draft-ietf-lmap-framework-12.txt   draft-ietf-lmap-framework-13.txt 
Network Working Group P. Eardley Network Working Group P. Eardley
Internet-Draft BT Internet-Draft BT
Intended status: Informational A. Morton Intended status: Informational A. Morton
Expires: September 13, 2015 AT&T Labs Expires: October 18, 2015 AT&T Labs
M. Bagnulo M. Bagnulo
UC3M UC3M
T. Burbridge T. Burbridge
BT BT
P. Aitken P. Aitken
Brocade Brocade
A. Akhter A. Akhter
Consultant Consultant
March 12, 2015 April 16, 2015
A framework for Large-Scale Measurement of Broadband Performance (LMAP) A framework for Large-Scale Measurement of Broadband Performance (LMAP)
draft-ietf-lmap-framework-12 draft-ietf-lmap-framework-13
Abstract Abstract
Measuring broadband service on a large scale requires a description Measuring broadband service on a large scale requires a description
of the logical architecture and standardisation of the key protocols of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document that coordinate interactions between the components. The document
presents an overall framework for large-scale measurements. It also presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (Large-Scale Measurement of Broadband defines terminology for LMAP (Large-Scale Measurement of Broadband
Performance). Performance).
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 13, 2015. This Internet-Draft will expire on October 18, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 36 skipping to change at page 2, line 36
4.1. The measurement system is under the direction of a single 4.1. The measurement system is under the direction of a single
organisation . . . . . . . . . . . . . . . . . . . . . . 13 organisation . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Each MA may only have a single Controller at any point in 4.2. Each MA may only have a single Controller at any point in
time . . . . . . . . . . . . . . . . . . . . . . . . . . 13 time . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13 5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 14 5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 14
5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15
5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15
5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16
5.2.3. Capabilities, Failure and Logging Information . . . . 20 5.2.3. Capabilities, Failure and Logging Information . . . . 20
5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 21 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 22
5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22
5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 23 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 23
5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 23 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 24
5.4.1. Reporting of Subscriber's service parameters . . . . 25 5.4.1. Reporting of Subscriber's service parameters . . . . 25
5.5. Operation of LMAP over the underlying packet transfer 5.5. Operation of LMAP over the underlying packet transfer
mechanism . . . . . . . . . . . . . . . . . . . . . . . . 25 mechanism . . . . . . . . . . . . . . . . . . . . . . . . 26
5.6. Items beyond the scope of the initial LMAP work . . . . . 26 5.6. Items beyond the scope of the initial LMAP work . . . . . 27
5.6.1. End-user-controlled measurement system . . . . . . . 28 5.6.1. End-user-controlled measurement system . . . . . . . 28
6. Deployment considerations . . . . . . . . . . . . . . . . . . 28 6. Deployment considerations . . . . . . . . . . . . . . . . . . 28
6.1. Controller and the measurement system . . . . . . . . . . 28 6.1. Controller and the measurement system . . . . . . . . . . 28
6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 29 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 29
6.2.1. Measurement Agent on a networked device . . . . . . . 30 6.2.1. Measurement Agent on a networked device . . . . . . . 30
6.2.2. Measurement Agent embedded in site gateway . . . . . 30 6.2.2. Measurement Agent embedded in site gateway . . . . . 30
6.2.3. Measurement Agent embedded behind site NAT /firewall 30 6.2.3. Measurement Agent embedded behind site NAT /firewall 30
6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 30 6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 31
6.2.5. Measurement Agent embedded in ISP network . . . . . . 31 6.2.5. Measurement Agent embedded in ISP network . . . . . . 31
6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 31 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 32
6.4. Deployment examples . . . . . . . . . . . . . . . . . . . 32 6.4. Deployment examples . . . . . . . . . . . . . . . . . . . 32
7. Security considerations . . . . . . . . . . . . . . . . . . . 35 7. Security considerations . . . . . . . . . . . . . . . . . . . 35
8. Privacy considerations . . . . . . . . . . . . . . . . . . . 37 8. Privacy considerations . . . . . . . . . . . . . . . . . . . 37
8.1. Categories of entities with information of interest . . . 37 8.1. Categories of entities with information of interest . . . 38
8.2. Examples of sensitive information . . . . . . . . . . . . 38 8.2. Examples of sensitive information . . . . . . . . . . . . 38
8.3. Different privacy issues raised by different sorts of 8.3. Different privacy issues raised by different sorts of
Measurement Methods . . . . . . . . . . . . . . . . . . . 39 Measurement Methods . . . . . . . . . . . . . . . . . . . 39
8.4. Privacy analysis of the communication models . . . . . . 40 8.4. Privacy analysis of the communication models . . . . . . 40
8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 40 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 40
8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 41 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 41
8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 42 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 42
8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 42 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 42
8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 44 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 44
8.4.6. Storage and reporting of Measurement Results . . . . 45 8.4.6. Storage and reporting of Measurement Results . . . . 45
skipping to change at page 3, line 32 skipping to change at page 3, line 32
8.5.2. Stored data compromise . . . . . . . . . . . . . . . 45 8.5.2. Stored data compromise . . . . . . . . . . . . . . . 45
8.5.3. Correlation and identification . . . . . . . . . . . 46 8.5.3. Correlation and identification . . . . . . . . . . . 46
8.5.4. Secondary use and disclosure . . . . . . . . . . . . 46 8.5.4. Secondary use and disclosure . . . . . . . . . . . . 46
8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 47 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 47
8.6.1. Data minimisation . . . . . . . . . . . . . . . . . . 47 8.6.1. Data minimisation . . . . . . . . . . . . . . . . . . 47
8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 48 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 48
8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 49 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 49
8.6.4. Other mitigations . . . . . . . . . . . . . . . . . . 49 8.6.4. Other mitigations . . . . . . . . . . . . . . . . . . 49
9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 50 9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 50
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50
11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 50 11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 51
11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 51 11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 51
11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 52 11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 52
11.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 52 11.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 52
11.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 53 11.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 53
11.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 54 11.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 54
11.7. From -06 to -07 . . . . . . . . . . . . . . . . . . . . 54 11.7. From -06 to -07 . . . . . . . . . . . . . . . . . . . . 54
11.8. From -07 to -08 . . . . . . . . . . . . . . . . . . . . 54 11.8. From -07 to -08 . . . . . . . . . . . . . . . . . . . . 54
11.9. From -08 to -09 . . . . . . . . . . . . . . . . . . . . 54 11.9. From -08 to -09 . . . . . . . . . . . . . . . . . . . . 55
11.10. From -09 to -10 . . . . . . . . . . . . . . . . . . . . 54 11.10. From -09 to -10 . . . . . . . . . . . . . . . . . . . . 55
11.11. From -10 to -11 . . . . . . . . . . . . . . . . . . . . 55 11.11. From -10 to -11 . . . . . . . . . . . . . . . . . . . . 55
11.12. From -11 to -12 . . . . . . . . . . . . . . . . . . . . 55 11.12. From -11 to -12 . . . . . . . . . . . . . . . . . . . . 55
12. Informative References . . . . . . . . . . . . . . . . . . . 55 12. Informative References . . . . . . . . . . . . . . . . . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction 1. Introduction
There is a desire to be able to coordinate the execution of broadband There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large measurements and the collection of measurement results across a large
scale set of Measurement Agents (MAs). These MAs could be software scale set of Measurement Agents (MAs). These MAs could be software
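Review bot: The History entries in the table of contents of -13 still end at "11.12. From -11 to -12", so the changes made in this revision are not recorded in the document itself. Add an "11.13. From -12 to -13" subsection summarising them (the relabelled figures, the reworded registry text, the notes added in Section 8.4), so that readers do not need this comparison to find out what changed.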
skipping to change at page 5, line 29 skipping to change at page 5, line 29
[RFC7398]. It is expected that a Measurement System could easily [RFC7398]. It is expected that a Measurement System could easily
encompass a few hundred thousand or even millions of Measurement encompass a few hundred thousand or even millions of Measurement
Agents. Existing systems have up to a few thousand MAs (without Agents. Existing systems have up to a few thousand MAs (without
judging how much further they could scale). judging how much further they could scale).
o Diversity - a Measurement System should handle Measurement Agents o Diversity - a Measurement System should handle Measurement Agents
from different vendors, that are in wired and wireless networks, from different vendors, that are in wired and wireless networks,
can execute different sorts of Measurement Task, are on devices can execute different sorts of Measurement Task, are on devices
with IPv4 or IPv6 addresses, and so on. with IPv4 or IPv6 addresses, and so on.
o Privacy Respecting - the protocols and procedures should respect
the sensitive information of all those involved in measurements.
2. Outline of an LMAP-based measurement system 2. Outline of an LMAP-based measurement system
In this section we provide an overview of the whole Measurement In this section we provide an overview of the whole Measurement
System. New LMAP-specific terms are capitalised; Section 3 provides System. New LMAP-specific terms are capitalised; Section 3 provides
a terminology section with a compilation of all the LMAP terms and a terminology section with a compilation of all the LMAP terms and
their definition. Section 4 onwards considers the LMAP components in their definition. Section 4 onwards considers the LMAP components in
more detail. more detail.
Other LMAP specifications will define an information model, the Other LMAP specifications will define an information model, the
associated data models, and select/extend one or more protocols for associated data models, and select/extend one or more protocols for
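Review bot: The "Privacy Respecting" bullet, which appears in only one column at the end of the requirements list, asks the protocols and procedures to "respect the sensitive information" without saying what counts as sensitive or where that is worked out. A pointer to Section 8 (8.2 gives examples of sensitive information, 8.6 the mitigations) would turn the bullet into something an implementer can check against.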
skipping to change at page 9, line 6 skipping to change at page 9, line 6
The data analysis tools receive the results from the Collector or via The data analysis tools receive the results from the Collector or via
the Results repository. They might visualise the data or identify the Results repository. They might visualise the data or identify
which component or link is likely to be the cause of a fault or which component or link is likely to be the cause of a fault or
degradation. This information could help the Controller decide what degradation. This information could help the Controller decide what
follow-up Measurement Task to perform in order to diagnose a fault. follow-up Measurement Task to perform in order to diagnose a fault.
The data analysis tools also need to understand the Subscriber's The data analysis tools also need to understand the Subscriber's
service information, for example the broadband contract. service information, for example the broadband contract.
+-----------+ +-----------+ ^ +-----------+ +-----------+ ^
|End user or| |End user or| | | | | | |
|Measurement| |Measurement| | | End user | | End user | |
| Peer | | Peer | Non-LMAP | | | | Non-LMAP
+-----------+ +-----------+ Scope +-----------+ +-----------+ Scope
^ Observed ^ ^ | ^ Observed ^ ^ |
\ traffic flow +-------------+ / / | \ traffic flow +-------------+ / / |
\...............|.............|..../ / Measurement | \...............|.............|..../ / Measurement |
| Measurement |......../ traffic v | Measurement |......../ traffic v
| Agent | ^ | Agent | ^
+----------------->| | | +----------------->| | |
| +-------------+ | | +-------------+ |
| ^ | | | ^ | |
| Instruction | | Report | | Instruction | | Report |
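Review bot: With "or Measurement Peer" dropped from the two top boxes, the "Measurement traffic" arrow on the right of the figure now ends at a box labelled only "End user". Either keep an MP label on the box that terminates Measurement traffic, or add a sentence near the figure saying where the Measurement Peer sits, since the surrounding text still relies on that term.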
skipping to change at page 17, line 4 skipping to change at page 17, line 4
<- Response(details) <- Response(details)
The Instruction defines information with the following aims The Instruction defines information with the following aims
([I-D.ietf-lmap-information-model] defines the consequent list of ([I-D.ietf-lmap-information-model] defines the consequent list of
information elements): information elements):
o the Measurement Task configurations, each of which needs: o the Measurement Task configurations, each of which needs:
* the Metric, specified as a URI to a registry entry; it includes * the Metric, specified as a URI to a registry entry; it includes
the specification of a Measurement Method. The registry could the specification of a Measurement Method. The registry could
be defined by the IETF [I-D.ietf-ippm-metric-registry], locally be defined by a standards organisation or locally by the
by the operator of the Measurement System or perhaps by another operator of the Measurement System. Note that, at the time of
standards organisation. writing, the IETF works on such a registry specification
[I-D.ietf-ippm-metric-registry].
* the Measurement Method role. For some Measurement Methods, * the Measurement Method role. For some Measurement Methods,
different parties play different roles; for example (see different parties play different roles; for example (see
Section 6.4) an iperf sender and receiver. Each Metric and its Section 6.4) an iperf sender and receiver. Each Metric and its
associated Measurement Method will describe all measurement associated Measurement Method will describe all measurement
roles involved in the process. roles involved in the process.
* a boolean flag (suppress or do-not-suppress) indicating if such * a boolean flag (suppress or do-not-suppress) indicating if such
a Measurement Task is impacted by a Suppression message (see a Measurement Task is impacted by a Suppression message (see
Section 5.2.2.1). Thus, the flag is an Input Parameter. Section 5.2.2.1). Thus, the flag is an Input Parameter.
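Review bot: In the Metric bullet, "the IETF works on such a registry specification" should read "the IETF is working on such a registry specification". "At the time of writing" will also date as soon as the document is published; consider "Work on such a registry is in progress in the IETF [I-D.ietf-ippm-metric-registry]". The rewrite otherwise keeps the same three options (IETF, another standards organisation, the local operator), so no meaning is lost.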
skipping to change at page 32, line 32 skipping to change at page 33, line 5
In this section we describe some deployment scenarios that are In this section we describe some deployment scenarios that are
feasible within the LMAP framework defined in this document. feasible within the LMAP framework defined in this document.
A very simple example of a Measurement Peer (MP) is a web server that A very simple example of a Measurement Peer (MP) is a web server that
the MA is downloading a web page from (such as www.example.com) in the MA is downloading a web page from (such as www.example.com) in
order to perform a speed test. The web server is a MP and from its order to perform a speed test. The web server is a MP and from its
perspective, the MA is just another client; the MP doesn't have a perspective, the MA is just another client; the MP doesn't have a
specific function for assisting measurements. This is described in specific function for assisting measurements. This is described in
the figure below. the figure below.
^ ^
+----------------+ Web Traffic +----------------+ non-LMAP +------------------+ Web Traffic +----------------+ non-LMAP
|MA: Web Client |<------------>| MP: Web Server | Scope | Web Client |<------------>| Web Server | Scope
| | +----------------+ | | | +----------------+ |
...|................|....................................V... ...|..................|....................................V...
| LMAP interface | ^ |MA:LMAP interface | <MP:> ^
+----------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ V +------------+ +------------+ V
Schematic of LMAP-based Measurement System, Schematic of LMAP-based Measurement System,
with Web server as Measurement Peer with Web server as Measurement Peer
Another case that is slightly different than this would be the one of Another case that is slightly different than this would be the one of
a TWAMP-responder. This is also a MP, with a helper function, the a TWAMP-responder. This is also a MP, with a helper function, the
TWAMP server, which is specially deployed to assist the MAs that TWAMP server, which is specially deployed to assist the MAs that
perform TWAMP tests. Another example is with a ping server, as perform TWAMP tests. Another example is with a ping server, as
described in Section 2. described in Section 2.
A further example is the case of a traceroute like measurement. In A further example is the case of a traceroute like measurement. In
this case, for each packet sent, the router where the TTL expires is this case, for each packet sent, the router where the TTL expires is
performing the MP function. So for a given Measurement Task, there performing the MP function. So for a given Measurement Task, there
is one MA involved and several MPs, one per hop. is one MA involved and several MPs, one per hop.
In the figure below we depict the case of an OWAMP (One-Way Active In the figure below we depict the case of an OWAMP (One-Way Active
Measurement Protocol) responder acting as an MP. In this case, the Measurement Protocol) responder acting as an MP. In this case, the
helper function in addition reports results back to the MA. So it helper function in addition reports results back to the MA. So it
has both a data plane and control interface with the MA. has both a data plane and control interface with the MA.
+----------------+ OWAMP +----------------+ ^ +------------------+ OWAMP +----------------+ ^
| MA: OWAMP |<--control--->| MP: | | | OWAMP |<--control--->| | |
| control-client |-test-traffic>| OWAMP server & | non-LMAP | control-client |-test-traffic>| OWAMP server & | non-LMAP
| fetch-client & |<----fetch----| session-rec'ver| Scope | fetch-client & |<----fetch----| session-rec'ver| Scope
| session-sender | | | | | session-sender | | | |
| | +----------------+ | | | +----------------+ |
...|................|....................................v... ...|..................|....................................v...
| LMAP interface | ^ |MA:LMAP interface | <MP:> ^
+----------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ v +------------+ +------------+ v
Schematic of LMAP-based Measurement System, Schematic of LMAP-based Measurement System,
with OWAMP server as Measurement Peer with OWAMP server as Measurement Peer
However, it is also possible to use two Measurement Agents when However, it is also possible to use two Measurement Agents when
performing one way Measurement Tasks, as described in the figure performing one way Measurement Tasks, as described in the figure
below. Both MAs are instructed by the Controller: MA-1 to send the below. Both MAs are instructed by the Controller: MA-1 to send the
traffic and MA-2 to measure the received traffic and send Reports to traffic and MA-2 to measure the received traffic and send Reports to
the Collector. Note that the Measurement Task at MA-2 can listen for the Collector. Note that the Measurement Task at MA-2 can listen for
traffic from MA-1 and respond multiple times without having to be traffic from MA-1 and respond multiple times without having to be
rescheduled. rescheduled.
+----------------+ +----------------+ ^ +----------------+ +----------------+ ^
| MA-1: | | MA-2: | non-LMAP | | | | non-LMAP
| iperf -u sender|-UDP traffic->| iperf -u recvr | Scope | iperf -u sender|-UDP traffic->| iperf -u recvr | Scope
| | | | v | | | | v
...|................|..............|................|....v... ...|................|..............|................|........
| LMAP interface | | LMAP interface | ^ | MA-1: | | MA-2: | ^
+----------------+ +----------------+ | | LMAP interface | | LMAP interface | |
^ ^ | | +----------------+ +----------------+ |
Instruction | Instruction{Report} | | Report | ^ ^ | |
{task, | +-------------------+ | | Instruction | Instruction{Report} | | Report |
schedule} | | | | {task, | +-------------------+ | |
| | v LMAP schedule} | | | |
+------------+ +------------+ Scope | | v LMAP
| Controller | | Collector | | +------------+ +------------+ Scope
+------------+ +------------+ v | Controller | | Collector | |
+------------+ +------------+ v
Schematic of LMAP-based Measurement System, with two
Measurement Agents cooperating to measure UDP traffic
Schematic of LMAP-based Measurement System, with two
Measurement Agents cooperating to measure UDP traffic
Next, we consider Measurement Methods that meter the Observed Traffic Next, we consider Measurement Methods that meter the Observed Traffic
Flow. Traffic generated in one point in the network flowing towards Flow. Traffic generated in one point in the network flowing towards
a given destination and the traffic is observed in some point along a given destination and the traffic is observed in some point along
the path. One way to implement this is that the endpoints generating the path. One way to implement this is that the endpoints generating
and receiving the traffic are not instructed by the Controller; hence and receiving the traffic are not instructed by the Controller; hence
they are MPs. The MA is located along the path with a monitor they are MPs. The MA is located along the path with a monitor
function that measures the traffic. The MA is instructed by the function that measures the traffic. The MA is instructed by the
Controller to monitor that particular traffic and to send the Report Controller to monitor that particular traffic and to send the Report
to the Collector. It is depicted in the figure below. to the Collector. It is depicted in the figure below.
+--------+ +----------------+ +--------+ ^ +--------+ +------------------+ +--------+ ^
|End user| | MA: Monitor | Observed |End user| | |End user| | Monitor | Observed |End user| |
| or MP |<--|----------------|--traffic-->| or MP | non-LMAP | |<--|------------------|--traffic-->| | non-LMAP
| | | | flow | | Scope | | | | flow | | Scope
+--------+ | | +--------+ | +--------+ | | +--------+ |
...|................|............................v.. ...|..................|............................v..
| LMAP interface | ^ |MA:LMAP interface | <MP:> ^
+----------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ v +------------+ +------------+ v
Schematic of LMAP-based Measurement System, Schematic of LMAP-based Measurement System,
with a Measurement Agent monitoring traffic with a Measurement Agent monitoring traffic
7. Security considerations 7. Security considerations
The security of the LMAP framework should protect the interests of The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who the measurement operator(s), the network user(s) and other actors who
could be impacted by a compromised measurement deployment. The could be impacted by a compromised measurement deployment. The
Measurement System must secure the various components of the system Measurement System must secure the various components of the system
from unauthorised access or corruption. Much of the general advice from unauthorised access or corruption. Much of the general advice
contained in section 6 of [RFC4656] is applicable here. contained in section 6 of [RFC4656] is applicable here.
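Review bot: In the revised Section 6.4 figures (web server, OWAMP and monitor cases), the "MA:" tag moves down to the "LMAP interface" row and a bare "<MP:>" marker is added on the same row, below the dotted scope boundary. Neither the captions nor the visible text explains that marker, and its position reads as if the Measurement Peer had an LMAP-scope part, while the text says the MP "doesn't have a specific function for assisting measurements". Add one sentence before the first figure defining the notation (a guess at the intent: the empty "<MP:>" marks that the MP has no LMAP interface), and apply the same convention to the two-MA iperf figure, which uses "MA-1:" and "MA-2:" inside boxes instead.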
skipping to change at page 38, line 24 skipping to change at page 38, line 34
o Regulators: Public authorities responsible for exercising o Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive desire to protect the participants and their own sensitive
information. information.
o Other LMAP system operators: Organisations who operate Measurement o Other LMAP system operators: Organisations who operate Measurement
Systems or participate in measurements in some way. Systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we include Although privacy is a protection extended to individuals, we discuss
discussion of ISPs and other LMAP system operators in this section. data protection by ISPs and other LMAP system operators in this
These organisations have sensitive information involved in the LMAP section. These organisations have sensitive information involved in
system, and many of the same dangers and mitigations are applicable. the LMAP system, and many of the same dangers and mitigations are
Further, the ISPs store information on their Subscribers beyond that applicable. Further, the ISPs store information on their Subscribers
used in the LMAP system (for instance billing information), and there beyond that used in the LMAP system (for instance billing
should be a benefit in considering all the needs and potential information), and there should be a benefit in considering all the
solutions coherently. needs and potential solutions coherently.
8.2. Examples of sensitive information 8.2. Examples of sensitive information
This section gives examples of sensitive information which may be This section gives examples of sensitive information which may be
measured or stored in a Measurement System, and which is to be kept measured or stored in a Measurement System, and which is to be kept
private by default in the LMAP core protocols. private by default in the LMAP core protocols.
Examples of Subscriber or authorised Internet user sensitive Examples of Subscriber or authorised Internet user sensitive
information: information:
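Review bot: The new wording "we discuss data protection by ISPs and other LMAP system operators" reads as protection carried out by those organisations, but the next sentence ("These organisations have sensitive information involved in the LMAP system") is about protecting their own information. Suggest "we also discuss protection of the sensitive information of ISPs and other LMAP system operators", which keeps the contrast with privacy as a protection for individuals.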
skipping to change at page 42, line 36 skipping to change at page 42, line 45
communications model below illustrates the various exchanges to communications model below illustrates the various exchanges to
execute such a Measurement Method and store the Results. execute such a Measurement Method and store the Results.
We note the potential for additional observers in the figures below We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation. significance to the protocols and direction of initiation.
The various messages are optional, depending on the nature of the The various messages are optional, depending on the nature of the
Measurement Method. It may involve sending Measurement Traffic from Measurement Method. It may involve sending Measurement Traffic from
the Measurement Peer to MA, MA to Measurement Peer, or both. the Measurement Peer to MA, MA to Measurement Peer, or both.
Similarly, a second (or more) MAs may be involved. Similarly, a second (or more) MAs may be involved. (Note: For
simplicity, the Figure and description don't show the non-LMAP
functionality that is associated with the transfer of the Measurement
Traffic and is located at the devices with the MA and MP.)
_________________ _________________ _________________ _________________
| | | | | | | |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent| |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________| |_________________| |_________________| |_________________|
<- (Key Negotiation & <- (Key Negotiation &
Encryption Setup) Encryption Setup)
(Encrypted Channel -> (Encrypted Channel ->
Established) Established)
(Announce capabilities -> (Announce capabilities ->
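Review bot: the note added after "a second (or more) MAs may be involved" says the Figure omits non-LMAP functionality but never says what that functionality is, so the reader cannot tell which element at the MA and MP devices actually sends and receives the Measurement Traffic. Suggest naming it or pointing to where the document describes it. "don't" would also read better as "do not" in the register of the surrounding text.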
skipping to change at page 44, line 16 skipping to change at page 44, line 16
Some Measurement Methods only involve a single Measurement Agent Some Measurement Methods only involve a single Measurement Agent
observing existing traffic. They raise potential privacy issues, observing existing traffic. They raise potential privacy issues,
although the specification of the mechanisms is beyond the scope of although the specification of the mechanisms is beyond the scope of
the initial LMAP work. the initial LMAP work.
The high-level communications model below illustrates the collection The high-level communications model below illustrates the collection
of user information of interest with the Measurement Agent performing of user information of interest with the Measurement Agent performing
the monitoring and storage of the Results. This particular exchange the monitoring and storage of the Results. This particular exchange
is for measurement of DNS Response Time, which most frequently uses is for measurement of DNS Response Time, which most frequently uses
UDP transport. UDP transport. (Note: For simplicity, the Figure and description
don't show the non-LMAP functionality that is associated with the
transfer of the Measurement Traffic and is located at the devices
with the MA.)
_________________ ____________ _________________ ____________
| | | | | | | |
| DNS Server |=========== NAT ? ==========*=======| User client| | DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________| |_________________| ^ |____________|
______|_______ ______|_______
| | | |
| Measurement | | Measurement |
| Agent | | Agent |
|______________| |______________|
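Review bot: the note added after "UDP transport." reuses the wording of the active-measurement case, but this hunk is about a single Measurement Agent "observing existing traffic", so "the transfer of the Measurement Traffic" does not fit. The traffic in the figure flows between the DNS Server and the User client, and the MA only monitors it. Suggest wording the note around the observed traffic and the devices that carry it, and saying what "the devices with the MA" means when only one MA is drawn.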
skipping to change at page 46, line 37 skipping to change at page 46, line 37
characteristics of an individual, and Identification as using this characteristics of an individual, and Identification as using this
combination to infer identity. combination to infer identity.
The main risk is that the LMAP system could unwittingly provide a key The main risk is that the LMAP system could unwittingly provide a key
piece of the correlation chain, starting with an unknown Subscriber's piece of the correlation chain, starting with an unknown Subscriber's
IP address and another piece of information. For example, a IP address and another piece of information. For example, a
Subscriber utilised Internet access from 2000 to 2310 UTC, because Subscriber utilised Internet access from 2000 to 2310 UTC, because
the Measurement Tasks were deferred, or sent a name resolution for the Measurement Tasks were deferred, or sent a name resolution for
www.example.com at 2300 UTC. www.example.com at 2300 UTC.
If a user's access with another system already gave away sensitive
info, correlation is clearly easier and can result in re-
identification, even when an LMAP conserves sensitive information to
great extent.
8.5.4. Secondary use and disclosure 8.5.4. Secondary use and disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as
unauthorised utilisation of an individual's information for a purpose unauthorised utilisation of an individual's information for a purpose
the individual did not intend, and Disclosure is when such the individual did not intend, and Disclosure is when such
information is revealed causing other's notions of the individual to information is revealed causing other's notions of the individual to
change, or confidentiality to be violated. change, or confidentiality to be violated.
Measurement Methods that measure user traffic are a form of Secondary Measurement Methods that measure user traffic are a form of Secondary
Use, and the Subscribers' permission should be obtained beforehand. Use, and the Subscribers' permission should be obtained beforehand.
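Review bot: the paragraph added before 8.5.4 is hard to parse. "an LMAP" has no noun (the paragraph above it says "the LMAP system"), "conserves sensitive information" does not make clear whether it means protecting or withholding that information, "info" is informal, and "to great extent" is missing its article. One possible wording, if "protects" is the intended sense: "If a user's interaction with another system has already revealed sensitive information, correlation is easier and can result in re-identification, even when the LMAP system protects sensitive information to a great extent."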
skipping to change at page 50, line 12 skipping to change at page 50, line 16
reduction and temporary storage mitigations as appropriate and reduction and temporary storage mitigations as appropriate and
certified through code review. certified through code review.
LMAP protocols, devices, and the information they store clearly need LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorised access. This is the hand-off between to be secure from unauthorised access. This is the hand-off between
privacy and security considerations (Section 7). The Data Controller privacy and security considerations (Section 7). The Data Controller
has the (legal) responsibility to maintain data protections described has the (legal) responsibility to maintain data protections described
in the Subscriber's agreement and agreements with other in the Subscriber's agreement and agreements with other
organisations. organisations.
Finally, it is recommended that each entity in section 8.1,
(individuals, ISPs, Regulators, others) assess the risks of LMAP data
collection by conducting audits of their data protection methods.
9. IANA considerations 9. IANA considerations
There are no IANA considerations in this memo. There are no IANA considerations in this memo.
10. Acknowledgments 10. Acknowledgments
This document originated as a merger of three individual drafts: This document originated as a merger of three individual drafts:
draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00,
and draft-eardley-lmap-framework-02. and draft-eardley-lmap-framework-02.
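Review bot: the recommendation added before section 9 has a stray comma in "section 8.1, (individuals, ISPs, Regulators, others)" and writes "section" in lower case, while the paragraph above it in the same hunk uses "(Section 7)". It also asks every listed entity, including individuals, to conduct "audits of their data protection methods", which is unclear for a Subscriber, and "it is recommended" leaves open who is making the recommendation and what an audit should cover. Suggest fixing the punctuation and capitalisation and stating per entity what is expected.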
skipping to change at page 56, line 26 skipping to change at page 56, line 38
Multiple-Interface Hosts", RFC 6419, November 2011. Multiple-Interface Hosts", RFC 6419, November 2011.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. [RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013. 2013.
[I-D.ietf-lmap-information-model] [I-D.ietf-lmap-information-model]
Burbridge, T., Eardley, P., Bagnulo, M., and J. Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", draft-ietf-lmap- Measurement Platforms (LMAP)", draft-ietf-lmap-
information-model-04 (work in progress), March 2015. information-model-05 (work in progress), April 2015.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Support", RFC 6235, May 2011. Support", RFC 6235, May 2011.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973, July
2013. 2013.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
 End of changes. 29 change blocks. 
105 lines changed or deleted 123 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/