add un-suppress message
o expand the text on error reporting, to mention Reporting failures o expand the text on error reporting, to mention Reporting failures
skipping to change at page 36, line 36 skipping to change at page 42, line 19
o clarify /amend /expand that Reports include the "raw" Measurement o clarify /amend /expand that Reports include the "raw" Measurement
Results - any pre-processing is left for lmap2.0 Results - any pre-processing is left for lmap2.0
o add some cautionary words about what if the Collector unexpectedly o add some cautionary words about what if the Collector unexpectedly
doesn't hear from a MA doesn't hear from a MA
o add some extra words about the potential impact of Measurement o add some extra words about the potential impact of Measurement
Tasks Tasks
o clarified varous aspects of the privacy section o clarified various aspects of the privacy section
o updated references o updated references
o minor tweaks o minor tweaks
11.3. From -02 to -03
o alignment with the Information Model
[I-D.burbridge-lmap-information-model] as this is agreed as a WG
document
o One-off and periodic Measurement Schedules are kept separate, so
that they can be updated independently
o Measurement Suppression in a separate sub-section. Can now
optionally include particular Measurement Tasks &/or Schedules to
suppress, and start/stop time
o for clarity, concept of Channel split into Control, Report and MA-
to-Controller Channels
o numerous editorial changes, mainly arising from a very detailed
review by Charles Cook
o
12. Informative References 12. Informative References
[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
"The Role of Network Trace Anonymization Under Attack", "The Role of Network Trace anonymisation Under Attack",
January 2010. January 2010.
[Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM- [Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM-
evolved UMTS core network", evolved UMTS core network",
http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011. http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
June 2005.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, July
2005.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, October 2008.
[I-D.ietf-lmap-use-cases] [I-D.ietf-lmap-use-cases]
Linsner, M., Eardley, P., and T. Burbridge, "Large-Scale Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
Broadband Measurement Use Cases", draft-ietf-lmap-use- "Large-Scale Broadband Measurement Use Cases", draft-ietf-
cases-00 (work in progress), October 2013. lmap-use-cases-01 (work in progress), December 2013.
[I-D.bagnulo-ippm-new-registry-independent] [I-D.bagnulo-ippm-new-registry-independent]
Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
A. Morton, "A registry for commonly used metrics. A. Morton, "A registry for commonly used metrics.
Independent registries", draft-bagnulo-ippm-new-registry- Independent registries", draft-bagnulo-ippm-new-registry-
independent-01 (work in progress), July 2013. independent-01 (work in progress), July 2013.
[I-D.ietf-homenet-arch] [I-D.ietf-homenet-arch]
Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil,
"IPv6 Home Networking Architecture Principles", draft- "IPv6 Home Networking Architecture Principles", draft-
skipping to change at page 37, line 45 skipping to change at page 44, line 19
information-model-01 (work in progress), October 2013. information-model-01 (work in progress), October 2013.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Support", RFC 6235, May 2011. Support", RFC 6235, May 2011.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
[I-D.ietf-ippm-lmap-path]
Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
A. Morton, "A Reference Path and Measurement Points for
LMAP", draft-ietf-ippm-lmap-path-01 (work in progress),
September 2013.
Authors' Addresses Authors' Addresses
Philip Eardley Philip Eardley
British Telecom British Telecom
Adastral Park, Martlesham Heath Adastral Park, Martlesham Heath
Ipswich Ipswich
ENGLAND ENGLAND
Email: philip.eardley@bt.com Email: philip.eardley@bt.com
Al Morton Al Morton
AT&T Labs AT&T Labs
 End of changes. 229 change blocks. 
714 lines changed or deleted 982 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/