Network Working Group                                         P. Eardley
Internet-Draft                                                        BT
Intended status: Informational                                 A. Morton
Expires: July 25, October 2, 2014                                       AT&T Labs
                                                              M. Bagnulo
                                                                    UC3M
                                                            T. Burbridge
                                                                      BT
                                                               P. Aitken
                                                               A. Akhter
                                                           Cisco Systems
                                                        January 21,
                                                          March 31, 2014

        A framework for large-scale measurement platforms (LMAP)
                      draft-ietf-lmap-framework-03
                      draft-ietf-lmap-framework-04

Abstract

   Measuring broadband service on a large scale requires a description
   of the logical architecture and standardisation of the key protocols
   that coordinate interactions between the components.  The document
   presents an overall framework for large-scale measurements.  It also
   defines terminology for LMAP (large-scale measurement platforms).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 25, October 2, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Outline of an LMAP-based measurement system . . . . . . . . .   5
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  Constraints . . . . . . . . . . . . . . . . . . . . . . . . .  11
     4.1.  Measurement system is under the direction of a single
           organisation  . . . . . . . . . . . . . . . . . . . . . .  11
     4.2.  Each MA may only have a single Controller at any point in
           time  . . . . . . . . . . . . . . . . . . . . . . . . . .  12
   5.  LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . .  12
     5.1.  Bootstrapping process . . . . . . . . . . . . . . . . . .  13
     5.2.  Control Protocol  . . . . . . . . . . . . . . . . . . . .  15  14
       5.2.1.  Measurement Suppression  Instruction . . . . . . . . . . . . . . . . . . . . .  18  14
       5.2.2.  Capabilities and Failure information  . . . . . . . .  17
     5.3.  Operation of Measurement Tasks  . . . . . . . . . . . . .  19
       5.3.1.  Starting and stopping Stopping Measurement Tasks . . . . . . .  19
       5.3.2.  Overlapping Measurement Tasks . . . . . . . . .  19 . . .  20
     5.4.  Report Protocol . . . . . . . . . . . . . . . . . . . . .  20  21
       5.4.1.  Reporting of Subsriber's service parameters . . . . .  22
     5.5.  Operation of LMAP over the underlying transport protocol   22
     5.6.  Items beyond the scope of the LMAP Protocol Model . . . .  23
       5.6.1.  Enduser-controlled  End-user-controlled measurement system  . . . . . . . .  24
   6.  Deployment considerations . . . . . . . . . . . . . . . . . .  24  25
     6.1.  Controller and the measurement system . . . . . . . . . .  25
     6.2.  Measurement Agent . . . . . . . . . . . . .  24
     6.2.  Measurement Agent . . . . . . . . . . . . .  26
       6.2.1.  Measurement Agent on a networked device . . . . . . .  25
       6.2.1.  26
       6.2.2.  Measurement Agent embedded in site gateway  . . . . .  26
       6.2.2.
       6.2.3.  Measurement Agent embedded behind site NAT /Firewall   26
       6.2.3.   27
       6.2.4.  Multi-homed Measurement Agent in a multi-homed site . . . . . . . . . . . .  27
     6.3.  Measurement Peer  . . . . . . . . . . . . . . . . . . . .  27  28
   7.  Security considerations . . . . . . . . . . . . . . . . . . .  27  28
   8.  Privacy Considerations for LMAP . . . . . . . . . . . . . . .  28  30
     8.1.  Categories of Entities with Information of Interest . . .  29  30
     8.2.  Examples of Sensitive Information . . . . . . . . . . . .  29  31
     8.3.  Key Distinction Between Active and Passive Measurement
           Tasks . . . . . . . . . . . . . . . . . . . . . . . . . .  30  32
     8.4.  Privacy analysis of the Communications Models . . . . . .  31  33
       8.4.1.  MA Bootstrapping  . . . . . . . . . . . . . . . . . .  31  33
       8.4.2.  Controller <-> Measurement Agent  . . . . . . . . . .  32  34
       8.4.3.  Collector <-> Measurement Agent . . . . . . . . . . .  33  34
       8.4.4.  Measurement Peer <-> Measurement Agent  . . . . . . .  33  35
       8.4.5.  Passive Measurement Agent . . . . . . . . . . . . . .  34  36
       8.4.6.  Storage and Reporting of Measurement Results  . . . .  35  37
     8.5.  Threats . . . . . . . . . . . . . . . . . . . . . . . . .  35  37
       8.5.1.  Surveillance  . . . . . . . . . . . . . . . . . . . .  36  38
       8.5.2.  Stored Data Compromise  . . . . . . . . . . . . . . .  36  38
       8.5.3.  Correlation and Identification  . . . . . . . . . . .  36  39
       8.5.4.  Secondary Use and Disclosure  . . . . . . . . . . . .  37  39
     8.6.  Mitigations . . . . . . . . . . . . . . . . . . . . . . .  37  39
       8.6.1.  Data Minimisation . . . . . . . . . . . . . . . . . .  37  39
       8.6.2.  Anonymity . . . . . . . . . . . . . . . . . . . . . .  38  40
       8.6.3.  Pseudonymity  . . . . . . . . . . . . . . . . . . . .  39  41
       8.6.4.  Other Mitigations . . . . . . . . . . . . . . . . . .  39  41
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  40  42
   10. Appendix: Deployment examples . . . . . . . . . . . . . . . .  42
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  40
   11.  46
   12. History . . . . . . . . . . . . . . . . . . . . . . . . . . .  41
     11.1.  47
     12.1.  From -00 to -01  . . . . . . . . . . . . . . . . . . . .  41
     11.2.  47
     12.2.  From -01 to -02  . . . . . . . . . . . . . . . . . . . .  41
     11.3.  47
     12.3.  From -02 to -03  . . . . . . . . . . . . . . . . . . . .  42
   12.  48
     12.4.  From -03 to -04  . . . . . . . . . . . . . . . . . . . .  49
   13. Informative References  . . . . . . . . . . . . . . . . . . .  42  49
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  44  51

1.  Introduction

   There is a desire to be able to coordinate the execution of broadband
   measurements and the collection of measurement results across a large
   scale set of diverse devices.  These devices could be software based
   agents on PCs, embedded agents in consumer devices (e.g. blu-ray
   players), service provider controlled devices such as set-top players
   and home gateways, or simply dedicated probes.  It is expected that
   such a system could easily comprise 100k 100,000 devices.  Such a scale
   presents unique problems in coordination, execution and measurement
   result collection.  Several use cases have been proposed for large-
   scale measurements including:

   o  Operators: to help plan their network and identify faults

   o  Regulators: to benchmark several network operators and support
      public policy development

   Further details of the use cases can be found at in
   [I-D.ietf-lmap-use-cases].  The LMAP framework should be useful for
   these, as well as other use cases that the LMAP WG doesn't
   concentrate on, cases, such as to help end users run
   diagnostic checks like a network speed test.

   The LMAP framework has four three basic elements: Measurement Agents,
   Measurement Peers,
   Controllers and Collectors.

   Measurement Agents (MAs) perform the actual measurements, which are
   called Measurement Tasks, perhaps Tasks in
   conjunction with Measurement Peers.  They are pieces of code that can
   be executed in specialized hardware (hardware probe) or on a general-
   purpose device (like a PC or mobile phone).  A device with a
   Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL,
   fibre, etc.) and the Measurement Tasks may specify any one of these.
   Measurement Tasks may be Active (the MA or Measurement Peer generates
   Active Measurement Traffic), Passive (the MA observes user traffic),
   or some hybrid form of the two.  For Active Measurement Tasks, the MA
   (or Measurement Peer) generates Active Measurement Traffic and
   measures some metric associated with its transfer over the path to
   (or from) a Measurement Peer.  For example, one Active Measurement
   Task could be to measure the UDP latency between the MA and a given
   Measurement Peer.  MAs may also conduct Passive Measurement Tasks
   through the observation of traffic.  The Measurement Tasks themselves
   may be on IPv4, IPv6, and on various services (DNS, HTTP, XMPP, FTP,
   VoIP, etc.).

   The Controller manages one or more MAs by instructing it which the LMAP terminology.

   The Controller manages one or more MAs by instructing it which
   Measurement Tasks it should perform and when.  For example it may
   instruct a MA at a home gateway: "Measure the 'UDP latency' with the
   Measurement Peer mp.example.org;
   www.example.org; repeat every hour at xx.05".  The Controller also
   manages a MA by instructing it how to report the Measurement Results,
   for example: "Report results once a day in a batch at 4am".  We refer
   to these as the Measurement Schedule and Report Schedule.

   The Collector accepts Reports from the MAs with the Results from
   their Measurement Tasks.  Therefore the MA is a device that gets
   Instructions from the Controller, initiates the Measurement Tasks,
   and reports to the Collector.

   There are additional elements that are part of a measurement system,
   but that these are out of the scope for LMAP.  We provide a detailed
   discussion of all the elements in the rest of the document.

   The desirable features for a large-scale measurement systems we are
   designing for are:

   o  Standardised - in terms of the Measurement Tasks that they
      perform, the components, the data models and protocols for
      transferring information between the components.  Amongst other
      things, standardisation enables meaningful comparisons of
      measurements made of the same metric at different times and
      places, and enables provides the operator of a measurement system to buy with a
      criteria for evaluation of the different solutions that can be
      used for various purposes including buying decisions (such as
      buying the various components from different vendors. vendors).  Today's
      systems are proprietary in some or all of these aspects.

   o  Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement
      Agents in every home gateway and edge device such as set-top-boxes
      and tablet computers.  It is expected that a measurement system
      could easily encompass a few hundred thousand Measurement Agents.
      Existing systems have up to a few thousand MAs (without judging
      how much further they could scale).

   o  Diversity - a measurement system should handle different types of
      Measurement Agent - for example Measurement Agents may come from
      different vendors, be in wired and wireless networks networks, have
      different Measurement Task capabilities and be on devices with
      IPv4 or IPv6 addresses.

2.  Outline of an LMAP-based measurement system

   Figure 1 shows the main components of a measurement system, and the
   interactions of those components.  Some of the components are outside
   the scope of LMAP.  In this section we provide an overview of the
   whole measurement system and we introduce the main terms needed for
   the LMAP framework.  The new terms are capitalized. capitalised.  In the next
   section we provide a terminology section with a compilation of all
   the LMAP terms and their definition.

   The subsequent sections study main work of the LMAP working group is to define the Control
   Protocol between the Controller and MA, and the Report Protocol
   between the MA and Collector.  Section 4 onwards considers the LMAP
   components in more detail.

   A

   The MA performs Measurement Task measures some performance or reliability Metric Tasks.  The MAs are pieces of
   interest.  An Active Measurement Task involves either code that
   can be executed in specialised hardware (hardware probe) or on a Measurement
   Agent (MA) injecting Active Measurement Traffic into the network
   destined for
   general-purpose device (like a Measurement Peer, and/or PC or mobile phone).  A device with a
   Measurement Peer sending
   Active Agent may have multiple interfaces (WiFi, Ethernet, DSL,
   fibre, etc.) and the Measurement Traffic to a MA; Tasks may specify any one of them these.
   Measurement Tasks may be Active (the MA generates Active Measurement
   Traffic and measures some
   parameter metric associated with the transfer its transfer),
   Passive (the MA observes user traffic), or some hybrid form of the packet(s).  A Passive
   Measurement Task involves only
   two.

   The MA is managed by a MA, Controller using the Control Protocol.  The MA
   receives Instructions from the Controller about which simply observes existing
   traffic - for example, it could simply count bytes or Measurement
   Tasks it might
   calculate should perform and when.  For example the average loss for Controller may
   instruct a particular flow.

   It is very useful to standardise Measurement Methods (a Measurement
   Method is MA at a generalisation home gateway: "Count the number of TCP SYN packets
   observed in a 1 minute interval; repeat every hour at xx.05 +
   Unif[0,180] seconds".  The Measurement Task), so that it is
   meaningful to compare measurements of Schedule determines when the same Metric made at
   different times and places.  It is
   Measurement Tasks are executed.  The Controller also useful to define manages a registry MA by
   instructing it how to report the Measurement Results, for commonly-used Metrics [I-D.bagnulo-ippm-new-registry-independent]
   so that example:
   "Report results once a Measurement Method can be referred to simply by its
   identifier day in a batch at 4am + Unif[0,180] seconds;
   if the registry. end user is active then delay the report 5 minutes".  The
   Report Schedule determines when the Reports are uploaded to the
   Collector.  The Measurement Methods chedule and registry
   will hopefully be referenced by other standards organisations.

   In order for Report Schedule can define
   one-off (non-recurring) actions ("Do measurement now", "Report as
   soon as possible"), as well as recurring ones.

   The Collector accepts a Measurement Agent and Report from a MA with the Measurement Peer to execute an
   Active Measurement Task, they exchange Active Results
   from its Measurement Traffic.
   The protocols used for Tasks.  It then provides the Active Results to a
   repository (see below).

   Some Measurement Traffic Tasks involve several MAs acting in a coordinated
   fashion.  This coordination is out of the
   scope of achieved by the LMAP WG and falls within Controller instructing
   the scope of other IETF WGs
   such as IPPM.

   For multiple MAs in a coherent manner.  In some Measurement Results to be truly comparable, as might be required Tasks the
   MA(s) is assisted by a regulator, one or more network entities that are not only do
   managed by the Controller.  The entities that helps the MA in the same
   Measurement Methods need to be
   used Tasks but also are not managed by the set of Controller are called
   Measurement Tasks should follow Peers (MPs).  For example consider the case of a similar "ping"
   Measurement Schedule Task, to measure the round trip delay between the MA and be of similar number.  The details of such
   a
   characterisation plan are beyond the scope of work given ICMP ECHO responder in IETF although
   certainly facilitated by IETF's work.

   The next components we consider are the Measurement Agent (MA),
   Controller and Collector.  The main work of Internet.  In this case, the LMAP working group
   responder is
   to define the Control Protocol between the Controller Measurement Peer.  The ICMP ECHO request and MA, ICMP
   ECHO Requests and the
   Report Protocol Replies flowing between the MA and Collector.  Section 4 onwards
   considers the LMAP components in more detail; here we introduce them. MP is called
   Active Measurement Traffic.  The Controller manages a MA by instructing it which Appendix has some other examples of
   possible arrangements of Measurement Tasks
   it should perform Agents and when.  For example it may instruct a MA at Peers.

   A Measurement Method defines how to measure a
   home gateway: "Run the 'download speed test' with the Metric of interest.  It
   is very useful to standardise Measurement
   Peer at the end user's first IP point in the network; if the end user Methods, so that it is active then delay the test and re-try 1 minute later, with up
   meaningful to 3
   re-tries; repeat every hour compare measurements of the same Metric made at xx.05 + Unif[0,180] seconds".  The
   Controller
   different times and places.  It is also manages a MA by instructing it how useful to report the
   Measurement Results, define a registry
   for example: "Report results once commonly-used Metrics [I-D.manyfolks-ippm-metric-registry] so
   that a day Measurement Method can be referred to simply by its identifier
   in a
   batch at 4am + Unif[0,180] seconds; if the end user is active then
   delay the report 5 minutes".  These are called the registry.  The Measurement Methods and
   Report Schedule.  As well as periodic registry will hopefully
   be referenced by other standards organisations.

   A Measurement Tasks, Task is a Controller
   can initiate specific instantiation of a one-off (non-recurring) Measurement Task ("Do
   measurement now", "Report as soon as possible").

   The Collector accepts
   Method.It generates a Report from Measurement Result.  An Active Measurement Task
   involves either a MA with the results from its Measurement Tasks.  It may also do some post-processing on Agent (MA) injecting Active Measurement
   Traffic into the
   results, network destined for instance a Measurement Peer or for
   another Measurement Agent, and/or a Measurement Peer (or another
   Measurement Agent) sending Active Measurement Traffic to eliminate outliers, as they can severely
   impact the aggregated results. a MA; one of
   them measures some parameter associated with the transfer of the
   packet(s).  A Passive Measurement Task involves a MA simply observing
   existing traffic - for example, it could count bytes or it might
   calculate the average loss for a particular flow.

   In order for a Measurement Agent and a Measurement Peer (or another
   Measurement Agent) to execute an Active Measurement Task, they
   exchange Active Measurement Traffic.  The protocols used for the
   Active Measurement Traffic are out of the scope of the LMAP WG; they
   fall within the scope of other IETF WGs such as IPPM.

   For Measurement Results to be truly comparable, as might be required
   by a regulator, not only do the same Measurement Methods need to be
   used but also the set of Measurement Tasks should follow a similar
   Measurement Schedule and be of similar number.  The details of such a
   characterisation plan are beyond the scope of work in IETF although
   certainly facilitated by IETF's work.

   Finally we introduce several components that are out of scope of the
   LMAP WG and will be provided through existing protocols or
   applications.  They affect how the measurement system uses the
   Measurement Results and how it decides what set of Measurement Tasks
   to perform.

   The MA needs to be bootstrapped with initial details about its
   Controller, including authentication credentials.  The LMAP WG
   considers the bootstrap process, since it affects the Information
   Model.  However, it does not define a bootstrap protocol, since it is
   likely to be technology specific and could be defined by the
   Broadband Forum, CableLabs or IEEE depending on the device.  Possible
   protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management
   Protocol (CWMP) from the Auto Configuration Server (ACS) (as
   specified in TR-069). TR-069 [TR-069]).

   A Subscriber parameter database contains information about the line,
   such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s),
   the line technology (DSL or fibre), the time zone where the MA is
   located, and the type of home gateway and MA.  These parameters are
   already gathered and stored by existing operations systems.  They may
   affect the choice of what Measurement Tasks to run and how to
   interpret the Measurement Results.  For example, a download test
   suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s
   line.

   A results repository records all Measurement Results in an equivalent
   form, for example an SQL database, so that they can easily be
   accessed by the data analysis tools.

   The data analysis tools also
   need to understand the Subscriber's service information, for example
   the broadband contract.

   The data analysis tools receive the results from the Collector or via
   the Results repository.  They might visualise the data or identify
   which component or link is likely to be the cause of a fault or
   degradation.  This information could help the Controller decide what
   follow-up Measurement Task to perform in order to diagnose a fault.
   The operator's OAM (Operations, Administration, and Maintenance) uses data analysis tools also need to understand the results from Subscriber's
   service information, for example the tools. broadband contract.

                                                                 ^
                                                                 |
                                    Active    +-------------+    IPPM
               +---------------+  Measurement +-------------+ | Measurement |    Scope
      +------->|
               | Measurement   |<------------>| Measurement     Peer    |    v    |
               |   Agent       |   Traffic    |     Peer    +-------------+    v
      +------->|               |                                 ^
      |        +---------------+              +-------------+                                 |
      |              ^      |                                    |
      |  Instruction |      |  Report                            |
      |              |      +-----------------+                  |
      |              |                        |                  |
      |              |                        v                  LMAP
      |         +------------+             +------------+        Scope
      |         | Controller |             |  Collector |        |
      |         +------------+             +------------+        v
      |                ^   ^                       |             ^
      |                |   |                       |             |
      |                |   +----------+            |             |
      |                |              |            v             |
   +------------+   +----------+    +--------+    +----------+   |
   |Bootstrapper|   |Subscriber|--->|  data  |<---|repository|   Out
   +------------+   |parameter |    |analysis|    +----------+   of
                    |database  |    | tools  |                   Scope
                    +----------+    +--------+                   |
                                                                 |
                                                                 v

   Figure 1: Schematic of main elements of an LMAP-based
   measurement system
   (showing the elements in and out of the scope of the LMAP WG)

3.  Terminology

   This section defines terminology for LMAP.  Please note that defined
   terms are capitalized.

   Active Measurement Method (Task): A type of Measurement Method (Task)
   that involves in
   which a Measurement Agent and a creates or receives Active Measurement Peer (or possibly
   Peers), where either the
   Traffic, by coordinating with one or more other Measurement Agent Agents or the
   Measurement Peer
   injects Peers using protocols outside LMAP's scope.

   Active Measurement Traffic into the network destined for the
   other, and which involves one of them measuring some performance or
   reliability parameter associated with the transfer of the traffic.

   Active Measurement Traffic: Traffic: the packet(s) generated by the
   Measurement Agent and/or the Measurement Peer, as part of in order to
   execute an Active Measurement Task.

   Bootstrap: A process that initialises integrates a Measurement Agent with the
   information necessary to be integrated into a
   measurement system.

   Capabilities: Information about the Measurement Methods that the MA
   can perform and the device hosting the MA, for example its interface
   type and speed and its IP address. speed, but not dynamic information.

   Channel: an Instruction Channel, Report Channel A bi-directional logical connection that is defined by a
   specific Controller and MA, or MA-to-Controller
   Channel Collector and MA, plus associated
   security.

   Collector: A function that receives a Report from a Measurement
   Agent.

   Composite Metric: A Metric that is a combination of other Metrics,
   and/or a combination of the same Metric measured over different parts
   of the network or at different times.

   Controller: A function that provides a Measurement Agent with
   Instruction(s). its
   Instruction.

   Control Channel: a communications channel Channel between a Controller and a
   MA, which is defined by a specific Controller, MA and associated
   security, and over which Instructions
   Instruction Messages and Capabilities and Failure information are
   sent.

   Control Protocol: The protocol delivering Instruction(s) from a
   Controller to a Measurement Agent.  It also delivers Failure
   Information and Capabilities Information from the Measurement Agent
   to the Controller.

   Cycle-ID: (optional) A tag that is sent by the Controller in an Instruction and
   echoed by the MA in its Report.  The same Cycle-ID is used by several
   MAs that use the same Measurement Method with the same Input
   Parameters.  Hence the Cycle-ID allows the Collector to easily
   identify Measurement Results that should be comparable.

   Data Model: The implementation of an Information Model in a
   particular data modelling language. language [RFC3444].

   Data Transfer Method: The process whereby: a Controller transfers
   information over a Control Channel to a MA; or a MA transfers
   information over a Control Channel to a Controller; or a MA transfers
   information over a Report Channel to a Collector; the generalisation
   of a Data Transfer Task.

   Data Transfer Task: The act consisting of the (single) operation of a
   Data Transfer Method at a particular time.

   Environmental Constraint: A parameter that is measured as part of the
   Measurement Task, its value determining whether the rest of the
   Measurement Task proceeds.

   Failure Information: Information about the MA's failure to action or
   execute an Instruction, whether concerning Measurement Tasks or
   Reporting.

   Group-ID: (optional) An identifier of a group of MAs.

   Information Model: The protocol-neutral definition of the semantics
   of the Instructions, the Report, the status of the different elements
   of the measurement system as well of the events in the system. system
   [RFC3444].

   Input Parameter: A parameter whose value is left open by the
   Measurement Method and is set to a specific value in a Measurement
   Task.  Altering the value of an Input Parameter does not change the
   fundamental nature of the Measurement Method.

   Instruction: The description of Measurement Tasks for a MA to perform
   and the details of the Report for it to send.  It is the collective
   description of the Measurement Task configurations, the configuration
   of the Report Channel(s), the configuration of Data Transfer Tasks,
   the configuration of the Measurement Schedules, and the details of
   any suppression.

   Instruction Message: The message that carries an Instruction is sent by from a
   Controller to a Measurement Agent.

   MA-to-Controller Channel: a communications channel between a MA and a
   Controller, which is defined by a specific Controller, MA and
   associated security, and over which Capabilities and Failure
   Information is sent.

   Measurement Agent (MA): The function that receives Instructions Instruction
   Messages from a Controller, performs Controller and operates the Instruction by executing
   Measurement Tasks (perhaps (using protocols outside LMAP's scope and perhaps
   in concert with a one or more other Measurement Agents or Measurement Peer)
   Peers) and reports (if part of the Instruction) by reporting Measurement
   Results to a Collector. Collector or Collectors.

   Measurement Agent Identifier (MA-ID): a UUID [RFC4122], which [RFC4122] that
   identifies a particular MA and is configured as part of the
   Bootstrapping and included in a
   Capabilities message, Failure Information message and optionally in a
   Report. process.

   Measurement Method: The process for assessing the value of a Metric;
   the process of measuring some performance or reliability parameter; parameter
   associated with the transfer of traffic; the generalisation of a
   Measurement Task.

   Measurement Peer: Peer (MP): The function that receives control messages and
   Active Measurement Traffic from assists a Measurement Agent
   with Measurement Tasks and may reply does not have an interface to the Measurement Agent as defined by the Active Measurement Method.
   Controller or Collector.

   Measurement Result: The output of a single Measurement Task (the
   value obtained for the parameter of interest or Metric).

   Measurement Schedule: the The schedule for performing Measurement Tasks.

   Measurement Suppression: a type of Instruction that temporarily stops
   (suppresses) Active Measurement Tasks.

   Measurement Task: The act that yields a single Measurement Result;
   the act consisting of consistsof the (single) single operation of the
   Measurement Method at a particular time and with all its parameters Input
   Parameters set to specific values.

   Metric: The quantity related to the performance and reliability of
   the network that we'd like to know the value of, and that is
   carefully specified.

   Passive Measurement Method (Task): A Measurement Method (Task) in
   which a Measurement Agent observes existing traffic but does not
   inject Active Measurement Traffic.

   Report: The set of Measurement Results and other associated
   information (as defined by the Instruction).  The Report is sent by a
   Measurement Agent to a Collector.

   Report Channel: a communications channel between a MA and a
   Collector, which is defined by a specific MA, Collector, Report
   Schedule and associated security, and over which Reports are sent.

   Report Protocol: The protocol delivering Report(s) from a Measurement
   Agent to a Collector.

   Report Schedule: the schedule for sending one or more Reports to a Collector.

   Subscriber: An entity (associated with one or more users) that is
   engaged in a subscription with a service provider.  The Subscriber is
   allowed to subscribe and un-subscribe services, and to register a
   user or a list of users authorized to enjoy these services.  [Q1741]  [Q1741].
   Both the Subscriber and service provider are allowed to set the
   limits relative to the use that associated users make of subscribed
   services.

   Suppression: the temporary cessation of Active Measurement Tasks.

4.  Constraints

   The LMAP framework makes some important assumptions, which constrain
   the scope of the work to be done.

4.1.  Measurement system is under the direction of a single organisation

   In the LMAP framework, the measurement system is under the direction
   of a single organisation that is responsible both for the data and
   the any impact that
   measurements have on a user's quality of experience delivered to its users. and privacy.
   Clear responsibility is critical given that a misbehaving large-scale
   measurement system could potentially harm user experience, user
   privacy and network security.

   However, the components of an LMAP measurement system can be deployed
   in administrative domains that are not owned by the measuring
   organisation.  Thus, the system of functions deployed by a single
   organisation constitutes a single LMAP domain which may span
   ownership or other administrative boundaries.

4.2.  Each MA may only have a single Controller at any point in time

   A MA is instructed by one Controller and is in one measurement
   system.  The constraint avoids different Controllers giving a MA
   conflicting instructions and so means that the MA does not have to
   manage contention between multiple Measurement (or Report) Schedules.
   This simplifies the design of MAs (critical for a large-scale
   infrastructure) and allows a Measurement Schedule to be tested on
   specific types of MA before deployment to ensure that the end user
   experience is not impacted (due to CPU, memory or broadband-product
   constraints).

   An operator may have several Controllers, perhaps with a Controller
   for different types of MA (home gateways, tablets) or location
   (Ipswich, Edinburgh).

5.  LMAP Protocol Model

   A protocol model [RFC4101] presents an architectural model for how
   the protocol operates and needs to answer three basic questions:

   1.  What problem is the protocol trying to achieve?

   2.  What messages are being transmitted and what do they mean?

   3.  What are the important, but unobvious, features of the protocol?

   An LMAP system goes through the following phases:

   o  a bootstrapping process before the MA can take part in the other
      three phases

   o  a Control Protocol, which delivers an Instruction from a
      Controller to a MA, detailing what Measurement Tasks the MA should
      perform and when, and how it should report the Measurement Results

   o  the actual Measurement Tasks are performed.  An Active Measurement
      Task involves sending Active Measurement Traffic between the
      Measurement Agent and a Measurement Peer, whilst a Passive
      Measurement Task involves (only) Tasks, which measure some performance or
      reliability parameter(s) associated with the Measurement Agent observing
      existing user traffic. transfer of packets.
      The LMAP WG does not define Measurement Methods, however the IPPM
      WG does.

   o  a Report Protocol, which delivers a Report from the MA to a
      Collector.  The Report contains the Measurement Results.

   In the

   The diagrams show the various LMAP messages and usesthe following convention is used:
   convention:

   o  (optional): indicated by round brackets

   o  [potentially repeated]: indicated by square brackets

   The protocol model is closely related to the Information Model
   [I-D.burbridge-lmap-information-model], which is the abstract
   definition of the information carried by the protocol model.  The
   purpose of both is to provide a protocol and device independent view,
   which can be implemented via specific protocols.  The LMAP WG will
   define a specific Control Protocol and Report Protocol, but others
   could be defined by other standards bodies or be proprietary.
   However it is important that they all implement the same Information
   Model and protocol model, in order to ease the definition, operation
   and interoperability of large-scale measurement systems.

   The diagrams show the various LMAP messages and Section 5.5 considers
   how they could be mapped onto an underlying transport protocol.

5.1.  Bootstrapping process

   The primary purpose of bootstrapping is to enable the a MA and
   Controller to be
   integrated into a measurement system.  In order to
   do that, the  The MA needs to retrieve retrieves information
   about itself (like its identity in the measurement system), system) and about
   the Controller, as well as the Controller learns information about the MA, and
   they learn about security information to communicate (such as
   certificates and credentials).

                                                        +--------------+
                                                        | Measurement  |
                                                        |  Agent       |
                                                        +--------------+
   (initial Controller details:
    address or FQDN,                      ->
    security credentials)

   +-----------------+
   |    initial      |
   |   Controller    |
   +-----------------+
                                          <-              (register)

   Controller details:
    address or FQDN,                      ->
    security credentials

   +-----------------+
   |                 |
   |   Controller    |
   +-----------------+
                                          <-              register
   MA-ID, (Group-ID),                     ->
   Control Channel,
   (Suppression Channel),
   MA-to-Controller Channel

   The MA knows how to contact a Controller through some device /access
   specific mechanism.  For example, this could be in

   Whilst the firmware,
   downloaded, manually configured or via a protocol like TR-069.  The
   Controller could either be LMAP WG considers the one that will send bootstrapping process, it Instructions or
   else an initial Controller (whose details may be statically
   configured).  The role of an initial Controller is simply to inform
   the MA how out of
   scope to contact its actual Controller, for example its FQDN
   (Fully Qualified Domain Name) [RFC1035].

   The MA learns its identifier (MA-ID).  It may also be told define a Group-ID bootstrap mechanism, as it depends on the type of
   device and whether to include access.

   As a result of the MA-ID as well as bootstrapping process the Group-ID in MA learns the following
   information:

   o  its
   Reports. identifier, MA-ID

   o  (optionally) a Group-ID.  A Group-ID would be shared by several
      MAs and could be useful for privacy reasons, for instance to
      hinder tracking of a mobile device.

   The MA is also told about device

   o  the Control Channel over Channel, which it will
   receive Instructions from is defined by:

      *  the Controller, in particular address of the
   associated Controller (such as its FQDN (Fully
         Qualified Domain Name) [RFC1035])

      *  security information, for information (for example to enable the MA to decrypt
         the Instruction.  Optionally any Suppression Instruction Message and encrypt messages can be sent over a different Channel.  The MA is also informed about the MA-
   to-Controller Channel, over which to the MA can tell
         Controller)

      *  the Controller
   about its Capabilities and any Failure Information.  This consists name of
   the address this Control Channel

   The details of the Controller, for instance its URL, and security
   details for MA-to-Controller messages.

   The MA may tell bootstrapping process are device /access specific.
   For example, the Controller its Capabilities, information could be in particular the
   Measurement Methods it can perform.

   If the device with the MA re-boots, then the MA needs to re-register,
   so that it can receive a new Instruction.  To avoid a "mass calling
   event" after firmware, manually
   configured or transferred via a widespread power restoration affecting many MAs, it is
   sensible for an MA to pause for protocol like TR-069.  There may be a random delay (perhaps in the range
   of one minute or so) before re-registering.

   Whilst
   multi-stage process where the LMAP WG considers MA contacts the bootstrapping process, it is out of
   scope to define device at a bootstrap mechanism, as it depends on 'hard-
   coded' address, which replies with the type of
   device and access. boostrapping information.

5.2.  Control Protocol

   The primary purpose of the Control Protocol is to allow the
   Controller to configure a Measurement Agent with an Instruction about
   what Measurement Tasks to do, when to do them, and how to report the
   Measurement Results. Results (Section 5.2.1).  The Measurement Agent then acts
   on the Instruction autonomously.  The Control Protocol also enables
   the MA to inform the Controller about its Capabilities and any
   Failures (Section 5.2.2).

5.2.1.  Instruction

   The Instruction is the description of the Measurement Tasks for a
   Measurement Agent to do and the details of the Measurement Reports
   for it to send.  In order to update the Instruction the Controller
   uses a Data Transfer Task to send an Instruction Message over the
   Control Channel.

+-----------------+                                      +-------------+
|                 |                                      | Measurement |
|  Controller     |===================================|     |======================================|  Agent      |
+-----------------+                                      +-------------+

(Capabilities request)                   ->
                                         <-            Capabilities
ACK                                      ->

Instruction:                            ->
[(Measurement Task (Input Parameters)),  -> configuration(
   [Input Parameter],
   (interface),
   (Cycle-ID))),
 (Report Channel),
 (Data Transfer Task),
 (Measurement Schedule),
 (Report Channel(s))]
                                         <-              ACK
 (Suppression information)]
                                         <-         Failure Information:
                                                    [reason]
ACK                                      ->          Response(details)

   The Controller needs to know Instruction defines the Capabilities following:

   o  the Measurement Task configurations, each of which needs:

      *  the MA, and in
   particular what Measurement Methods it supports, so that it can
   correctly instruct Method, specified as a URN to a registry entry.
         The registry could be defined by the MA.  It is possible that IETF
         [I-D.manyfolks-ippm-metric-registry], locally by the Controller knows
   the MA's Capabilities via some mechanism beyond the scope of LMAP,
   such as a device-specific protocol.  In LMAP, the MA can inform the
   Controller about its Capabilities.  This message could be sent in
   several circumstances: when the MA first communicates with a
   Controller; when the MA becomes capable of a new Measurement Method;
   when requested by the Controller (for example, if the Controller
   forgets what the MA can do or otherwise wants to resynchronize what
   it knows about the MA).  Note that Capabilities do not include
   dynamic information like the MA's currently unused CPU, memory or
   battery life.

   A single Instruction message contains one, two, three or all four of
   the following elements:

   o  configuration of all the Measurement Tasks, each of which needs:

      *  the Measurement Method, specified as a URN to a registry entry.
         The registry could be defined by the IETF
         [I-D.bagnulo-ippm-new-registry-independent], locally by the
         operator of operator
         of the measurement system or perhaps by another standards
         organisation.

      *  any Input Parameters that need to be set for the Measurement
         Method, such as the address of the Measurement Peer (or other
         Measurement Agent) that are involved in an Active Measurement
         Task

      *  if the device with the MA has multiple interfaces, then the
         interface to use (if not defined, then the default interface is
         used)

      *  optionally, a Cycle-ID (a tag that may help the data analysis
         tools identify Measurement Results that should be comparable)

      *  a name for this Measurement Task configuration

   o  configuration of all the Report Channels, each of which needs:

      *  the address of the Collector, for instance its URL

      *  the timing of when to report Measurement Results, for example
         every hour or immediately

      *  security for sending the Report, this Report Channel, for example the X.509
         certificate

      *  a name for this Report Channel

   o  the set  configuration of periodic Measurement Schedules, the Data Transfer Tasks, each of which needs:

      *  the name of one or several Measurement Task configurations the Channel to use

      *  the timing of when the Measurement Tasks are to be performed.
         Possible types of timing are periodic and calendar-based
         periodic operate this Data Transfer Task

      *  the name of a Report Channel or Channels on which  whether to report include the MA-ID &/or Group-ID in a Measurement Results
         Report

      *  a name for this Measurement Schedule

   o  the set of one-off Data Transfer Task

      A Data Transfer Task may concern the reporting of Measurement
      Results (when the timing could be every hour or immediately, for
      instance).  Alternatively, a Data Transfer Task may concern the MA
      informing the Controller about its Capabilities or any Failures.

   o  configuration of the Measurement Schedules, each of which needs needs:

      *  the
      same items as for a periodic name of one or several Measurement Schedule, except that Task configurations

      *  the
      possible timing of when the Measurement Tasks are to be performed.
         Possible types of timing are periodic, calendar-based periodic,
         one-off immediate and one-off at a future time. time

      *  the name of a Data Transfer Task or Tasks on which to report
         the Measurement Results

      *  a name for this Measurement Schedule

   o  Suppression information, if any (see Section 5.2.1.1)

   A single Instruction message contains one, two, three Message may contain some or all four of the above elements.  This allows the different elements to be updated
   independently at different times and intervals, for example it
   parts.  The finest level of granularity possible in an Instruction
   Message is
   likely that determined by the periodic Measurement Schedule will be updated more
   often than implementation and operation of the other elements.

   Note that an Instruction message replaces (rather than adds to) those
   elements that it includes.
   Control Protocol.  For example, if the message includes
   (only) a periodic Measurement Schedule, then that replaces the old
   periodic single Instruction Message may be
   able to add or update an individual Measurement Schedule but does not alter - or it may
   only be able to update the configuration complete set of
   the Measurement Tasks and Report Channels.

   Periodic Schedules; a
   single Instruction Message may be able to update both Measurement
   Schedules contain the name of one or several and Measurement Task configurations that are to be carried out on - or only one at a
   recurring basis, whilst one-off Measurement Schedules contain non-
   recurring Measurement Tasks.  One-off
   time; and periodic Measurement
   Schedules are kept separate so that on.

   The MA informs the Controller can instruct the
   MA to perform an ad hoc Measurement Task (for instance to help
   isolate a fault) without having to re-notify the MA about the
   periodic Measurement Schedule.

   Note that it has successfully understood the
   Instruction informs the MA; the Control Protocol does
   not allow the MA to negotiate, as this would add complexity to the
   MA, Controller and Control Protocol for little benefit.

   The MA can inform the Controller about a Failure.  There are two
   broad categories of failure: (1) the MA Message, or that it cannot action the Instruction
   (for - for
   example, if it doesn't include a parameter that is mandatory for the
   requested Measurement Method; Method, or it is missing details of the target Collector). (2) the MA cannot execute the Measurement Task or
   deliver the Report (for example,
   Collector.

   The Instruction Message instructs the MA unexpectedly has no spare CPU
   cycles; or MA; the Collector is not responding).  Note that it is Control Protocol does
   not
   considered a failure if a Measurement Task (correctly) doesn't start;
   for example if allow the MA detects cross-traffic, to negotiate, as this is reported would add complexity to the
   Collector in the normal manner.  Note also that the MA does not
   inform the Controller about normal operation of its Measurement Tasks
   and Reports.

   In the Figure, ACK means that the message has been delivered
   successfully.

   Finally, note that the MA doesn't do a 'safety check' with the
   Controller (that it should still continue with the requested
   Measurement Tasks) - nor does it inform the
   MA, Controller about
   Measurement Tasks starting and stopping.  It simply carries out the
   Measurement Tasks as instructed, unless it gets an updated
   Instruction.

   The LMAP WG will define a Control Protocol and its associated Data
   Model that implements the Protocol & Information Model.  This for little benefit.

5.2.1.1.  Suppression

   The Instruction may be
   a simple instruction-response protocol.

5.2.1.  Measurement include Suppression

   Measurement information.  Suppression is
   used if the measurement system wants to eliminate inessential
   traffic, because there is some unexpected network issue for example.  The Controller instructs
   By default, Suppression means that the MA to
   temporarily does not begin any new
   Active Measurement Tasks.  By default,
   suppression applies to all Task.  The impact on other Measurement Tasks is
   not defined by LMAP; since they do not involve the MA creating any
   Active Measurement Tasks, Traffic there is no need to suppress them, however
   it may be simpler for an implementation to do so.  Also, by default
   Suppression starts immediately and continues until an un-suppress
   message is received.  Optionally the suppress message Suppression information may
   include:

   o  a set of Active Measurement Tasks to suppress; the others are not
      suppressed.  For example, this could be useful if a particular
      Measurement Task may be is overloading a Measurement Peer.

   o  a set of Measurement Schedules to suppress; the others are not
      suppressed.  For example, suppose the measurement system has
      defined two Schedules, one with the most critical Active Measurement
      Tasks and the other with less critical ones that create a lot of traffic,
      Active Measurement Traffic, then it may only want to suppress the
      second.

   o  a start time, at which suppression begins

   o  an end time, at which suppression ends.

   It is not standardised what the impact of Suppression is on:

   o  Passive Measurement Tasks; since they do not create any Active
      Measurement Traffic there is no need to suppress them, however it
      may be simpler for an implementation to do so ends

   o  that the MA should end its on-going Active Measurement Tasks; see Section 5.3 Task(s).

   Note that Suppression is not intended to permanently stop a
   Measurement Task (instead, the Controller should send a new
   Measurement Schedule), nor to permanently disable a MA (instead, some
   kind of management action is suggested).

   +-----------------+                                   +-------------+
   |                 |                                   | Measurement |
   |  Controller     |===================================|  Agent      |
   +-----------------+                                   +-------------+

   Suppress:
   [(Measurement Task),                     ->
    (Measurement Schedule),
    start time,
    end time]
                                            <-              ACK time,
    on-going suppressed?]

   Un-suppress                              ->
                                            <-              ACK

5.3.  Starting

5.2.2.  Capabilities and stopping Measurement Tasks

   The LMAP WG is neutral to what the actual Measurement Task is. Failure information

   The
   WG does not define a generic start and stop process, since the
   correct approach depend on Control Protocol also enables the particular Measurement Task; MA to inform the
   details are defined Controller
   about various information, such as part of each Measurement Method, its Capabilities and hence
   potentially any Failures,
   by the IPPM WG.  This section provides some general
   hints.

   Once MA operating a Data Transfer Task.  It is also possible that a
   device-specific mechanism beyond the scope of LMAP is used.

   Capabilities are information about the MA gets its Measurement and Report Schedules from its that the Controller then it acts autonomously, needs
   to know in terms of operation of order to correctly instruct the
   Measurement Tasks and reporting of MA, such as:

   o  the result.  One implication is Measurement Methods that the MA initiates Measurement Tasks.  As an example, for supports
   o  the
   common case where interfaces that the MA is on a home gateway, has

   o  the version of the MA initiates a
   'download speed test' by asking a Measurement Peer to send

   o  the file.

   Many Active Measurement Tasks begin version of the hardware, firmware or software of the device
      with a pre-check before the test
   traffic is sent.  Action could include: MA

   o  but not dynamic information like the currently unused CPU, memory
      or battery life of the device with the MA.

   The MA checking that there is no cross-traffic; could do this in other words, response to a
      check that request from the user isn't already sending traffic;

   o Controller
   (for example, if the Controller forgets what the MA checking with can do or
   otherwise wants to resynchronize what it knows about the Measurement Peer that MA) or on
   its own initiative (for example when the MA first communicates with a
   Controller or if it can handle becomes capable of a new Measurement Task (in case Method).
   Another example of the Measurement Peer latter case is already handling
      many Measurement Tasks with other MAs);

   o if the first part of device with the Measurement Task consisting of traffic that
      probes MA re-
   boots, then the path MA should notify its Controller in case its
   Instruction needs to make sure be updated; to avoid a "mass calling event"
   after a widespread power restoration affecting many MAs, it isn't overloaded.

   It is possible that similar checks continue during
   sensible for an MA to pause for a random delay, perhaps in the Measurement
   Task, especially range
   of one that minute or so.

   Failure information is long-running and/or creates a lot sent on the initiative of
   Active the MA and concerns
   why the MA has been unable to execute a Measurement Traffic, which may be abandoned whilst in-
   progress.  A Task or Data
   Transfer Task, for example:

   o  the Measurement Task could also be abandoned in response failed to
   a "suppress" message (see Section 5.2.1).  Action could include:

   o  For 'upload' tests, run properly because the MA not sending traffic
      (unexpectedly) has no spare CPU cycles

   o  For 'download' tests,  the MA closing failed record the TCP connection or sending
      a TWAMP Stop control message [RFC5357].

   The Controller may want Measurement Results because it
      (unexpectedly) is out of spare memory

   o  a MA Data Transfer Task failed to run deliver Measurement Results because
      the same Collector (unexpectedly) is not responding

   o  but not if a Measurement Task
   indefinitely (for correctly doesn't start.  For
      example, "run the 'upload speed' first step of some Measurement Task
   once an hour until further notice").  To avoid Methods is for the MA generating
   traffic forever after
      to check there is no cross-traffic.

   Logging information is sent by the MA in response to a Controller has permanently failed, request from
   the Controller; it concerns how the MA is
   suggested that operating and may help
   debugging, for example:

   o  the Measurement Schedule includes a last time limit ("run the 'upload speed' MA ran a Measurement Task once an hour for the next 30
   days") and that

   o  the Measurement Schedule is updated regularly (say,
   every 10 days).

   {Comment: It is possible that last time the set of measurement schedules
   implies overlapping MA sent a Measurement Tasks.  It is not clear Report

   o  the best
   thing to do.  Our current suggestion is to leave this to last time the protocol
   document.}

5.4.  Report Protocol

   The primary purpose of MA received an Instruction Message
   o  whether the Report Protocol MA is to allow a Measurement
   Agent to report its currently Suppressing Measurement Results to a Collector, and the
   context in which they were obtained. Tasks

   .

 +-----------------+                                   +-------------+
 |                 |                                   | Measurement |
 |   Collector  Controller     |===================================|  Agent      |
 +-----------------+                                   +-------------+

                                     <-          Report:
                                                   [MA-ID &/or Group-ID,
                                                    Measurement Results,
                                            details of Measurement Task]
  ACK

 (Capabilities request)                   ->

   The Report contains:

   o  the MA-ID or a Group-ID (to anonymise results)

   o
                                          <-         Capabilities

                                          <-         Failure Information
                                                     [reason]

 Logging request                          ->
                                          <-         Logging Information
                                                     [details]

5.3.  Operation of Measurement Tasks

   The LMAP WG is neutral to what the actual Measurement Results, including Task is.  It
   does not define Measurement Methods, however the time they were
      measured

   o IPPM WG does.

   The MA carries out the details Measurement Tasks as instructed, unless it
   gets an updated Instruction.  The MA acts autonomously, in terms of
   operation of the Measurement Task (to avoid Tasks and reporting of the Collector having Results; it
   doesn't do a 'safety check' with the Controller to ask whether it
   should still continue with the Controller for this information later) requested Measurement Tasks.

5.3.1.  Starting and Stopping Measurement Tasks

   The MA sends Reports as WG does not define a generic start and stop process, since the
   correct approach depends on the particular Measurement Task; the
   details are defined by as part of each Measurement Method.  This section
   provides some general hints.  The MA does not inform the Report Channel in Controller
   about Measurement Tasks starting and stopping.

   Before sending Active Measurement Traffic the
   Controller's Instruction.  It MA may run a pre-check.
   Action could include:

   o  the MA checking that there is possible no cross-traffic.  In other words, a
      check that the Instruction tells end-user isn't already sending traffic;

   o  the MA to report checking with the same Results to more than one Collector, or to
   report a different subset of Results to different Collectors.  It is
   also possible Measurement Peer (or other Measurement
      Agent involved in the Measurement Task) that it can handle a new
      Measurement Task may create two (or more) (in case, for example, the Measurement Results, which could be reported differently (for
   example, one Result could be reported periodically, whilst the second
   Result could be an alarm that Peer is created as soon as
      already handling many Measurement Tasks with other MAs);

   o  the measured
   value first part of the Metric crosses a threshold and that is reported
   immediately).

   Optionally, a Report is not sent when there are no Measurement
   Results.

   In the initial LMAP Information Model and Report Protocol, for
   simplicity we assume that all Measurement Results are reported as-is,
   but allow extensibility so that a measurement system (or perhaps a
   second phase Task consisting of LMAP) could allow a MA traffic that
      probes the path to pre-process Measurement
   Results before make sure it reports them.  Potential examples of pre-processing
   by the MA are: isn't overloaded;

   o  labelling, or perhaps not including, Measurement Results impacted
      by, for instance, cross-traffic or  the Measurement Peer being busy

   o  not reporting first part of the Measurement Results if Task checking that the device
      with the MA believes that they
      are invalid

   o  detailing when suppression started and ended

   o  filtering outlier Results

   o  calculating some statistic like average (beyond that defined by has enough resources to execute the Measurement Task itself)

   The
      reliably.  Note that the designer of the measurement system may define what happens if a Collector
   unexpectedly does not hear from a MA, for example should
      ensure that the Controller
   could send a fresh Report Schedule device's capabilities are normally sufficient to
      comfortably operate the MA.

   The LMAP WG will define a Report Protocol and its associated Data
   Model Measurement Tasks.

   It is possible that implements similar checks continue during the Information Model and protocol model.  This
   may be Measurement
   Task, especially one that is long-running and/or creates a simple instruction-response protocol.

5.5.  Operation lot of LMAP over the underlying transport protocol

   The above sections have described LMAP's protocol model.  The LMAP
   working group will also specify how it operates over an existing
   protocol,
   Active Measurement Traffic, and might lead to be selected, for example REST-style HTTP(S).  It is it being abandoned
   whilst in-progress.  A Measurement Task could also
   possible that a different choice is made for the Control and Report
   Protocols, for example NETCONF-YANG and IPFIX respectively.  It is
   even possible that be abandoned in
   response to a different choice "suppress" message (see Section 5.2.1).  Action could be made for Suppression
   and for other Instruction messages.
   include:

   o  For 'upload' tests, the Control Protocol, the underlying transport protocol could be: MA not sending traffic

   o  a 'push' protocol (that is, from  For 'download' tests, the Controller to MA closing the MA)

   o TCP connection or sending
      a multicast protocol (from the TWAMP Stop control message [RFC5357].

   The Controller to a group of MAs)

   o may want a 'pull' protocol.  The MA periodically checks with Controller if to run the same Measurement Task
   indefinitely (for example, "run the 'upload speed' Measurement Task
   once an hour until further notice").  To avoid the Instruction has changed and pulls a new Instruction if
      necessary.  A pull protocol seems attractive for a MA behind generating
   traffic forever after a NAT
      (as Controller has permanently failed, it is typical for
   suggested that the Measurement Schedule includes a MA on time limit ("run
   the 'upload speed' Measurement Task once an end-user's device), so hour for the next 30
   days") and that it can
      initiate the communications.  A pull mechanism Measurement Schedule is likely to
      require the MA to be configured with how frequently it should
      check in with the Controller, and perhaps what it should do if the
      Controller updated regularly (say,
   every 10 days).

5.3.2.  Overlapping Measurement Tasks

   It is unreachable after a certain number of attempts.

   o possible that a hybrid protocol.  In addition to MA starts a pull protocol, new Measurement Task before another
   Measurement Task has completed.  This may be intentional (the way
   that the Controller
      can measurement system has designed the Measurement Schedules),
   but it could also push be unintentional - for instance, if a Measurement
   Task has a 'wait for X' step which pauses for an alert to unexpectedly long
   time.  The operator of the MA that measurement system can handle (or not)
   overlapping Measurement Tasks in any way they choose - it should immediately pull is a
      new Instruction.

   For the Report Protocol, policy
   or implementation issue and not the underlying transport protocol could be:

   o  a 'push' protocol (that is, from concern of LMAP.  Some possible
   approaches are: to configure the MA not to begin the Collector)
   o  perhaps supplemented by second
   Measurement Task; to start the ability second Measurement Task as usual; for
   the Collector action to 'pull'
      Measurement Results from a MA.

5.6.  Items beyond the scope of the LMAP Protocol Model

   There are several potential interactions between LMAP elements that
   are out of scope be an Input Parameter of definition by the LMAP WG:

   1.  It does not define a coordination process between MAs.  Whilst a
       measurement system may define coordinated Measurement Schedules
       across its various MAs, there is no direct coordination between
       MAs.

   2.  It does not define interactions between the Collector Task; and
       Controller. so
   on.

   It is quite likely that there will to be such
       interactions, optionally intermediated by important to include in the data analysis
       tools.  For example if there is an "interesting" Measurement
       Result then Report the measurement system may want to trigger extra
       Measurement Tasks
   fact that explore the potential cause in more
       detail.

   3.  It does not define coordination between different measurement
       systems.  For example, it does not define the interaction of a MA
       in one measurement system Measurement Task overlapped with another.

5.4.  Report Protocol

   The primary purpose of the Report Protocol is to allow a Controller or Collector in Measurement
   Agent to report its Measurement Results to a
       different measurement system.  Whilst it is likely that Collector, along with
   the
       Control and context in which they were obtained.

 +-----------------+                                   +-------------+
 |                 |                                   | Measurement |
 |   Collector     |===================================|  Agent      |
 +-----------------+                                   +-------------+

                                    <-    Report:
                                                  [MA-ID &/or Group-ID],
                                                    [Measurement Result
                                          [details of Measurement Task]]
 ACK                                ->

   The Report Protocols could be re-used contains:

   o  the MA-ID or adapted for this
       scenario, any form of coordination between different
       organisations involves difficult commercial and technical issues
       and so, given a Group-ID (to anonymise results)

   o  the novelty of large-scale measurement efforts, any
       form of inter-organisation coordination is outside actual Measurement Results, including the scope time they were
      measured

   o  the details of the LMAP WG.  Note that a single MA is instructed by a single Measurement Task (to avoid the Collector having
      to ask the Controller and is only in one measurement system.

       *  An interesting scenario is where a home contains two
          independent MAs, for example one controlled by a regulator and
          one controlled by an ISP.  Then this information later)

   o  perhaps the Active Measurement Traffic
          of one Subscriber's service parameters (see Section 5.4.1).

   The MA is treated sends Reports as defined by the other MA just like any other user
          traffic.

   4. Data Transfer Task in the
   Controller's Instruction.  It does not consider how is possible that the Instruction tells
   the MA to prevent a malicious party "gaming report the
       system".  For example, where a regulator is running same Results to more than one Collector, or to
   report a measurement
       system in order different subset of Results to benchmark operators, different Collectors.  It is
   also possible that a malicious operator Measurement Task may create two (or more)
   Measurement Results, which could try to identify be reported differently (for
   example, one Result could be reported periodically, whilst the broadband lines second
   Result could be an alarm that is created as soon as the regulator was
       measuring measured
   value of the Metric crosses a threshold and prioritise that traffic.  It is assumed this is a
       policy issue and would be dealt with through reported
   immediately).

   Optionally, a code of conduct
       for instance.

   5.  It does Report is not define how to analyse sent when there are no Measurement Results, including
       how to interpret missing
   Results.

   6.  It does not specifically define a enduser-controlled measurement
       system, see sub-section 5.6.1.

5.6.1.  Enduser-controlled measurement system

   The WG concentrates on the cases where an ISP or a regulator runs

   In the
   measurement system.  However, initial LMAP Information Model and Report Protocol, for
   simplicity we expect assume that LMAP functionality will
   also be used in the context of an enduser-controlled measurement
   system.  There all Measurement Results are at least two ways this could happen (they have
   various pros and cons):

   1.  an enduser could somehow request the ISP- (or regulator-) run reported as-is,
   but allow extensibility so that a measurement system to test his/her line.  The ISP (or regulator)
       Controller would then send an Instruction to the perhaps a
   second phase of LMAP) could allow a MA in to:

   o  label, or perhaps not include, Measurement Results impacted by,
      for instance, cross-traffic or the usual
       LMAP way.  Note that a user can't directly initiate Measurement Peer (or other
      Measurment Agent) being busy

   o  label Measurement Results obtained by a Measurement Task on an ISP- (or regulator-) controlled MA.

   2.  an enduser could deploy their own measurement system, that
      overlapped with their
       own MA, Controller and Collector.  For example, the user could
       implement all three functions onto the same enduser-owned end
       device, perhaps by downloading the functions from another

   o  not report the ISP or
       regulator.  Then Measurement Results if the LMAP Control MA believes that they
      are invalid

   o  detail when Suppression started and Report Protocols do not
       need ended

5.4.1.  Reporting of Subsriber's service parameters

   The Subscriber's service parameters are information about his/her
   broadband contract, line rate and so on.  Such information is likely
   to be used, but using LMAP's Information Model would still
       be beneficial.  The needed to help analyse the Measurement Peer Results, for example to
   help decide whether the measured download speed is reasonable.

   The information could be in transferred directly from the home gateway
       or outside Subscriber
   parameter database to the home network; in data analysis tools.  It may also be
   possible to transfer the latter case information via the Measurement
       Peer MA.  How (and if) the MA
   knows such information is highly likely to be run by a different organisation,
       which raises extra privacy considerations.

   In both cases there will be some way for the user to initiate depend on the
   Measurement Task(s). device type.  The mechanism is out-of-scope of the LMAP WG,
   but
   MA could either include the user clicking information in a button on a GUI Measurement Report or sending
   run a
   text message.  Presumably separate Data Transfer Task.  All such considerations are out
   of scope of LMAP.

5.5.  Operation of LMAP over the user underlying transport protocol

   The above sections have described LMAP's protocol model.  As part of
   the design of the Control and Report Protocols, the LMAP working
   group will also be able specify operation over an existing protocol, to see the
   Measurement Results, perhaps summarised on a webpage. be
   selected, for example REST-style HTTP(S).  It is
   suggested also possible that these interfaces conform to the LMAP guidance on the
   privacy in Section 8.

6.  Deployment considerations

6.1.  Controller

   The Controller should understand both a
   different choice is made for the MA's LMAP Capabilities (for
   instance what Measurement Methods it can perform) Control and about the MA's
   other capabilities like processing power Report Protocols, for
   example NETCONF-YANG and memory.  This allows IPFIX respectively.

   From an LMAP perspective, the Controller needs to make sure know that the Measurement Schedule of Measurement
   Tasks and the Reporting Schedule are sensible for each MA
   has received the Instruction Message, or at least that it
   Instructs.

   An Instruction is likely needs to include several Measurement Tasks.
   Typically these run at different times, but be
   re-sent as it is also possible for
   them may have failed to run at the same time, if be delivered.  Similarly the Controller is sure that one Task
   will not affect MA
   needs to know about the Results delivery of another Task.

   The Capabilities and Failure
   information to the Controller should ensure that and Reports to the Active Measurement Tasks do not
   have an adverse effect Collector.  How this
   is done depends on the end user.  Typically Tasks, especially
   those that generate a substantial amount design of traffic, will include a
   pre-check that the user isn't already sending traffic (Section 5.3).
   Another consideration is whether Active Measurement Traffic will
   impact a Subscriber's bill or traffic cap.

   The different elements of Control and Report Protocols and
   the Instruction can be updated
   independently. underlying transport protocol.

   For example, the Measurement Tasks could be
   configured with different Input Parameters whilst keeping Control Protocol, the same
   Measurement Schedule.  In general this should not create any issues,
   since Measurement Methods should be defined so their fundamental
   nature does not change for a new value of Input Parameter.  There underlying transport protocol could be be:

   o  a problem if, for example, 'push' protocol (that is, from the Controller to the MA)

   o  a Measurement Task involving multicast protocol (from the Controller to a
   1kB file upload could be group of MAs)

   o  a 'pull' protocol.  The MA periodically checks with Controller if
      the Instruction has changed into and pulls a 1GB file upload. new Instruction if
      necessary.  A measurement system may have multiple Controllers (but note the
   overriding principle that pull protocol seems attractive for a single MA is instructed by behind a single
   Controller at any point in time (Section 4.2)).  For example, there
   could be different Controllers NAT
      (as is typical for different types of a MA (home
   gateways, tablets) or locations (Ipswich, Edinburgh), for load
   balancing or to cope with failure of one Controller.  One possibility
   is that Bootstrapping involves on an initial Controller, whose role end-user's device), so that it can
      initiate the communications.  A pull mechanism is
   simply likely to inform
      require the MA how to contact its actual Controller.

6.2.  Measurement Agent

   The Measurement Agent could take a be configured with how frequently it should
      check in with the Controller, and perhaps what it should do if the
      Controller is unreachable after a certain number of forms: attempts.

   o  a dedicated
   probe, software on hybrid protocol.  In addition to a PC, embedded into pull protocol, the Controller
      can also push an appliance, or even embedded
   into a gateway.  A single site (home, branch office etc.) alert to the MA that is
   participating in it should immediately pull a measurement
      new Instruction.

   For the Report Protocol, the underlying transport protocol could make use of one or multiple
   Measurement Agents in be:

   o  a single measurement.  If 'push' protocol (that is, from the site is multi
   homed there might be a Measurement Agent per interface.

   The MA to the Collector)

   o  perhaps supplemented by the ability for the Collector to 'pull'
      Measurement Agent could be deployed in Results from a variety of locations.
   Not all deployment locations are available to every kind MA.

5.6.  Items beyond the scope of
   Measurement Agent. the LMAP Protocol Model

   There are also a variety several potential interactions between LMAP elements that
   are out of limitations and
   trade-offs depending on the final placement.  The next sections
   outline some scope of definition by the locations LMAP WG:

   1.  It does not define a Measurement Agent coordination process between MAs.  Whilst a
       measurement system may be deployed.
   This define coordinated Measurement Schedules
       across its various MAs, there is no direct coordination between
       MAs.

   2.  It does not an exhaustive list and combinations may also apply.

   If define interactions between the Instruction includes several Measurement Tasks, these could Collector and
       Controller.  It is quite likely that there will be
   scheduled to run at different times or possibly at such
       interactions, optionally intermediated by the same time -
   some Tasks data analysis
       tools.  For example, if there is an "interesting" Measurement
       Result then the measurement system may be compatible, in want to trigger extra
       Measurement Tasks that they do explore the potential cause in more
       detail; or if the Collector unexpectedly does not affect each other's
   Results, whilst with others great care would need to be taken.

   The hear from a MA,
       then the measurement system also needs may want to consider carefully how trigger the Controller to
       send a fresh Instruction Message to
   interpret missing Results; for example, if the missing Results are
   ignored and MA.

   3.  It does not define coordination between different measurement
       systems.  For example, it does not define the lack interaction of a Report is caused by its broadband being
   broken, then the estimate of overall performance, averaged across all
   MAs, would be too optimistic.

6.2.1.  Measurement Agent embedded MA
       in site gateway

   A Measurement Agent embedded one measurement system with the site gateway, for example a
   home router Controller or the edge router of a branch office Collector in a managed
   service environment,
       different measurement system.  Whilst it is one of better places the Measurement Agent
   could be deployed.  All site-to-ISP traffic would traverse through likely that the gateway
       Control and passive measurements Report Protocols could easily be performed.
   Similarly, due to re-used or adapted for this user traffic visibility, an Active
   Measurements Task could be rescheduled so as not to compete with user
   traffic.  Generally NAT
       scenario, any form of coordination between different
       organisations involves difficult commercial and firewall services are built into the
   gateway, allowing the Measurement Agent technical issues
       and so, given the option to offer its
   Controller facing management interface outside novelty of the NAT/firewall.
   This placement large-scale measurement efforts, any
       form of inter-organisation coordination is outside the management interface allows scope of
       the LMAP WG.  Note that a single MA is instructed by a single
       Controller to
   unilaterally contact the Measurement Agent for instructions.
   However, if the site gateway and is owned only in one measurement system.

       *  An interesting scenario is where a home contains two
          independent MAs, for example one controlled by a regulator and operated
          one controlled by an ISP.  Then the service
   provider, the Active Measurement Agent will generally not be directly
   available for over Traffic
          of one MA is treated by the top providers, other MA just like any other end-
          user traffic.

   4.  It does not consider how to prevent a malicious party "gaming the regulator, end users or
   enterprises.

6.2.2.  Measurement Agent embedded behind site NAT /Firewall

   The Measurement Agent could also be embedded behind
       system".  For example, where a NAT, regulator is running a
   firewall, or both.  In this case the Controller may not be able measurement
       system in order to
   unilaterally contact benchmark operators, a malicious operator
       could try to identify the Measurement Agent unless either static port
   forwarding configuration or firewall pin holing is configured, broadband lines that the regulator was
       measuring and
   might not always be possible. prioritise that traffic.  It would require user intervention or
   pre-provisioning by the operator via a mechanisms such as TR-069.
   The Measurement Agent may originate is assumed this is a session towards the Controller
       policy issue and maintain the session for bidirectional communications.  This would alleviate the need to have user intervention be dealt with through a code of conduct
       for instance.

   5.  It does not define how to analyse Measurement Results, including
       how to interpret missing Results.

   6.  It does not specifically define a end-user-controlled measurement
       system, see sub-section 5.6.1.

5.6.1.  End-user-controlled measurement system

   The WG concentrates on the gateway,
   but would reduce cases where an ISP or a regulator runs the overall saleability
   measurement system.  However, we expect that LMAP functionality will
   also be used in the context of an end-user-controlled measurement
   system.  There are at least two ways this could happen (they have
   various pros and cons):

   1.  an end-user could somehow request the ISP- (or regulator-) run
       measurement system to test his/her line.  The ISP (or regulator)
       Controller as it would have to maintain a higher number of active sessions.  That
   said, sending keepalives then send an Instruction to prop open the firewall could serve a dual
   purpose MA in testing network reachability for the Measurement Agent.
   An alternative would be to use usual
       LMAP way.  Note that a protocol such as UPnP or PCP
   [RFC6887] to control the NAT/firewall if the gateway supports this
   kind of control.

6.2.3.  Measurement Agent in user can't directly initiate a multi-homed site

   A broadband site may be multi-homed. Measurement
       Task on an ISP- (or regulator-) controlled MA.

   2.  an end-user could deploy their own measurement system, with their
       own MA, Controller and Collector.  For example, the site may be
   connected to multiple broadband ISPs, user could
       implement all three functions onto the same end-user-owned end
       device, perhaps for redundancy or load-
   sharing, by downloading the functions from the ISP or have both wired
       regulator.  Then the LMAP Control and wireless broadband connectivity.  It
   may also be helpful to think of dual stack IPv4 and IPv6 broadband
   devices as multi-homed.  In these cases, there needs Report Protocols do not
       need to be clarity on
   which network connectivity option is being measured.  Sometimes this
   is easily resolved by the location of the used, but using LMAP's Information Model would still
       be beneficial.  The Measurement Peer (or other MA itself.  For example, if involved in the MA is built into
       Measurement Task) could be in the home gateway (and or outside the gateway only has
       home network; in the latter case the Measurement Peer is highly
       likely to be run by a single
   WAN side interface), different organisation, which raises extra
       privacy considerations.

   In both cases there is little confusion or choice.  However,
   for multi-homed gateways or devices behind the gateway(s) of multi-
   homed sites it would will be preferable to explicitly select some way for the network end-user to measure ([RFC5533]) but the network measured should be included in initiate the
   Measurement Result.  Section 3.2 Task(s).  The mechanism is out-of-scope of [I-D.ietf-homenet-arch]
   describes dual-stack and multi-homing topologies that might be
   encountered in the LMAP WG,
   but could include the user clicking a home network (which is generally button on a broadband
   connected site).  The Multiple Interfaces (mif) working group covers
   cases where hosts are either directly attached to multiple networks
   (physical or virtual) GUI or indirectly (multiple default routers, etc.).
   [RFC6419] provides the current practices of multi-interfaces hosts
   today.  As one aim is for sending a MA is to measure
   text message.  Presumably the end user's quality
   of experience, it is important user will also be able to understand see the current practices.

6.3.  Measurement Peer

   A Measurement Peer participates in Active
   Measurement Tasks. Results, perhaps summarised on a webpage.  It may
   have specific functionality to enable it is
   suggested that these interfaces conform to participate in a
   particular Measurement Method.  On the other hand, other Measurement
   Methods may require no special functionality, for example if the
   Measurement Agent sends a ping to example.com then the server at
   example.com plays the role of a Measurement Peer.

   A device may participate in some Measurement Tasks as a Measurement
   Agent and LMAP guidance on
   privacy in others as a Measurement Peer.

7.  Security Section 8.

6.  Deployment considerations

   The security Appendix has some examples of the LMAP framework should protect the interests possible deployment arrangements of
   the measurement operator(s), the network user(s)
   Measurement Agents and other actors who
   could be impacted by a compromised measurement deployment.  The Peers.

6.1.  Controller and the measurement system must secure the various components of

   The Controller should understand both the system
   from unauthorised access or corruption.

   We assume that each MA's LMAP Capabilities (for
   instance what Measurement Agent (MA) will receive its
   Instructions from a single organisation, which operates the
   Controller.  These Instructions must be authenticated (to ensure that
   they come from the trusted Controller), checked for integrity (to
   ensure no-one has tampered with them) and not vulnerable to replay
   attacks.  If a malicious party can gain control of the MA they can
   use Methods it to launch DoS attacks at targets, reduce can perform) and about the end user's
   quality of experience MA's
   other capabilities like processing power and corrupt memory.  This allows the Measurement Results that are
   reported
   Controller to the Collector.  By altering the Measurement Tasks and/or
   the address make sure that Results are reported to, they can also compromise the confidentiality Measurement Schedule of the network user Measurement
   Tasks and the Reporting Schedule are sensible for each MA environment (such
   as information about the location of devices or their traffic).

   Reporting by the MA must also be secured to maintain confidentiality.
   The results must be encrypted such that only the authorised Collector
   can decrypt the results it
   Instructs.

   An Instruction is likely to prevent the leakage of confidential or
   private information.  In addition include several Measurement Tasks.
   Typically these run at different times, but it must be authenticated that the
   results have come from is also possible for
   them to run at the expected MA and same time.  Some Tasks may be compatible, in that
   they have not been
   tampered with.  It must do not be possible to fool a MA into injecting
   falsified data into the measurement platform or affect each other's Results, whilst with others great
   care would need to corrupt the
   results of a real MA.  The results must also be held and processed
   securely after collection and analysis.

   Availability taken.

   The Controller should also be considered.  While ensure that the loss of some MAs
   may Active Measurement Tasks do not be considered critical, the unavailability of
   have an adverse effect on the Collector
   could mean end user.  Typically Tasks, especially
   those that valuable business data or data critical to generate a
   regulatory process is lost.  Similarly, the unavailability substantial amount of traffic, will include a
   Controller could mean
   pre-check that the MAs do not operate a correct
   Measurement Schedule.

   A malicious party could "game the system".  For example, where a
   regulator user isn't already sending traffic (Section 5.3).
   Another consideration is running whether Active Measurement Traffic will
   impact a Subscriber's bill or traffic cap; if it will, then the
   measurement system in order may need to benchmark
   operators, compensate the Subscriber, for
   instance.

   The different elements of the Instruction can be updated
   independently.  For example, the Measurement Tasks could be
   configured with different Input Parameters whilst keeping the same
   Measurement Schedule.  In general this should not create any issues,
   since Measurement Methods should be defined so their fundamental
   nature does not change for a new value of Input Parameter.  There
   could be a problem if, for example, a Measurement Task involving a
   1kB file upload could be changed into a 1GB file upload.

   A measurement system may have multiple Controllers (but note the
   overriding principle that a single MA is instructed by a single
   Controller at any point in time (Section 4.2)).  For example, there
   could be different Controllers for different types of MA (home
   gateways, tablets) or locations (Ipswich, Edinburgh), for load
   balancing or to cope with failure of one Controller.

   The measurement system also needs to consider carefully how to
   interpret missing Results; for example, if the missing Results are
   ignored and the lack of a Report is caused by its broadband being
   broken, then the estimate of overall performance, averaged across all
   MAs, would be too optimistic.

6.2.  Measurement Agent

   The Measurement Agent could take a number of forms: a dedicated
   probe, software on a PC, embedded into an appliance, or even embedded
   into a gateway.  A single site (home, branch office etc.) that is
   participating in a measurement could make use of one or multiple
   Measurement Agents or Measurement Peers in a single measurement.

   The Measurement Agent could be deployed in a variety of locations.
   Not all deployment locations are available to every kind of
   Measurement Agent.  There are also a variety of limitations and
   trade-offs depending on the final placement.  The next sections
   outline some of the locations a Measurement Agent may be deployed.
   This is not an exhaustive list and combinations may also apply.

6.2.1.  Measurement Agent on a networked device

   A MA may be embedded on a device that is directly connected to the
   network, such as a MA on a smartphone.

6.2.2.  Measurement Agent embedded in site gateway

   A Measurement Agent embedded with the site gateway, for example a
   home router or the edge router of a branch office in a managed
   service environment, is one of better places the Measurement Agent
   could be deployed.  All site-to-ISP traffic would traverse through
   the gateway and passive measurements could easily be performed.
   Similarly, due to this user traffic visibility, an Active Measurement
   Task could be rescheduled so as not to compete with user traffic.

   Generally NAT and firewall services are built into the gateway,
   allowing the Measurement Agent the option to offer its Controller-
   facing management interface outside of the NAT/firewall.  This
   placement of the management interface allows the Controller to
   unilaterally contact the Measurement Agent for instructions.
   However, if the site gateway is owned and operated by the service
   provider, the Measurement Agent will generally not be directly
   available for over the top providers, the regulator, end users or
   enterprises.

6.2.3.  Measurement Agent embedded behind site NAT /Firewall

   The Measurement Agent could also be embedded behind a NAT, a
   firewall, or both.  In this case the Controller may not be able to
   unilaterally contact the Measurement Agent unless either static port
   forwarding configuration or firewall pin holing is configured.  For
   the former, protocols such as PCP [RFC6887], TR-069 [TR-069]or UPnP
   [UPnP]could be used.  For the latter, the Measurement Agent could
   send keepalives towards the Controller to prop open the firewall (and
   perhaps use these also as a network reachability test).

6.2.4.  Multi-homed Measurement Agent

   If the device with the Measurement Agent is single homed then there
   is no confusion about what interface to measure.  Similarly, if the
   MA is at the gateway and the gateway only has a single WAN-side and a
   single LAN-side interface, there is little confusion - for an Active
   Measurement Task, the location of the other MA or Measurement Peer
   determines whether the WAN or LAN is measured.

   However, the device with the Measurement Agent may be multi-homed.
   For example, a home or campus may be connected to multiple broadband
   ISPs, such as a wired and wireless broadband provider, perhaps for
   redundancy or load- sharing.  It may also be helpful to think of dual
   stack IPv4 and IPv6 broadband devices as multi-homed.  More
   generally, Section 3.2 of [I-D.ietf-homenet-arch] describes dual-
   stack and multi-homing topologies that might be encountered in a home
   network, [RFC6419] provides the current practices of multi-interfaces
   hosts, and the Multiple Interfaces (mif) working group covers cases
   where hosts are either directly attached to multiple networks
   (physical or virtual) or indirectly (multiple default routers, etc.).
   In these cases, there needs to be clarity on which network
   connectivity option is being measured.

   One possibility is to have a Measurement Agent per interface.  Then
   the Controller's choice of MA determines which interface is measured.
   However, if a MA can measure any of the interfaces, then the
   Controller defines in the Instruction which interface the MA should
   use for a Measurement Task; if the choice of interface is not defined
   then the MA uses the default one.  Explicit definition is preferred
   if the measurement system wants to measure the performance of a
   particular network, whereas using the default is better if the
   measurement system wants to include the impact of the MA's interface
   selection algorithm.  In any case, the Measurement Result should
   include the network that was measured.

6.3.  Measurement Peer

   A Measurement Peer participates in Active Measurement Tasks.  It may
   have specific functionality to enable it to participate in a
   particular Measurement Method.  On the other hand, other Measurement
   Methods may require no special functionality, for example if the
   Measurement Agent sends a ping to example.com then the server at
   example.com plays the role of a Measurement Peer.

   A device may participate in some Measurement Tasks as a Measurement
   Agent and in others as a Measurement Peer.

   Measurement schedules should account for limited resources in a
   Measurement Peer when instructing a MA to execute measurements with a
   Measurement Peer.  In some measurement protocols, such as [RFC4656]
   and [RFC5357], the Measurement Peer can reject a measurement session
   or refuse a control connection prior to setting-up a measurement
   session and so protect itself from resource exhaustion.  This is a
   valuable capability because the MP may be used by more than one
   organisation.

7.  Security considerations

   The security of the LMAP framework should protect the interests of
   the measurement operator(s), the network user(s) and other actors who
   could be impacted by a compromised measurement deployment.  The
   measurement system must secure the various components of the system
   from unauthorised access or corruption.  Much of the general advice
   contained in section 6 of [RFC4656] is applicable here.

   We assume that each Measurement Agent (MA) will receive its
   Instructions from a single organisation, which operates the
   Controller.  These Instructions must be authenticated (to ensure that
   they come from the trusted Controller), checked for integrity (to
   ensure no-one has tampered with them) and not vulnerable to replay
   attacks.  If a malicious party can gain control of the MA they can
   use it to launch DoS attacks at targets, reduce the end user's
   quality of experience and corrupt the Measurement Results that are
   reported to the Collector.  By altering the Measurement Tasks and/or
   the address that Results are reported to, they can also compromise
   the confidentiality of the network user and the MA environment (such
   as information about the location of devices or their traffic).

   The process to upgrade the firmware in an MA is out-of-scope for this
   phase of LMAP development, similar to the protocol to bootstrap the
   MAs (as specified in the charter).  However, systems which provide
   remote upgrade must secure authorised access and integrity of the
   process.

   Reporting by the MA must also be secured to maintain confidentiality.
   The results must be encrypted such that only the authorised Collector
   can decrypt the results to prevent the leakage of confidential or
   private information.  In addition it must be authenticated that the
   results have come from the expected MA and that they have not been
   tampered with.  It must not be possible to fool a MA into injecting
   falsified data into the measurement platform or to corrupt the
   results of a real MA.  The results must also be held and processed
   securely after collection and analysis.  See section 8.5.2 below for
   additional considerations on stored data compromise, and section 8.6
   on potential mitigations for compromise.

   Since Collectors will be contacted repeatedly by MAs using the
   Collection Protocol to convey their recent results, a successful
   attack to exhaust the communication resources would prevent a
   critical operation: reporting.  Therefore, all LMAP Collectors should
   implement technical mechanisms to:

   o  limit the number of reporting connections from a single MA
      (simultaneous, and connections per unit time).

   o  limit the transmission rate from a single MA.

   o  limit the memory/storage consumed by a single MA's reports.

   o  efficiently reject reporting connections from unknown sources.

   o  separate resources if multiple authentication strengths are used,
      where the resources should be separated according to each class of
      strength.

   o  limit iteration counters to generate keys with both a lower and
      upper limit, to prevent an attacking system from requesting the
      maximum and causing the Controller to stall on the process (see
      section 6 of [RFC5357]).

   Many of the above considerations are applicable to Controllers using
   a "push" model, where the MA must contact the Controller because NAT
   or other network aspect prevents Controllers from contacting MAs
   directly.

   Availability should also be considered.  While the loss of some MAs
   may not be considered critical, the unavailability of the Collector
   could mean that valuable business data or data critical to a
   regulatory process is lost.  Similarly, the unavailability of a
   Controller could mean that the MAs do not operate a correct
   Measurement Schedule.

   A malicious party could "game the system".  For example, where a
   regulator is running a measurement system in order to benchmark
   operators, an operator could try to identify the broadband lines that
   the regulator was measuring and prioritise that traffic.  This
   potential issue is currently handled by a code of conduct.  It is
   outside the scope of the LMAP WG to consider the issue.

8.  Privacy Considerations for LMAP

   The LMAP Working Group will consider privacy as a core requirement
   and will ensure that by default the Control and Report Protocols
   operate in a privacy-sensitive manner and that privacy features are
   well-defined.

   This section provides a set of privacy considerations for LMAP.  This
   section benefits greatly from the timely publication of [RFC6973].
   Privacy and security (Section 7) are related.  In some jurisdictions
   privacy is called data protection.

   We begin with a set of assumptions related to protecting the
   sensitive information of individuals and organisations participating
   in LMAP-orchestrated measurement and data collection.

8.1.  Categories of Entities with Information of Interest

   LMAP protocols need to protect the sensitive information of the
   following entities, including individuals and organisations who
   participate in measurement and collection of results.

   o  Individual Internet users: Persons who utilise Internet access
      services for communications tasks, according to the terms of
      service of a service agreement.  Such persons may be a service
      Subscriber, or have been given permission by the Subscriber to use
      the service.

   o  Internet service providers: Organisations who offer Internet
      access service subscriptions, and thus have access to sensitive
      information of individuals who choose to use the service.  These
      organisations desire to protect their Subscribers and their own
      sensitive information which may be stored in the process of
      performing Measurement Tasks and collecting and Results.

   o  Regulators: Public authorities responsible for exercising
      supervision of the electronic communications sector, and which may
      have access to sensitive information of individuals who
      participate in a measurement campaign.  Similarly, regulators
      desire to protect the participants and their own sensitive
      information.

   o  Other LMAP system operators: Organisations who operate measurement
      systems or participate in measurements in some way.

   Although privacy is a protection extended to individuals, we include
   discussion of ISPs and other LMAP system operators in this section.
   These organisations have sensitive information involved in the LMAP
   system, and many of the same dangers and mitigations are applicable.
   Further, the ISPs store information on their Subscribers beyond that
   used in the LMAP system (for instance billing information), and there
   should be a benefit in considering all the needs and potential
   solutions coherently.

8.2.  Examples of Sensitive Information

   This section gives examples of sensitive information which may be
   measured or stored in a measurement system, and which is to be kept
   private by default in the LMAP core protocols.

   Examples of Subscriber or authorised Internet user sensitive
   information:

   o  Sub-IP layer addresses and names (MAC address, base station ID,
      SSID)

   o  IP address in use

   o  Personal Identification (real name)

   o  Location (street address, city)

   o  Subscribed service parameters

   o  Contents of traffic (activity, DNS queries, destinations,
      equipment types, account info for other services, etc.)

   o  Status as a study volunteer and Schedule of (Active) Measurement
      Tasks

   Examples of Internet Service Provider sensitive information:

   o  Measurement device identification (equipment ID and IP address)

   o  Measurement Instructions (choice of measurements)

   o  Measurement Results (some may be shared, others may be private)

   o  Measurement Schedule (exact times)

   o  Network topology (locations, connectivity, redundancy)

   o  Subscriber billing information, and any of the above Subscriber
      information known to the provider.

   o  Authentication credentials (such as certificates)

   Other organisations will have some combination of the lists above.
   The LMAP system would not typically expose all of the information
   above, but could expose a combination of items which could be
   correlated with other pieces collected by an attacker (as discussed
   in the section on Threats below).

8.3.  Key Distinction Between Active and Passive Measurement Tasks

   Passive and Active Measurement Tasks raise different privacy issues.

   Passive Measurement Tasks are conducted on a user's traffic, such
   that sensitive information is present and stored in the measurement
   system (however briefly this storage may be).  We note that some
   authorities make a distinction on time of storage, and information
   that is kept only temporarily to perform a communications function is
   not subject to regulation (for example, active queue management, deep
   packet inspection).  Passive Measurement Tasks could reveal all the
   websites a Subscriber visits and the applications and/or services
   they use.

   Active Measurement Tasks are conducted on traffic which is created
   specifically for the purpose.  Even if a user host generates Active
   Measurement Traffic, there is significantly limited sensitive information about the
   Subscriber present and stored in the measurement system compared to
   the passive case, as follows:

   o  IP address in use (and possibly sub-IP addresses and names)

   o  Status as a study volunteer and Schedule of Active Measurement
      Tasks

   On the other hand, for a service provider the sensitive information
   like Measurement Results is the same for Passive and Active
   Measurement Tasks.

   From the Subscriber perspective, both Active and Passive Measurement
   Tasks potentially expose the description of Internet access service
   and specific service parameters, such as subscribed rate and type of
   access.

8.4.  Privacy analysis of the Communications Models

   This section examines each of the protocol exchanges described at a
   high level in Section 5 and some example Measurement Tasks, and
   identifies specific sensitive information which must be secured
   during communication for each case.  With the protocol-related
   sensitive information identified, we have can better consider the threats
   described in the following section.

   From the privacy perspective, all entities participating in LMAP
   protocols can be considered "observers" according to the definition
   in [RFC6973].  Their stored information potentially poses a threat to
   privacy, especially if one or more of these functional entities has
   been compromised.  Likewise, all devices on the paths used for
   control, reporting, and measurement are also observers.

8.4.1.  MA Bootstrapping

   Section 5.1 provides the communication model for the Bootstrapping
   process.

   Although the specification of mechanisms for Bootstrapping the MA are
   beyond the LMAP scope, designers should recognize that the
   Bootstrapping process is extremely powerful and could cause an MA to
   join a new or different LMAP system with a different Controller and
   Collector, or simply install new Measurement Methods (for example to
   passively record DNS queries).  A Bootstrap attack could result in a
   breach of the LMAP system with significant sensitive information
   exposure depending on the capabilities of the MA, so sufficient
   security protections are warranted.

   The Bootstrapping process provides sensitive information about the
   LMAP system and the organisation that operates it, such as

   o  Initial Controller IP address or FQDN

   o  Assigned Controller IP address or FQDN

   o  Security certificates and credentials
   During the Bootstrap process, the MA receives its MA-ID which is a
   persistent pseudonym for the Subscriber in the case that the MA is
   located at a service demarcation point.  Thus, the MA-ID is
   considered sensitive information, because it could provide the link
   between Subscriber identification and Measurements Results.

   Also, the Bootstrap process could assign a Group-ID to the MA.  The
   specific definition of information represented in a Group-ID is to be
   determined, but several examples are envisaged including use as a
   pseudonym for a set of Subscribers, a class of service, an access
   technology, or other important categories.  Assignment of a Group-ID
   enables anonymisation sets to be formed on the basis of service type/
   grade/rates.  Thus, the mapping between Group-ID and MA-ID is
   considered sensitive information.

8.4.2.  Controller <-> Measurement Agent

   The high-level communication model for interactions between the LMAP
   Controller and Measurement Agent is illustrated in Section 5.2.  The
   primary purpose of this exchange is to authenticate and task a
   Measurement Agent with Measurement Instructions, which the
   Measurement Agent then acts on autonomously.

   Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged
   with a capability request, then measurement-related information of
   interest such as the parameters, schedule, metrics, parameters, schedule, metrics, and IP addresses
   of measurement devices.  Thus, the measurement Instruction contains
   sensitive information which must be secured.  For example, the fact
   that an ISP is running additional measurements beyond the set
   reported externally is sensitive information, as are the additional
   Measurements Tasks themselves.  The Measurement Schedule is also
   sensitive, because an attacker intending to bias the results without
   being detected can use this information to great advantage.

   An organisation operating the Controller having no service
   relationship with a user who hosts the Measurement Agent *could* gain
   real-name mapping to a public IP address through user participation
   in an LMAP system (this applies to the Measurement Collection
   protocol, as well).

8.4.3.  Collector <-> Measurement Agent

   The high-level communication model for interactions between the
   Measurement Agent and Collector is illustrated in Section 5.4.  The
   primary purpose of this exchange is to authenticate and collect
   Measurement Results from a MA, which the MA has measured autonomously
   and IP addresses
   of measurement devices.  Thus, stored.

   The Measurement Results are the measurement Instruction contains additional sensitive information which
   included in the Collector-MA exchange.  Organisations collecting LMAP
   measurements have the responsibility for data control.  Thus, the
   Results and other information communicated in the Collector protocol
   must be secured.  For example,

8.4.4.  Measurement Peer <-> Measurement Agent

   Although the fact
   that specification of the mechanisms for an ISP Active
   Measurement Task is running additional measurements beyond the set
   reported externally is sensitive information, as are scope of LMAP, it raises potential
   privacy issues.  The high-level communications model below
   illustrates the additional
   Measurements various exchanges to execute Active Measurement Tasks themselves.
   and store the Results.

   We note the potential for additional observers in the figures below
   by indicating the possible presence of a NAT, which has additional
   significance to the protocols and direction of initiation.

   The various messages are optional, depending on the nature of the
   Active Measurement Schedule is also
   sensitive, because an attacker intending Task.  It may involve sending Active Measurement
   Traffic from the Measurement Peer to bias MA, MA to Measurement Peer, or
   both.

    _________________                              _________________
   |                 |                            |                 |
   |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
   |_________________|                            |_________________|

                                  <-              (Key Negotiation &
                                                  Encryption Setup)
   (Encrypted Channel             ->
   Established)
   (Announce capabilities         ->
   & status)
                                  <-              (Select capabilities)
   ACK                            ->
                                  <-              (Measurement Request
                                                 (MA+MP IPAddrs,set of
                                                   Metrics, Schedule))
   ACK                            ->

   Active Measurement Traffic     <>        Active Measurement Traffic
   (may/may not be encrypted)               (may/may not be encrypted)

                                  <-            (Stop Measurement Task)

   Measurement Results            ->
   (if applicable)
                                  <-               ACK, Close

   This exchange primarily exposes the IP addresses of measurement
   devices and the results without
   being detected can use this inference of measurement participation from such
   traffic.  There may be sensitive information on key points in a
   service provider's network included.  There may also be access to great advantage.

   An organisation operating
   measurement-related information of interest such as the Controller having no service
   relationship with a user who hosts Metrics,
   Schedule, and intermediate results carried in the Active Measurement Agent *could* gain
   real-name mapping to
   Traffic (usually a public IP address through user participation
   in an LMAP system (this applies to set of timestamps).

   If the Active Measurement Collection
   protocol, Traffic is unencrypted, as well).

8.4.3.  Collector <-> found in many
   systems today, then both timing and limited results are open to on-
   path observers.

8.4.5.  Passive Measurement Agent

   Although the specification of the mechanisms for a Passive
   Measurement Task is beyond the scope of LMAP, it raises potential
   privacy issues.

   The high-level communication communications model for interactions between below illustrates the collection
   of user information of interest with the Measurement Agent performing
   the monitoring and Collector is illustrated in Section 5.4.  The
   primary purpose storage of this the Results.  This particular exchange
   is to authenticate and collect for passive measurement of DNS Response Time, which most
   frequently uses UDP transport.

    _________________                                      ____________
   |                 |                                    |            |
   |  DNS Server     |=========== NAT ? ==========*=======| User client|
   |_________________|                            ^       |____________|
                                            ______|_______
                                           |              |
                                           |  Measurement Results from |
                                           |    Agent     |
                                           |______________|

                                  <-              Name Resolution Req
                                                 (MA+MP IPAddrs,
                                                  Desired Domain Name)
   Return Record                  ->

   This exchange primarily exposes the IP addresses of measurement
   devices and the intent to communicate with or access the services of
   "Domain Name".  There may be information on key points in a MA, which service
   provider's network, such as the MA has measured autonomously
   and stored. address of one of its DNS servers.
   The Measurement Results are the additional sensitive information
   included Agent may be embedded in the Collector-MA exchange.  Organisations collecting LMAP
   measurements have the responsibility for data control.  Thus, user host, or it may be
   located in another device capable of observing user traffic.

   In principle, any of the
   Results and other user sensitive information communicated of interest
   (listed above) can be collected and stored in the Collector protocol passive monitoring
   scenario and so must be secured.

8.4.4.  Measurement Peer <->

   It would also be possible for a Measurement Agent

   Although to source the specification DNS
   query itself.  But then, as with any active measurement task, there
   are few privacy concerns.

8.4.6.  Storage and Reporting of Measurement Results

   Although the mechanisms for an Active
   Measurement Task is communicating results (beyond the initial
   Collector) are beyond the scope of LMAP, it raises LMAP scope, there are potential privacy issues.  The high-level communications model below
   illustrates the various exchanges
   issues related to execute Active Measurement Tasks a single organisation's storage and store the reporting of
   Measurement Results.

   We note the potential for additional observers in the figures below  Both storage and reporting functions can help
   to preserve privacy by indicating implementing the possible presence mitigations described below.

8.5.  Threats

   This section indicates how each of a NAT, which has additional
   significance the threats described in [RFC6973]
   apply to the protocols LMAP entities and direction their communication and storage of initiation.

   The various messages are optional, depending on the nature
   "information of interest".

8.5.1.  Surveillance

   Section 5.1.1 of [RFC6973] describes Surveillance as the
   Active Measurement Task.  It may involve sending Active Measurement
   Traffic from the Measurement Peer to MA, MA to Measurement Peer, "observation
   or
   both.

    _________________                              _________________
   |                 |                            |                 |
   |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
   |_________________|                            |_________________|

                                  <-              (Key Negotiation &
                                                  Encryption Setup)
   (Encrypted Channel             ->
   Established)
   (Announce capabilities         ->
   & status)
                                  <-              (Select capabilities)
   ACK                            ->
                                  <-              (Measurement Request
                                                 (MA+MP IPAddrs,set monitoring of
                                                   Metrics, Schedule))
   ACK                            ->

   Active and individual's communications or activities."
   Hence all Passive Measurement Traffic     <> Tasks are a form of surveillance, with
   inherent risks.

   Active Measurement Traffic
   (may/may not be encrypted)               (may/may not be encrypted)

                                  <-            (Stop Measurement Task)

   Measurement Results            ->
   (if applicable)
                                  <-               ACK, Close

   This exchange primarily exposes the IP addresses Methods which avoid periods of measurement
   devices and the inference user transmission
   indirectly produce a record of measurement participation from such
   traffic.  There may be sensitive information on key points in times when a
   service provider's subscriber or authorised
   user has used their network included.  There access service.

   Active Measurement Methods may also be access to
   measurement-related information of interest such as the Metrics,
   Schedule, utilise and intermediate results carried in store a Subscriber's
   currently assigned IP address when conducting measurements that are
   relevant to a specific Subscriber.  Since the Active Measurement
   Traffic (usually Results are
   time-stamped, they could provide a set record of IP address assignments
   over time.

   Either of timestamps).

   If the Active Measurement Traffic is unencrypted, as found above pieces of information could be useful in many
   correlation and identification, described below.

8.5.2.  Stored Data Compromise

   Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
   resulting from inadequate measures to secure stored data from
   unauthorised or inappropriate access.  For LMAP systems today, then both timing and limited results are open this includes
   deleting or modifying collected measurement records, as well as data
   theft.

   The primary LMAP entity subject to on-
   path observers.

8.4.5.  Passive Measurement Agent

   Although compromise is the specification of repository,
   which stores the mechanisms for a Passive Measurement Task is beyond the scope of LMAP, it raises potential Results; extensive security and privacy issues.
   threat mitigations are warranted.  The Collector and MA also store
   sensitive information temporarily, and need protection.  The high-level
   communications model below illustrates between the collection
   of user information local storage of interest with the Measurement Agent performing the monitoring Collector and storage of the Results.  This particular exchange
   repository is for passive measurement of DNS Response Time, which most
   frequently uses UDP transport.

    _________________                                      ____________
   |                 |                                    |            |
   |  DNS Server     |=========== NAT ? ==========*=======| User client|
   |_________________|                            ^       |____________|
                                            ______|_______
                                           |              |
                                           |  Measurement |
                                           |    Agent     |
                                           |______________|

                                  <-              Name Resolution Req
                                                 (MA+MP IPAddrs,
                                                  Desired Domain Name)
   Return Record                  ->

   This exchange primarily exposes beyond the IP addresses scope of measurement
   devices and the intent to communicate with or access the services of
   "Domain Name".  There may be information on key points in a service
   provider's network, such LMAP work at this time, though
   this communications channel will certainly need protection as well as
   the address of one of its DNS servers. mass storage itself.

   The Measurement Agent may be embedded in the user host, or it LMAP Controller may be
   located in another device capable of observing user traffic.

   In principle, any of the user sensitive information have direct access to storage of interest
   (listed above) can be collected Subscriber
   information (location, billing, service parameters, etc.) and stored in other
   information which the passive monitoring
   scenario controlling organisation considers private, and so must be secured.

   It would also be possible for a Measurement Agent to source the DNS
   query itself.  But then, as with any active measurement task,
   again needs protection.

   Note that there
   are few privacy concerns.

8.4.6.  Storage and Reporting of Measurement Results

   Although is tension between the mechanisms for communicating desire to store all raw
   results (beyond the initial
   Collector) are beyond in the LMAP scope, there are potential privacy
   issues related to a single organisation's storage Collector (for reproduceability and reporting of
   Measurement Results.  Both storage custom
   analysis), and reporting functions can help the need to preserve protect the privacy by implementing of measurement
   participants.  Many of the compromise mitigations described below.

8.5.  Threats

   This in
   section indicates how each of 8.6 below are most efficient when deployed at the threats described in MA,
   therefore minimizing the risks with stored results.

8.5.3.  Correlation and Identification

   Sections 5.2.1 and 5.2.2 of [RFC6973]
   apply describes Correlation as
   combining various pieces of information to obtain desired
   characteristics of an individual, and Identification as using this
   process to infer identity.

   The main risk is that the LMAP entities and their communication and storage system could unwittingly provide a key
   piece of
   "information the correlation chain, starting with an unknown Subscriber's
   IP address and another piece of interest".

8.5.1.  Surveillance

   Section 5.1.1 information.  For example, a
   Subscriber utilised Internet access from 2000 to 2310 UTC, because
   the Active Measurement Tasks were deferred, or sent a name resolution
   for www.example.com at 2300 UTC.

8.5.4.  Secondary Use and Disclosure

   Sections 5.2.3 and 5.2.4 of [RFC6973] describes Surveillance Secondary Use as the "observation
   or monitoring
   unauthorised utilisation of and an individual's communications information for a purpose
   the individual did not intend, and Disclosure is when such
   information is revealed causing other's notions of the individual to
   change, or activities."
   Hence all confidentiality to be violated.

   Passive Measurement Tasks are a form of surveillance, with
   inherent risks. Secondary Use, and the
   Subscribers' permission and the measured ISP's permission should be
   obtained beforehand.  Although user traffic is only indirectly
   involved, the Measurement Results from Active Measurement Methods which avoid periods Tasks
   provide some limited information about the Subscriber/ISP and could
   be used for Secondary Uses.  For example, the use of user transmission
   indirectly produce a record the Results in
   unauthorised marketing campaigns would qualify as Secondary Use.

8.6.  Mitigations

   This section examines the mitigations listed in section 6 of times when a subscriber or authorised
   user has used
   [RFC6973] and their network access service.

   Active Measurement Methods may also utilise applicability to LMAP systems.  Note that each
   section in [RFC6973] identifies the threat categories that each
   technique mitigates.

8.6.1.  Data Minimisation

   Section 6.1 of [RFC6973] encourages collecting and store storing the
   minimal information needed to perform a Subscriber's
   currently assigned IP address when conducting measurements that task.

   There are
   relevant two levels of information needed for LMAP results to be
   useful for a specific Subscriber.  Since task: troubleshooting and general results
   reporting.

   For general results, the Measurement Results are
   time-stamped, they could provide a record results can be aggregated into large
   categories (the month of March, all subscribers West of the
   Mississippi River).  In this case, all individual identifications
   (including IP address assignments
   over time.

   Either of the above pieces of information could MA) can be useful in
   correlation excluded, and identification, described below.

8.5.2.  Stored Data Compromise

   Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
   resulting from inadequate measures to secure stored data from
   unauthorised or inappropriate access.  For LMAP systems only relevant
   results are provided.  However, this includes
   deleting or modifying collected measurement records, as well as data
   theft.

   The primary LMAP entity subject implies a filtering process to compromise is
   reduce the repository,
   which stores information fields, because greater detail was needed to
   conduct the Measurement Results; extensive security and privacy
   threat mitigations are warranted.  The Collector and MA also store
   sensitive Tasks in the first place.

   For troubleshooting, so that a network operator or end user can
   identify a performance issue or failure, potentially all the network
   information temporarily, (IP addresses, equipment IDs, location), Measurement
   Schedule, service configuration, Measurement Results, and need protection.  The
   communications between other
   information may assist in the local storage of process.  This includes the Collector information
   needed to conduct the Measurements Tasks, and represents a need where
   the
   repository maximum relevant information is beyond desirable, therefore the scope greatest
   protections should be applied.

   We note that a user may give temporary permission for Passive
   Measurement Tasks to enable detailed troubleshooting, but withhold
   permission for them in general.  Here the greatest breadth of
   sensitive information is potentially exposed, and the LMAP work at this time, though
   this communications channel will certainly need maximum privacy
   protection as well as
   the mass storage itself.

   The LMAP Controller may have direct must be provided.

   For MAs with access to storage the sensitive information of users (e.g.,
   within a home or a personal host/handset), it is desirable for the
   results collection to minimise the data reported, but also to balance
   this desire with the needs of Subscriber
   information (location, billing, troubleshooting when a service parameters, etc.)
   subscription exists between the user and other organisation operating the
   measurements.

   For passive measurements where the MA reports flow information which to the controlling organisation considers private, and
   again needs protection.

8.5.3.  Correlation and Identification

   Sections 5.2.1
   Collector, the Collector may perform pre-storage minimisation and 5.2.2
   other mitigations (below) to help preserve privacy.

8.6.2.  Anonymity

   Section 6.1.1 of [RFC6973] describes Correlation as
   combining various pieces of information to obtain desired
   characteristics of an individual, and Identification as using this
   process to infer identity.

   The main risk a way in which anonymity is that the LMAP system could unwittingly provide
   achieved: "there must exist a key
   piece set of individuals that appear to have
   the correlation chain, starting with same attributes as the individual", defined as an unknown Subscriber's
   IP address and another piece "anonymity
   set".

   Experimental methods for anonymisation of information.  For example, a
   Subscriber utilised Internet access from 2000 user identifiable data
   applicable to 2310 UTC, because
   the Active Passive Measurement Tasks were deferred, or sent a name resolution
   for www.example.com at 2300 UTC.

8.5.4.  Secondary Use and Disclosure

   Sections 5.2.3 and 5.2.4 Methods have been identified in
   [RFC6235].  However, the findings of [RFC6973] describes Secondary Use as
   unauthorised utilisation several of an individual's information for a purpose the individual did not intend, and Disclosure same authors is when such
   information
   that "there is revealed causing other's notions of increasing evidence that anonymisation applied to
   network trace or flow data on its own is insufficient for many data
   protection applications as in [Bur10]."

   Essentially, the individual to
   change, or confidentiality to be violated.

   Passive Measurement Tasks are a form details of Secondary Use, and the
   Subscribers' permission and the measured ISP's permission should be
   obtained beforehand.  Although user traffic is passive measurement tasks can only indirectly
   involved, be
   accessed by closed organisations, and unknown injection attacks are
   always less expensive than the Measurement Results protections from Active Measurement Tasks
   provide them.  However, some limited information about
   forms of summary may protect the Subscriber/ISP user's sensitive information
   sufficiently well, and could so each Metric must be used for Secondary Uses.  For example, evaluated in the use light
   of the Results privacy.

   The methods in
   unauthorised marketing campaigns [RFC6235] could be applied more successfully in Active
   Measurement Methods, where there are protections from injection
   attack.  The successful attack would qualify as Secondary Use.

8.6.  Mitigations

   This section examines require breaking the mitigations listed in section 6 integrity
   protection of
   [RFC6973] and their applicability to the LMAP systems.  Note that each Reporting Protocol and injecting Measurement
   Results (known fingerprint, see section in [RFC6973] identifies the threat categories that each
   technique mitigates.

8.6.1.  Data Minimisation

   Section 6.1 3.2 of [RFC6973] encourages collecting and storing [RFC6973]) for
   inclusion with the
   minimal information needed shared and anonymised results, then fingerprinting
   those records to perform a task.

   There are two levels ascertain the anonymisation process.

   Beside anonymisation of information needed for LMAP results to be
   useful measured Results for a specific task: troubleshooting and general user or
   provider, the value of sensitive information can be further diluted
   by summarising the results
   reporting. over many individuals or areas served by
   the provider.  There is an opportunity enabled by forming anonymity
   sets [RFC6973] based on the reference path measurement points in
   [I-D.ietf-ippm-lmap-path].  For general results, example, all measurements from the results
   Subscriber device can be aggregated into large
   categories (the month of March, all subscribers West identified as "mp000", instead of using the
   Mississippi River).  In this case, all individual identifications
   (including
   IP address of or other device information.  The same anonymisation
   applies to the MA) can Internet Service Provider, where their Internet
   gateway would be excluded, and only relevant
   results referred to as "mp190".

8.6.3.  Pseudonymity

   Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
   are provided.  However, this implies a filtering process possible mitigation to
   reduce the information fields, because greater detail was needed revealing one's true identity, since
   there is no requirement to
   conduct the Measurement Tasks use real names in the first place.

   For troubleshooting, so that a network operator or end user can
   identify a performance issue or failure, potentially almost all the network
   information (IP addresses, equipment IDs, location), Measurement
   Schedule, service configuration, Measurement Results, and other
   information may assist in the process.  This includes the information
   needed to conduct the Measurements Tasks, and represents protocols.

   A pseudonym for a need where
   the maximum relevant information is desirable, therefore the greatest
   protections should measurement device's IP address could be an LMAP-
   unique equipment ID.  However, this would likely be applied.

   We note that a user may give temporary permission permanent
   handle for Passive
   Measurement Tasks the device, and long-term use weakens a pseudonym's power
   to enable detailed troubleshooting, but withhold
   permission obscure identity.

8.6.4.  Other Mitigations

   Data can be de-personalised by blurring it, for them in general.  Here example by adding
   synthetic data, data-swapping, or perturbing the greatest breadth values in ways that
   can be reversed or corrected.

   Sections 6.2 and 6.3 of
   sensitive information is potentially exposed, [RFC6973] describe User Participation and
   Security, respectively.

   Where LMAP measurements involve devices on the maximum privacy
   protection must be provided.

   For MAs with access to the sensitive information of users (e.g.,
   within a home Subscriber's premises
   or a personal host/handset), Subscriber-owned equipment, it is desirable for the
   results collection essential to minimise secure the data reported, but also to balance
   this desire
   Subscriber's permission with regard to the needs specific information that
   will be collected.  The informed consent of troubleshooting when a service
   subscription exists between the user and organisation operating Subscriber (and, if
   different, the
   measurements.

   For passive measurements where end user) is needed, including the MA reports flow information to specific purpose of
   the
   Collector, measurements.  The approval process could involve showing the Collector may perform pre-storage minimisation
   Subscriber their measured information and
   other mitigations (below) to help preserve privacy.

8.6.2.  Anonymity

   Section 6.1.1 results before instituting
   periodic collection, or before all instances of [RFC6973] describes a way collection, with the
   option to cancel collection temporarily or permanently.

   It should also be clear who is legally responsible for data
   protection (privacy); in which anonymity some jurisdictions this role is
   achieved: "there must exist a set called the
   'data controller'.  It is good practice to time limit the storage of individuals that appear
   personal information.

   Although the details of verification would be impenetrable to have most
   subscribers, the MA could be architected as an "app" with open
   source-code, pre-download and embedded terms of use and agreement on
   measurements, and protection from code modifications usually provided
   by the same attributes as app-stores.  Further, the individual", defined as an "anonymity
   set".

   Experimental methods for anonymisation of user identifiable app itself could provide data
   applicable
   reduction and temporary storage mitigations as appropriate and
   certified through code review.

   LMAP protocols, devices, and the information they store clearly need
   to Passive Measurement Methods have been identified in
   [RFC6235].  However, be secure from unauthorised access.  This is the findings of several of hand-off between
   privacy and security considerations (Section 7).  The Data Controller
   has the same authors is
   that "there is increasing evidence that anonymisation applied (legal) responsibility to
   network trace or flow data on its own is insufficient for many maintain data
   protection applications as protections described
   in [Bur10]."

   Essentially, the details of passive measurement tasks can only be
   accessed by closed organisations, Subscriber's agreement and unknown injection attacks agreements with other
   organisations.

9.  IANA Considerations

   There are
   always less expensive than the protections from them.  However, no IANA considerations in this memo.

10.  Appendix: Deployment examples

   In this section we describe some
   forms deployment scenarios that are
   feasible within the LMAP framework defined in this document.

   The LMAP framework defines two types of summary may protect components involved in the user's sensitive information
   sufficiently well,
   actual measurement task, namely the Measurement Agent (MA) and so each Metric must be evaluated in the light
   of privacy.
   Measurement Peer (MP).  The methods in [RFC6235] could be applied more successfully fundamental difference conveyed in Active
   Measurement Methods, where there are protections from injection
   attack. the
   definition of these terms is that the MA has a interface with the
   Controller/Collector while the MP does not.  The successful attack would require breaking MP is broadly
   defined as a function that assists the integrity
   protection of MA in the LMAP Reporting Protocol and injecting Measurement
   Results (known fingerprint, see section 3.2 of [RFC6973]) for
   inclusion Task but
   has no interface with the shared and anonymised results, then fingerprinting
   those records to ascertain Controller/Collector.  There are many
   elements in the anonymisation process.

   Beside anonymisation network that can fall into this broad definition of measured Results for a specific user or
   provider,
   MP.  We believe that the value MP terminology is useful to allow us to
   refer an element of sensitive information can be further diluted
   by summarising the results over many individuals or areas served by the provider.  There network that plays a role that is an opportunity enabled by forming anonymity
   sets [RFC6973] based on
   conceptually important to understand and describe the reference path measurement points
   task being performed.  We next illustrate these concepts by
   describing several deployment scenarios.

   A very simple example of a Measurement Peer is a web server that the
   MA is downloading a web page from (such as www.example.com) in
   [I-D.ietf-ippm-lmap-path].  For example, all measurements order
   to perform a speed test.  The web server is an MP and from its
   perspective, the
   Subscriber device can be identified as "mp000", instead of using MA is just another customer; the
   IP address or other device information.  The same anonymisation
   applies to MP doesn't have a
   specific function for assisting measurements.  This is described in
   the Internet Service Provider, where their Internet
   gateway figure A1.

                                                            ^
      +----------------+  Web Traffic +----------------+  IPPM
      |   Web Client   |<------------>| MP: Web Server |  Scope
      |                |              +----------------+    |
   ...|................|....................................V...
      | LMAP interface |                                    ^
      +----------------+                                    |
               ^     |                                      |
   Instruction |     |  Report                              |
               |     +-----------------+                    |
               |                       |                    |
               |                       v                   LMAP
          +------------+             +------------+        Scope
          | Controller |             |  Collector |         |
          +------------+             +------------+         V

   Figure A1: Schematic of LMAP-based measurement system,
   with Web server as Measurement Peer

   Another case that is slightly different than this would be referred to as "mp190".

8.6.3.  Pseudonymity

   Section 6.1.2 the one of [RFC6973] indicates that pseudonyms, or nicknames,
   are
   a possible mitigation to revealing one's true identity, since
   there ping responder.  This is no requirement also an MP, with a helper function, the
   ping server, which is specially deployed to use real names assist the MAs that
   perform pings.  It only has the data plane interface.  This example
   is described in almost all protocols. Section 2.

   A pseudonym for a measurement device's IP address could be an LMAP-
   unique equipment ID.  However, this third related example would likely be a permanent
   handle for the device, and long-term use weakens case of a pseudonym's power
   to obscure identity.

8.6.4.  Other Mitigations

   Data can be de-personalised by blurring it, traceroute like
   measurement.  In this case, for example by adding
   synthetic data, data-swapping, or perturbing each packet sent, the values in ways that
   can be reversed or corrected.

   Sections 6.2 router where
   the TTL expires is performing the MP function.  So for a given
   Measurement Task, there is one MA involved and 6.3 several MPs, one per
   hop.

   In figure A2 we depict the case of [RFC6973] describe User Participation an OWAMP responder acting as an
   MP.  In this case, the helper function in addition reports results
   back to the MA.  So it has both a data plane and
   Security, respectively.

   Where LMAP measurements involve devices on control interface
   with the Subscriber's premises
   or Subscriber-owned equipment, MA.

      +----------------+    OWAMP     +----------------+    ^
      | OWAMP          |<--control--->| MP:            |    |
      | control-client |>test-traffic>| OWAMP server & |   IPPM
      | fetch-client & |<----fetch----| session-rec'ver|  Scope
      | session-sender |              |                |    |
      |                |              +----------------+    |
   ...|................|....................................v...
      | LMAP interface |                                    ^
      +----------------+                                    |
               ^     |                                      |
   Instruction |     |  Report                              |
               |     +-----------------+                    |
               |                       |                    |
               |                       v                  LMAP
          +------------+             +------------+       Scope
          | Controller |             |  Collector |         |
          +------------+             +------------+         v
                                                          IPPM

   Figure A2: Schematic of LMAP-based measurement system,
   with OWAMP server as Measurement Peer

   However, it is essential to secure the
   Subscriber's permission with regard also possible to use two Measurement Agents when
   performing one way Measurement Tasks, as described in figure A3
   below.  In this case, MA1 generates the specific information that
   will be collected.  The informed consent of traffic and MA2 receives the Subscriber (and, if
   different,
   traffic and send the end user) is needed, including reports to the specific purpose of Collector.  Note that both MAs
   are instructed by the measurements.  The approval process could involve showing Controller.  MA1 receives an Instruction to
   send the
   Subscriber their traffic and MA2 receives an Instruction to measured information the
   received traffic and results before instituting
   periodic collection, or before all instances send Reports to the Collector.

      +----------------+              +----------------+    ^
      |  MA1           |              |  MA2           |  IPPM
      | iperf -u sender|-UDP traffic->| iperf -u recvr |  Scope
      |                |              |                |    v
   ...|................|..............|................|....v...
      | LMAP interface |              | LMAP interface |    ^
      +----------------+              +----------------+    |
               ^                        ^   |               |
   Instruction |    Instruction{Report} |   | Report        |
   {task,      |    +-------------------+   |               |
    schedule}  |    |                       |               |
               |    |                       v              LMAP
          +------------+             +------------+       Scope
          | Controller |             |  Collector |         |
          +------------+             +------------+         v
                                                          IPPM

   Figure A3: Schematic of collection, LMAP-based measurement system,
   with the
   option two Measurement Agents cooperating to cancel collection temporarily or permanently.

   It should also be clear who measure UDP traffic

   Next, we consider Passive Measurement Tasks.  Traffic generated in
   one point in the network flowing towards a given destination and the
   traffic is legally responsible for data
   protection (privacy); passively observed in some jurisdictions this role is called point along the
   'data controller'.  It is good practice path.  One way
   to time limit implement this is that the storage of
   personal information.

   Although endpoints generating and receiving the details of verification would be impenetrable to most
   subscribers,
   traffic are not instructed by the Controller; hence they are MPs.
   The MA could be architected as an "app" is located along the path with open
   source-code, pre-download and embedded terms of use and agreement on
   measurements, and protection from code modifications usually provided
   by a passive monitor function that
   measures the app-stores.  Further, traffic.  The MA is instructed by the app itself could provide data
   reduction and temporary storage mitigations as appropriate and
   certified through code review.

   LMAP protocols, devices, Controller to
   monitor that particular traffic and to send the information they store clearly need Report to be secure from unauthorised access.  This is the hand-off between
   privacy and security considerations (Section 7).  The Data
   Collector.  It is depicted in figure A4 below.

   +-----+   +----------------+              +------+   ^
   | MP  |   | Passive Monitor|              | MP   | IPPM
   |     |<--|----------------|---traffic--->|      | Scope
   +-----+   |                |              +------+   |
      .......|................|.........................v...........
             | LMAP interface |                                ^
             +----------------+                                |
                        ^     |                                |
            Instruction |     |  Report                        |
                        |     +-----------------+              |
                        |                       |              |
                        |                       v             LMAP
                  +------------+             +------------+   Scope
                  | Controller
   has |             |  Collector |    |
                  +------------+             +------------+    v

   Figure A4: Schematic of LMAP-based measurement system,
   with a Measurement Agent passively monitoring traffic

   Finally, we should consider the (legal) responsibility to maintain data protections described case of a router or a switch along
   the measurement path.  This certainly performs an important role in
   the Subscriber's agreement and agreements with other
   organisations.

9.  IANA Considerations

   There measurement - if packets are no IANA considerations in this memo.

10. not forwarded, the measurement task
   will not work.  Whilst it doesn't has an interface with the
   Controller or Collector, and so fits into the definition of MP,
   usually it is not particularly useful to highlight it as a MP.

11.  Acknowledgments

   This document is a merger of three individual drafts: draft-eardley-
   lmap-terminology-02, draft-akhter-lmap-framework-00, and draft-
   eardley-lmap-framework-02.

   Thanks to Juergen Schoenwaelder for his detailed review of the
   terminology.  Thanks to Charles Cook for a very detailed review of
   -02.

   Thanks to numerous people for much discussion, directly and on the
   LMAP list (apologies to those unintentionally omitted): Alan Clark,
   Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
   Trammell, Charles Cook, Dave Thorne, Frode Soerensen, Greg Mirsky,
   Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit,
   Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Michael
   Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller,
   Ted Lemon, Timothy Carey, Vaibhav Bajpai, William Lupton.

   Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
   the Leone research project, which receives funding from the European
   Union Seventh Framework Programme [FP7/2007-2013] under grant
   agreement number 317647.

11.

12.  History

   First WG version, copy of draft-folks-lmap-framework-00.

11.1.

12.1.  From -00 to -01

   o  new sub-section of possible use of Group-IDs for privacy

   o  tweak to definition of Control protocol

   o  fix typo in figure in S5.4

11.2.

12.2.  From -01 to -02

   o  change to INFORMATIONAL track (previous version had typo'd
      Standards track)

   o  new definitions for Capabilities Information and Failure
      Information

   o  clarify that diagrams show LMAP-level information flows.
      Underlying protocol could do other interactions, eg to get through
      NAT or for Collector to pull a Report

   o  add hint that after a re-boot should pause random time before re-
      register (to avoid mass calling event)

   o  delete the open issue "what happens if a Controller fails" (normal
      methods can handle)

   o  add some extra words about multiple Tasks in one Schedule

   o  clarify that new Schedule replaces (rather than adds to) and old
      one.  Similarly for new configuration of Measurement Tasks or
      Report Channels.

   o  clarify suppression is temporary stop; send a new Schedule to
      permanently stop Tasks

   o  alter suppression so it is ACKed

   o  add un-suppress message
   o  expand the text on error reporting, to mention Reporting failures
      (as well as failures to action or execute Measurement Task &
      Schedule)

   o  add some text about how to have Tasks running indefinitely

   o  add that optionally a Report is not sent when there are no
      Measurement Results

   o  add that a Measurement Task may create more than one Measurement
      Result

   o  clarify /amend /expand that Reports include the "raw" Measurement
      Results - any pre-processing is left for lmap2.0

   o  add some cautionary words about what if the Collector unexpectedly
      doesn't hear from a MA

   o  add some extra words about the potential impact of Measurement
      Tasks

   o  clarified various aspects of the privacy section

   o  updated references

   o  minor tweaks

11.3.

12.3.  From -02 to -03

   o  alignment with the Information Model
      [I-D.burbridge-lmap-information-model] as this is agreed as a WG
      document

   o  One-off and periodic Measurement Schedules are kept separate, so
      that they can be updated independently

   o  Measurement Suppression in a separate sub-section.  Can now
      optionally include particular Measurement Tasks &/or Schedules to
      suppress, and start/stop time

   o  for clarity, concept of Channel split into Control, Report and MA-
      to-Controller Channels

   o  numerous editorial changes, mainly arising from a very detailed
      review by Charles Cook

   o

12.

12.4.  From -03 to -04

   o  updates following the WG Last Call, with the proposed consensus on
      the various issues as detailed in http://tools.ietf.org/agenda/89/
      slides/slides-89-lmap-2.pdf.  In particular:

   o  tweaked definitions, especially of Measurement Agent and
      Measurement Peer

   o  Instruction - left to each implementation & deployment of LMAP to
      decide on the granularity at which an Instruction Message works

   o  words added about overlapping Measurement Tasks (measurement
      system can handle any way they choose; Report should mention if
      the Task overlapped with another)

   o  Suppression: no defined impact on Passive Measurement Task; extra
      option to suppress on-going Active Measurement Tasks; suppression
      doesn't go to Measurement Peer, since they don't understand
      Instructions

   o  new concept of Data Transfer Task (and therefore adjustment of the
      Channel concept)

   o  enhancement of Results with Subscriber's service parameters -
      could be useful, don't define how but can be included in Report to
      various other sections

   o  various other smaller improvements, arising from the WGLC

   o  Appendix added with examples of Measurement Agents and Peers in
      various deployment scenarios.  To help clarify what these terms
      mean.

   o

13.  Informative References

   [Bur10]    Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
              "The Role of Network Trace anonymisation Under Attack",
              January 2010.

   [Q1741]    Q.1741.7, , "IMT-2000 references to Release 9 of GSM-
              evolved UMTS core network",
              http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011.

   [TR-069]   TR-069, , "CPE WAN Management Protocol",
              http://www.broadband-forum.org/technical/trlist.php,
              November 2013.

   [UPnP]     ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP
              Device Control Protocols specifications",
              http://upnp.org/sdcps-and-certification/standards/, 2011.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC4101]  Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
              June 2005.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122, July
              2005.

   [RFC5357]  Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
              Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
              RFC 5357, October 2008.

   [I-D.ietf-lmap-use-cases]
              Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
              "Large-Scale Broadband Measurement Use Cases", draft-ietf-
              lmap-use-cases-01
              lmap-use-cases-02 (work in progress), December 2013.

   [I-D.bagnulo-ippm-new-registry-independent] January 2014.

   [I-D.manyfolks-ippm-metric-registry]
              Bagnulo, M., Burbridge, T., Crawford, S., Claise, B., Eardley, P., and A. Morton, "A registry
              "Registry for commonly used metrics.
              Independent registries", draft-bagnulo-ippm-new-registry-
              independent-01 Performance Metrics", draft-manyfolks-ippm-
              metric-registry-00 (work in progress), July 2013. February 2014.

   [I-D.ietf-homenet-arch]
              Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil,
              "IPv6 Home Networking Architecture Principles", draft-
              ietf-homenet-arch-11
              ietf-homenet-arch-13 (work in progress), October 2013. March 2014.

   [RFC6419]  Wasserman, M. and P. Seite, "Current Practices for
              Multiple-Interface Hosts", RFC 6419, November 2011.

   [RFC6887]  Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
              Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
              2013.

   [RFC5533]  Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
              Shim Protocol for IPv6", RFC 5533, June 2009.

   [I-D.burbridge-lmap-information-model]
              Burbridge, T., Eardley, P., Bagnulo, M., and J.
              Schoenwaelder, "Information Model for Large-Scale
              Measurement Platforms (LMAP)", draft-burbridge-lmap-
              information-model-01 (work in progress), October 2013.

   [RFC6235]  Boschi, E. and B. Trammell, "IP Flow Anonymization
              Support", RFC 6235, May 2011.

   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973, July
              2013.

   [I-D.ietf-ippm-lmap-path]
              Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
              A. Morton, "A Reference Path and Measurement Points for
              LMAP", draft-ietf-ippm-lmap-path-01 draft-ietf-ippm-lmap-path-02 (work in progress),
              February 2014.

   [RFC4656]  Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
              Zekauskas, "A One-way Active Measurement Protocol
              (OWAMP)", RFC 4656, September 2013. 2006.

   [RFC5357]  Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
              Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
              RFC 5357, October 2008.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444, January
              2003.

Authors' Addresses

   Philip Eardley
   British Telecom
   BT
   Adastral Park, Martlesham Heath
   Ipswich
   ENGLAND

   Email: philip.eardley@bt.com
   Al Morton
   AT&T Labs
   200 Laurel Avenue South
   Middletown, NJ
   USA

   Email: acmorton@att.com

   Marcelo Bagnulo
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid  28911
   SPAIN

   Phone: 34 91 6249500
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es

   Trevor Burbridge
   British Telecom
   BT
   Adastral Park, Martlesham Heath
   Ipswich
   ENGLAND

   Email: trevor.burbridge@bt.com

   Paul Aitken
   Cisco Systems, Inc.
   96 Commercial Street
   Edinburgh, Scotland  EH6 6LX
   UK

   Email: paitken@cisco.com

   Aamer Akhter
   Cisco Systems, Inc.
   7025 Kit Creek Road
   RTP, NC  27709
   USA

   Email: aakhter@cisco.com