draft-ietf-lmap-framework-14.txt   rfc7594.txt 
Network Working Group P. Eardley Internet Engineering Task Force (IETF) P. Eardley
Internet-Draft BT Request for Comments: 7594 BT
Intended status: Informational A. Morton Category: Informational A. Morton
Expires: October 31, 2015 AT&T Labs ISSN: 2070-1721 AT&T Labs
M. Bagnulo M. Bagnulo
UC3M UC3M
T. Burbridge T. Burbridge
BT BT
P. Aitken P. Aitken
Brocade Brocade
A. Akhter A. Akhter
Consultant Consultant
April 29, 2015 September 2015
A framework for Large-Scale Measurement of Broadband Performance (LMAP) A Framework for Large-Scale Measurement of Broadband Performance (LMAP)
draft-ietf-lmap-framework-14
Abstract Abstract
Measuring broadband service on a large scale requires a description Measuring broadband service on a large scale requires a description
of the logical architecture and standardisation of the key protocols of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document that coordinate interactions between the components. This document
presents an overall framework for large-scale measurements. It also presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (Large-Scale Measurement of Broadband defines terminology for LMAP (Large-Scale Measurement of Broadband
Performance). Performance).
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on October 31, 2015. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7594.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Outline of an LMAP-based measurement system . . . . . . . . . 5 2. Outline of an LMAP-Based Measurement System . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 12 4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. The measurement system is under the direction of a single 4.1. The Measurement System Is Under the Direction of a Single
organisation . . . . . . . . . . . . . . . . . . . . . . 13 Organisation . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Each MA may only have a single Controller at any point in 4.2. Each MA May Only Have a Single Controller at Any Point in
time . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Time . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13 5. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 14 5.1. Bootstrapping Process . . . . . . . . . . . . . . . . . . 14
5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15 5.2. Control Protocol . . . . . . . . . . . . . . . . . . . . 15
5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15 5.2.1. Configuration . . . . . . . . . . . . . . . . . . . . 15
5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16 5.2.2. Instruction . . . . . . . . . . . . . . . . . . . . . 16
5.2.3. Capabilities, Failure and Logging Information . . . . 20 5.2.3. Capabilities, Failure, and Logging Information . . . 20
5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 22 5.3. Operation of Measurement Tasks . . . . . . . . . . . . . 22
5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22 5.3.1. Starting and Stopping Measurement Tasks . . . . . . . 22
5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 23 5.3.2. Overlapping Measurement Tasks . . . . . . . . . . . . 24
5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 24 5.4. Report Protocol . . . . . . . . . . . . . . . . . . . . . 24
5.4.1. Reporting of Subscriber's service parameters . . . . 25 5.4.1. Reporting of the Subscriber's Service Parameters . . 26
5.5. Operation of LMAP over the underlying packet transfer 5.5. Operation of LMAP over the Underlying Packet Transfer
mechanism . . . . . . . . . . . . . . . . . . . . . . . . 26 Mechanism . . . . . . . . . . . . . . . . . . . . . . . . 26
5.6. Items beyond the scope of the initial LMAP work . . . . . 27 5.6. Items beyond the Scope of the Initial LMAP Work . . . . . 27
5.6.1. End-user-controlled measurement system . . . . . . . 28 5.6.1. End-User-Controlled Measurement System . . . . . . . 28
6. Deployment considerations . . . . . . . . . . . . . . . . . . 28 6. Deployment Considerations . . . . . . . . . . . . . . . . . . 29
6.1. Controller and the measurement system . . . . . . . . . . 28 6.1. Controller and the Measurement System . . . . . . . . . . 29
6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 29 6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 30
6.2.1. Measurement Agent on a networked device . . . . . . . 30 6.2.1. Measurement Agent on a Networked Device . . . . . . . 30
6.2.2. Measurement Agent embedded in site gateway . . . . . 30 6.2.2. Measurement Agent Embedded in a Site Gateway . . . . 31
6.2.3. Measurement Agent embedded behind site NAT /firewall 30 6.2.3. Measurement Agent Embedded behind a Site NAT or
6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 31 Firewall . . . . . . . . . . . . . . . . . . . . . . 31
6.2.5. Measurement Agent embedded in ISP network . . . . . . 31
6.2.4. Multihomed Measurement Agent . . . . . . . . . . . . 31
6.2.5. Measurement Agent Embedded in an ISP Network . . . . 32
6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 32 6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 32
6.4. Deployment examples . . . . . . . . . . . . . . . . . . . 32 6.4. Deployment Examples . . . . . . . . . . . . . . . . . . . 33
7. Security considerations . . . . . . . . . . . . . . . . . . . 35 7. Security Considerations . . . . . . . . . . . . . . . . . . . 36
8. Privacy considerations . . . . . . . . . . . . . . . . . . . 37 8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 38
8.1. Categories of entities with information of interest . . . 38 8.1. Categories of Entities with Information of Interest . . . 38
8.2. Examples of sensitive information . . . . . . . . . . . . 38 8.2. Examples of Sensitive Information . . . . . . . . . . . . 39
8.3. Different privacy issues raised by different sorts of 8.3. Different Privacy Issues Raised by Different Sorts of
Measurement Methods . . . . . . . . . . . . . . . . . . . 39 Measurement Methods . . . . . . . . . . . . . . . . . . . 40
8.4. Privacy analysis of the communication models . . . . . . 40 8.4. Privacy Analysis of the Communication Models . . . . . . 41
8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 40 8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 41
8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 41 8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 42
8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 42 8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 43
8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 42 8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 43
8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 44 8.4.5. Measurement Agent . . . . . . . . . . . . . . . . . . 45
8.4.6. Storage and reporting of Measurement Results . . . . 45 8.4.6. Storage and Reporting of Measurement Results . . . . 46
8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 45 8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 46
8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 45 8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 46
8.5.2. Stored data compromise . . . . . . . . . . . . . . . 45 8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 47
8.5.3. Correlation and identification . . . . . . . . . . . 46 8.5.3. Correlation and Identification . . . . . . . . . . . 47
8.5.4. Secondary use and disclosure . . . . . . . . . . . . 46 8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 48
8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 47 8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 48
8.6.1. Data minimisation . . . . . . . . . . . . . . . . . . 47 8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 48
8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 48 8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 49
8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 49 8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 50
8.6.4. Other mitigations . . . . . . . . . . . . . . . . . . 49 8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 50
9. IANA considerations . . . . . . . . . . . . . . . . . . . . . 50 9. Informative References . . . . . . . . . . . . . . . . . . . 51
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 50 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 54
11. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54
11.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 51
11.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 51
11.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 52
11.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 52
11.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 53
11.6. From -05 to -06 . . . . . . . . . . . . . . . . . . . . 54
11.7. From -06 to -07 . . . . . . . . . . . . . . . . . . . . 54
11.8. From -07 to -08 . . . . . . . . . . . . . . . . . . . . 54
11.9. From -08 to -09 . . . . . . . . . . . . . . . . . . . . 55
11.10. From -09 to -10 . . . . . . . . . . . . . . . . . . . . 55
11.11. From -10 to -11 . . . . . . . . . . . . . . . . . . . . 55
11.12. From -11 to -12 . . . . . . . . . . . . . . . . . . . . 55
11.13. From -12 to -13 . . . . . . . . . . . . . . . . . . . . 55
11.14. From -13 to -14 . . . . . . . . . . . . . . . . . . . . 55
12. Informative References . . . . . . . . . . . . . . . . . . . 55
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57
1. Introduction 1. Introduction
There is a desire to be able to coordinate the execution of broadband There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large measurements and the collection of measurement results across a large
scale set of Measurement Agents (MAs). These MAs could be software scale set of Measurement Agents (MAs). These MAs could be
based agents on PCs, embedded agents in consumer devices (such as TVs software-based agents on PCs, embedded agents in consumer devices
or gaming consoles), embedded in service provider controlled devices (such as TVs or gaming consoles), embedded in service-provider-
such as set-top boxes and home gateways, or simply dedicated probes. controlled devices such as set-top boxes and home gateways, or simply
MAs may also be embedded on a device that is part of an ISP's dedicated probes. MAs may also be embedded on a device that is part
network, such as a DSLAM (Digital Subscriber Line Access of an ISP's network, such as a DSLAM (Digital Subscriber Line Access
Multiplexer), router, Carrier Grade NAT (Network Address Translator) Multiplexer), router, Carrier Grade NAT (Network Address Translator),
or ISP Gateway. It is expected that a measurement system could or ISP Gateway. It is expected that a measurement system could
easily encompass a few hundred thousand or even millions of such MAs. easily encompass a few hundred thousand or even millions of such MAs.
Such a scale presents unique problems in coordination, execution and Such a scale presents unique problems in coordination, execution, and
measurement result collection. Several use cases have been proposed measurement result collection. Several use cases have been proposed
for large-scale measurements including: for large-scale measurements including:
o Operators: to help plan their network and identify faults o Operators: to help plan their network and identify faults
o Regulators: to benchmark several network operators and support o Regulators: to benchmark several network operators and support
public policy development public policy development
Further details of the use cases can be found in Further details of the use cases can be found in [RFC7536]. The LMAP
[I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for framework should be useful for these, as well as other use cases,
these, as well as other use cases, such as to help end users run such as to help end users run diagnostic checks like a network speed
diagnostic checks like a network speed test. test.
The LMAP Framework has three basic elements: Measurement Agents, The LMAP framework has three basic elements: Measurement Agents,
Controllers and Collectors. Controllers, and Collectors.
Measurement Agents (MAs) initiate the actual measurements, which are Measurement Agents (MAs) initiate the actual measurements, which are
called Measurement Tasks in the LMAP terminology. In principle, called Measurement Tasks in the LMAP terminology. In principle,
there are no restrictions on the type of device in which the MA there are no restrictions on the type of device in which the MA
function resides. function resides.
The Controller instructs one or more MAs and communicates the set of The Controller instructs one or more MAs and communicates the set of
Measurement Tasks an MA should perform and when. For example it may Measurement Tasks an MA should perform and when. For example, it may
instruct a MA at a home gateway: "Measure the 'UDP latency' with instruct an MA at a home gateway: "Measure the 'UDP latency' with
www.example.org; repeat every hour at xx.05". The Controller also www.example.org; repeat every hour at xx.05". The Controller also
manages a MA by instructing it how to report the Measurement Results, manages an MA by instructing it on how to report the Measurement
for example: "Report results once a day in a batch at 4am". We refer Results, for example: "Report results once a day in a batch at 4am".
to these as the Measurement Schedule and Report Schedule. We refer to these as the Measurement Schedule and Report Schedule.
The Collector accepts Reports from the MAs with the Results from The Collector accepts Reports from the MAs with the Results from
their Measurement Tasks. Therefore the MA is a device that gets their Measurement Tasks. Therefore, the MA is a device that gets
Instructions from the Controller, initiates the Measurement Tasks, Instructions from the Controller, initiates the Measurement Tasks,
and reports to the Collector. The communications between these three and reports to the Collector. The communications between these three
LMAP functions are structured according to a Control Protocol and a LMAP functions are structured according to a Control Protocol and a
Report Protocol. Report Protocol.
The desirable features for a large-scale Measurement Systems we are The design goals are the following large-scale Measurement System
designing for are: features:
o Standardised - in terms of the Measurement Tasks that they o Standardised - in terms of the Measurement Tasks that they
perform, the components, the data models and protocols for perform, the components, the data models, and the protocols for
transferring information between the components. Amongst other transferring information between the components. Amongst other
things, standardisation enables meaningful comparisons of things, standardisation enables meaningful comparisons of
measurements made of the same metric at different times and measurements made of the same Metric at different times and
places, and provides the operator of a Measurement System with places, and provides the operator of a Measurement System with
criteria for evaluation of the different solutions that can be criteria for evaluation of the different solutions that can be
used for various purposes including buying decisions (such as used for various purposes including buying decisions (such as
buying the various components from different vendors). Today's buying the various components from different vendors). Today's
systems are proprietary in some or all of these aspects. systems are proprietary in some or all of these aspects.
o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement o Large-scale - [RFC7536] envisages Measurement Agents in every home
Agents in every home gateway and edge device such as set-top boxes gateway and edge device such as set-top boxes and tablet
and tablet computers, and located throughout the Internet as well computers, and located throughout the Internet as well [RFC7398].
[RFC7398]. It is expected that a Measurement System could easily It is expected that a Measurement System could easily encompass a
encompass a few hundred thousand or even millions of Measurement few hundred thousand or even millions of Measurement Agents.
Agents. Existing systems have up to a few thousand MAs (without Existing systems have up to a few thousand MAs (without judging
judging how much further they could scale). how much further they could scale).
o Diversity - a Measurement System should handle Measurement Agents o Diversity - a Measurement System should handle Measurement Agents
from different vendors, that are in wired and wireless networks, from different vendors that are in wired and wireless networks,
can execute different sorts of Measurement Task, are on devices can execute different sorts of Measurement Tasks, are on devices
with IPv4 or IPv6 addresses, and so on. with IPv4 or IPv6 addresses, and so on.
o Privacy Respecting - the protocols and procedures should respect o Privacy Respecting - the protocols and procedures should respect
the sensitive information of all those involved in measurements. the sensitive information of all those involved in measurements.
2. Outline of an LMAP-based measurement system 2. Outline of an LMAP-Based Measurement System
In this section we provide an overview of the whole Measurement In this section, we provide an overview of the whole Measurement
System. New LMAP-specific terms are capitalised; Section 3 provides System. New LMAP-specific terms are capitalised; Section 3 provides
a terminology section with a compilation of all the LMAP terms and a terminology section with a compilation of all the LMAP terms and
their definition. Section 4 onwards considers the LMAP components in their definitions. Section 4 onwards considers the LMAP components
more detail. in more detail.
Other LMAP specifications will define an information model, the Other LMAP specifications will define an Information Model, the
associated data models, and select/extend one or more protocols for associated Data Models, and select/extend one or more protocols for
the secure communication: firstly, a Control Protocol, from a the secure communication: firstly, a Control Protocol, for a
Controller to instruct Measurement Agents what performance metrics to Controller to instruct Measurement Agents regarding which performance
measure, when to measure them, how/when to report the measurement Metrics to measure, when to measure them, and how/when to report the
results to a Collector; secondly, a Report Protocol, for a measurement results to a Collector; secondly, a Report Protocol, for
Measurement Agent to report the results to the Collector. a Measurement Agent to report the results to the Collector.
The Figure below shows the main components of a Measurement System, Figure 1 shows the main components of a Measurement System, and the
and the interactions of those components. Some of the components are interactions of those components. Some of the components are outside
outside the scope of initial LMAP work. the scope of initial LMAP work.
The MA performs Measurement Tasks. One possibility is that the MA is The MA performs Measurement Tasks. One possibility is that the MA
observes existing traffic. Another possibility is for the MA to observes existing traffic. Another possibility is for the MA to
generate (or receive) traffic specially created for the purpose and generate (or receive) traffic specially created for the purpose and
measure some metric associated with its transfer. The measure some Metric associated with its transfer. Figure 1 includes
Figure includes both possibilities (in practice, it may be more usual both possibilities (in practice, it may be more usual for an MA to do
for a MA to do one) whilst Section 6.4 shows some examples of one) whilst Section 6.4 shows some examples of possible arrangements
possible arrangements of the components. of the components.
The MAs are pieces of code that can be executed in specialised The MAs are pieces of code that can be executed in specialised
hardware (hardware probe) or on a general-purpose device (like a PC hardware (hardware probe) or on a general-purpose device (like a PC
or mobile phone). A device with a Measurement Agent may have or mobile phone). A device with a Measurement Agent may have
multiple physical interfaces (Wi-Fi, Ethernet, DSL (Digital multiple physical interfaces (Wi-Fi, Ethernet, DSL (Digital
Subscriber Line); and non-physical interfaces such as PPPoE (Point- Subscriber Line); and non-physical interfaces such as PPPoE
to-Point Protocol over Ethernet) or IPsec) and the Measurement Tasks (Point-to-Point Protocol over Ethernet) or IPsec) and the Measurement
may specify any one of these. Tasks may specify any one of these.
The Controller manages a MA through use of the Control Protocol, The Controller manages an MA through use of the Control Protocol,
which transfers the Instruction to the MA. This describes the which transfers the Instruction to the MA. This describes the
Measurement Tasks the MA should perform and when. For example the Measurement Tasks the MA should perform and when. For example the
Controller may instruct a MA at a home gateway: "Count the number of Controller may instruct an MA at a home gateway: "Count the number of
TCP SYN packets observed in a 1 minute interval; repeat every hour at TCP SYN packets observed in a 1 minute interval; repeat every hour at
xx.05 + Unif[0,180] seconds". The Measurement Schedule determines xx.05 + Unif[0,180] seconds". The Measurement Schedule determines
when the Measurement Tasks are executed. The Controller also manages when the Measurement Tasks are executed. The Controller also manages
a MA by instructing it how to report the Measurement Results, for an MA by instructing it on how to report the Measurement Results, for
example: "Report results once a day in a batch at 4am + Unif[0,180] example: "Report results once a day in a batch at 4am + Unif[0,180]
seconds; if the end user is active then delay the report 5 minutes". seconds; if the end user is active then delay the report 5 minutes."
The Report Schedule determines when the Reports are uploaded to the The Report Schedule determines when the Reports are uploaded to the
Collector. The Measurement Schedule and Report Schedule can define Collector. The Measurement Schedule and Report Schedule can define
one-off (non-recurring) actions ("Do measurement now", "Report as one-off (non-recurring) actions (for example, "Do measurement now",
soon as possible"), as well as recurring ones. "Report as soon as possible"), as well as recurring ones.
The Collector accepts a Report from a MA with the Measurement Results The Collector accepts a Report from an MA with the Measurement
from its Measurement Tasks. It then provides the Results to a Results from its Measurement Tasks. It then provides the Results to
repository (see below). a repository.
A Measurement Method defines how to measure a Metric of interest. It A Measurement Method defines how to measure a Metric of interest. It
is very useful to standardise Measurement Methods, so that it is is very useful to standardise Measurement Methods, so that it is
meaningful to compare measurements of the same Metric made at meaningful to compare measurements of the same Metric made at
different times and places. It is also useful to define a registry different times and places. It is also useful to define a registry
for commonly-used Metrics [I-D.ietf-ippm-metric-registry] so that a for commonly used Metrics [IPPM-REG] so that a Metric and its
Metric with its associated Measurement Method can be referred to associated Measurement Method can be referred to simply by its
simply by its identifier in the registry. The registry will identifier in the registry. The registry will hopefully be
hopefully be referenced by other standards organisations. The referenced by other standards organisations. The Measurement Methods
Measurement Methods may be defined by the IETF, locally, or by some may be defined by the IETF, locally, or by some other standards body.
other standards body.
Broadly speaking there are two types of Measurement Method. In both Broadly speaking there are two types of Measurement Methods. In both
types a Measurement Agent measures a particular Observed Traffic types, a Measurement Agent measures a particular Observed Traffic
Flow. It may involve a single MA simply observing existing traffic - Flow. It may involve a single MA simply observing existing traffic
for example, the Measurement Agent could count bytes or calculate the -- for example, the Measurement Agent could count bytes or calculate
average loss for a particular flow. On the other hand, a Measurement the average loss for a particular flow. On the other hand, a
Method may involve multiple network entities, which perform different Measurement Method may observe traffic created specifically for the
roles. For example, a "ping" Measurement Method, to measure the purpose of measurement. This requires multiple network entities,
round trip delay , would consist of an MA sending an ICMP (Internet which perform different roles. For example, to measure the round
Control Message Protocol) ECHO request to a responder in the trip delay one possible Measurement Method would consist of an MA
Internet. In LMAP terms, the responder is termed a Measurement Peer sending an ICMP (Internet Control Message Protocol) ECHO request
(MP), meaning that it helps the MA but is not managed by the ("ping") to a responder in the Internet. In LMAP terms, the
Controller. Other Measurement Methods involve a second MA, with the responder is termed a Measurement Peer (MP), meaning that it helps
Controller instructing the MAs in a coordinated manner. Traffic the MA but is not managed by the Controller. Other Measurement
generated specifically as part of the Measurement Method is termed Methods involve a second MA, with the Controller instructing the MAs
Measurement Traffic; in the ping example, it is the ICMP ECHO in a coordinated manner. Traffic generated specifically as part of
Requests and Replies. The protocols used for the Measurement Traffic the Measurement Method is termed Measurement Traffic; in the ping
are out of the scope of initial LMAP work, and fall within the scope example, it is the ICMP ECHO Requests and Replies. The protocols
of other IETF WGs such as IPPM (IP Performance Metrics). used for the Measurement Traffic are out of the scope of initial LMAP
work and fall within the scope of other IETF WGs such as IPPM (IP
Performance Metrics).
A Measurement Task is the action performed by a particular MA at a A Measurement Task is the action performed by a particular MA at a
particular time, as the specific instance of its role in a particular time, as the specific instance of its role in a
Measurement Method. LMAP is mainly concerned with Measurement Tasks, Measurement Method. LMAP is mainly concerned with Measurement Tasks,
for instance in terms of its Information Model and Protocols. for instance in terms of its Information Model and Protocols.
For Measurement Results to be truly comparable, as might be required For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be by a regulator, not only do the same Measurement Methods need to be
used to assess Metrics, but also the set of Measurement Tasks should used to assess Metrics, but also the set of Measurement Tasks should
follow a similar Measurement Schedule and be of similar number. The follow a similar Measurement Schedule and be of similar number. The
details of such a characterisation plan are beyond the scope of work details of such a characterisation plan are beyond the scope of IETF
in IETF although certainly facilitated by IETF's work. work, although it is certainly facilitated by the IETF's work.
Both control and report messages are transferred over a secure Both control and report messages are transferred over a secure
Channel. A Control Channel is between the Controller and a MA; the Channel. A Control Channel is between the Controller and an MA; the
Control Protocol delivers Instruction Messages to the MA and Control Protocol delivers Instruction Messages to the MA and
Capabilities, Failure and Logging Information in the reverse Capabilities, Failure, and Logging Information in the reverse
direction. A Report Channel is between a MA and Collector, and the direction. A Report Channel is between an MA and Collector, and the
Report Protocol delivers Reports to the Collector. Report Protocol delivers Reports to the Collector.
Finally we introduce several components that are outside the scope of Finally, we introduce several components that are outside the scope
initial LMAP work and will be provided through existing protocols or of initial LMAP work that will be provided through existing protocols
applications. They affect how the Measurement System uses the or applications. They affect how the Measurement System uses the
Measurement Results and how it decides what set of Measurement Tasks Measurement Results and how it decides what set of Measurement Tasks
to perform. As shown in the Figure, these components are: the to perform. As shown in Figure 1, these components are: the
bootstrapper, Subscriber parameter database, data analysis tools, and bootstrapper, Subscriber parameter database, data analysis tools, and
Results repository. Results repository.
The MA needs to be bootstrapped with initial details about its The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP work Controller, including authentication credentials. The LMAP work
considers the bootstrap process, since it affects the Information considers the Bootstrap process, since it affects the Information
Model. However, LMAP does not define a bootstrap protocol, since it Model. However, LMAP does not define a Bootstrap protocol, since it
is likely to be technology specific and could be defined by the is likely to be technology specific and could be defined by the
Broadband Forum, CableLabs or IEEE depending on the device. Possible Broadband Forum, CableLabs, or IEEE depending on the device.
protocols are SNMP (Simple Network Management Protocol), NETCONF Possible protocols are SNMP (Simple Network Management Protocol),
(Network Configuration Protocol) or (for Home Gateways) CPE WAN NETCONF (Network Configuration Protocol), or (for Home Gateways) CPE
Management Protocol (CWMP) from the Auto Configuration Server (ACS) WAN Management Protocol (CWMP) from the Auto Configuration Server
(as specified in TR-069 [TR-069]). (ACS) (as specified in TR-069 [TR-069]).
A Subscriber parameter database contains information about the line, A Subscriber parameter database contains information about the line,
such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), such as the customer's broadband contract (perhaps 2, 40, or 80
the line technology (DSL or fibre), the time zone where the MA is Mb/s), the line technology (DSL or fibre), the time zone in which the
located, and the type of home gateway and MA. These parameters are MA is located, and the type of home gateway and MA. These parameters
already gathered and stored by existing operations systems. They may are already gathered and stored by existing operations systems. They
affect the choice of what Measurement Tasks to run and how to may affect the choice of what Measurement Tasks to run and how to
interpret the Measurement Results. For example, a download test interpret the Measurement Results. For example, a download test
suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s suitable for a line with an 80 Mb/s contract may overwhelm a 2 Mb/s
line. line.
A Results repository records all Measurement Results in an equivalent A Results repository records all Measurement Results in an equivalent
form, for example an SQL (Structured Query Language) database, so form, for example an SQL (Structured Query Language) database, so
that they can easily be accessed by the data analysis tools. that they can easily be accessed by the data analysis tools.
The data analysis tools receive the results from the Collector or via The data analysis tools receive the results from the Collector or via
the Results repository. They might visualise the data or identify the Results repository. They might visualise the data or identify
which component or link is likely to be the cause of a fault or which component or link is likely to be the cause of a fault or
degradation. This information could help the Controller decide what degradation. This information could help the Controller decide what
follow-up Measurement Task to perform in order to diagnose a fault. follow-up Measurement Task to perform in order to diagnose a fault.
The data analysis tools also need to understand the Subscriber's The data analysis tools also need to understand the Subscriber's
service information, for example the broadband contract. service information, for example, the broadband contract.
+--------+ +-----------+ +-----------+ ^ +--------+ +-----------+ +-----------+ ^
|End user| | | Observed | End user | | |End user| | | Observed | End user | |
| |<-----|-----------|---traffic--->| | | | |<-----|-----------|---Traffic--->| | |
| | | | flow | | | | | | | Flow | | |
| | | | | | Non-LMAP | | | | | | Non-LMAP
| | | | Measurement | | Scope | | | | Measurement | | Scope
| | | |<--traffic--->| | | | | | |<--Traffic--->| | |
+--------+ | | +-----------+ | +--------+ | | +-----------+ |
.............|...........|.................................V ................|...........|.................................V
<MP> |Measurement| <MP> ^ <MP> |Measurement| <MP> ^
|Agent: | | |Agent: | |
|LMAP | | |LMAP | |
+----------->|interface | | +----------->|interface | |
| +-----------+ | | +-----------+ |
| ^ | LMAP | ^ | LMAP
| Instruction | | Report Scope | Instruction | | Report Scope
| (over Control | | (over Report Channel) | | (over Control | | (over Report Channel) |
| Channel) | +-----------------------+ | | Channel) | +-----------------------+ |
| | | | | | | |
| | | | | | | |
| | v | | | v |
| +------------+ +------------+ | | +------------+ +------------+ |
| | Controller | | Collector | | | | Controller | | Collector | |
| +------------+ +------------+ v | +------------+ +------------+ v
| ^ ^ | ^ | ^ ^ | ^
| | | | | | | | | |
| | +--------+ | | | | +--------+ | |
| | | v | | | | v |
+------------+ +----------+ +--------+ +----------+ | +------------+ +----------+ +--------+ +----------+ |
|Bootstrapper| |Subscriber|--->| data |<---| Results | Non- |Bootstrapper| |Subscriber|--->| data |<---| Results | Non-
+------------+ |parameter | |analysis| |repository| LMAP +------------+ |parameter | |analysis| |repository| LMAP
|database | | tools | +----------+ Scope |database | | tools | +----------+ Scope
+----------+ +--------+ | +----------+ +--------+ |
| |
v v
Schematic of main elements of an LMAP-based Measurement System MP: Measurement Peer
(showing the elements in and out of the scope of initial LMAP work)
Figure 1: Schematic of main elements of an LMAP-based Measurement
System (showing the elements in and out of the scope of initial LMAP
work)
3. Terminology 3. Terminology
This section defines terminology for LMAP. Please note that defined This section defines terminology for LMAP. Please note that defined
terms are capitalized. terms are capitalised throughout.
Bootstrap: A process that integrates a Measurement Agent into a Bootstrap: A process that integrates a Measurement Agent into a
Measurement System. Measurement System.
Capabilities: Information about the performance measurement Capabilities: Information about the performance measurement
capabilities of the MA, in particular the Measurement Method roles capabilities of the MA, in particular the Measurement Method roles
and measurement protocol roles that it can perform, and the device and measurement protocol roles that it can perform, and the device
hosting the MA, for example its interface type and speed, but not hosting the MA, for example its interface type and speed, but not
dynamic information. dynamic information.
Channel: A bi-directional logical connection that is defined by a Channel: A bidirectional logical connection that is defined by a
specific Controller and MA, or Collector and MA, plus associated specific Controller and MA, or Collector and MA, plus associated
security. security.
Collector: A function that receives a Report from a Measurement Collector: A function that receives a Report from an MA.
Agent.
Configuration: A process for informing the MA about its MA-ID, Configuration: A process for informing the MA about its MA-ID,
(optional) Group-ID and Control Channel. (optional) Group-ID, and Control Channel.
Controller: A function that provides a Measurement Agent with its Controller: A function that provides a Measurement Agent with its
Instruction. Instruction.
Control Channel: A Channel between a Controller and a MA over which Control Channel: A Channel between a Controller and an MA over which
Instruction Messages and Capabilities, Failure and Logging Instruction Messages and Capabilities, Failure, and Logging
Information are sent. Information are sent.
Control Protocol: The protocol delivering Instruction(s) from a Control Protocol: The protocol delivering Instruction(s) from a
Controller to a Measurement Agent. It also delivers Capabilities, Controller to a Measurement Agent. It also delivers Capabilities,
Failure and Logging Information from the Measurement Agent to the Failure, and Logging Information from the Measurement Agent to the
Controller. It can also be used to update the MA's Configuration. Controller. It can also be used to update the MA's Configuration.
It runs over the Control Channel. It runs over the Control Channel.
Cycle-ID: A tag that is sent by the Controller in an Instruction and Cycle-ID: A tag that is sent by the Controller in an Instruction and
echoed by the MA in its Report. The same Cycle-ID is used by several echoed by the MA in its Report. The same Cycle-ID is used by several
MAs that use the same Measurement Method for a Metric with the same MAs that use the same Measurement Method for a Metric with the same
Input Parameters. Hence the Cycle-ID allows the Collector to easily Input Parameters. Hence, the Cycle-ID allows the Collector to easily
identify Measurement Results that should be comparable. identify Measurement Results that should be comparable.
Data Model: The implementation of an Information Model in a Data Model: The implementation of an Information Model in a
particular data modelling language [RFC3444]. particular data modelling language [RFC3444].
Environmental Constraint: A parameter that is measured as part of the Environmental Constraint: A parameter that is measured as part of the
Measurement Task, its value determining whether the rest of the Measurement Task, its value determining whether the rest of the
Measurement Task proceeds. Measurement Task proceeds.
Failure Information: Information about the MA's failure to action or Failure Information: Information about the MA's failure to take
execute an Instruction, whether concerning Measurement Tasks or action or execute an Instruction, whether concerning Measurement
Reporting. Tasks or Reporting.
Group-ID: An identifier of a group of MAs. Group-ID: An identifier of a group of MAs.
Information Model: The protocol-neutral definition of the semantics Information Model: The protocol-neutral definition of the semantics
of the Instructions, the Report, the status of the different elements of the Instructions, the Report, the status of the different elements
of the Measurement System as well of the events in the system of the Measurement System, as well of the events in the system
[RFC3444]. [RFC3444].
Input Parameter: A parameter whose value is left open by the Metric Input Parameter: A parameter whose value is left open by the Metric
and its Measurement Method and is set to a specific value in a and its Measurement Method and is set to a specific value in a
Measurement Task. Altering the value of an Input Parameter does not Measurement Task. Altering the value of an Input Parameter does not
change the fundamental nature of the Measurement Task. change the fundamental nature of the Measurement Task.
Instruction: The description of Measurement Tasks for a MA to perform Instruction: The description of Measurement Tasks for an MA to
and the details of the Report for it to send. It is the collective perform and the details of the Report for it to send. It is the
description of the Measurement Task configurations, the configuration collective description of the Measurement Task configurations, the
of the Measurement Schedules, the configuration of the Report configuration of the Measurement Schedules, the configuration of the
Channel(s), the configuration of Report Schedule(s), and the details Report Channel(s), the configuration of Report Schedule(s), and the
of any suppression. details of any Suppression.
Instruction Message: The message that carries an Instruction from a Instruction Message: The message that carries an Instruction from a
Controller to a Measurement Agent. Controller to a Measurement Agent.
Logging Information: Information about the operation of the Logging Information: Information about the operation of the
Measurement Agent, which may be useful for debugging. Measurement Agent, which may be useful for debugging.
Measurement Agent (MA): The function that receives Instruction Measurement Agent (MA): The function that receives Instruction
Messages from a Controller and operates the Instruction by executing Messages from a Controller and operates the Instruction by executing
Measurement Tasks (using protocols outside the initial LMAP work Measurement Tasks (using protocols outside the scope of the initial
scope and perhaps in concert with one or more other Measurement LMAP work and perhaps in concert with one or more other Measurement
Agents or Measurement Peers) and (if part of the Instruction) by Agents or Measurement Peers) and (if part of the Instruction) by
reporting Measurement Results to a Collector or Collectors. reporting Measurement Results to a Collector or Collectors.
Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that Measurement Agent Identifier (MA-ID): a Universally Unique IDentifier
identifies a particular MA and is configured as part of the [RFC4122] that identifies a particular MA and is configured as part
Bootstrapping process. of the Bootstrapping process.
Measurement Method: The process for assessing the value of a Metric; Measurement Method: The process for assessing the value of a Metric;
the process of measuring some performance or reliability parameter the process of measuring some performance or reliability Metric
associated with the transfer of traffic. associated with the transfer of traffic.
Measurement Peer (MP): The function that assists a Measurement Agent Measurement Peer (MP): The function that assists a Measurement Agent
with Measurement Tasks and does not have an interface to the with Measurement Tasks and does not have an interface to the
Controller or Collector. Controller or Collector.
Measurement Result: The output of a single Measurement Task (the Measurement Result: The output of a single Measurement Task (the
value obtained for the parameter of interest or Metric). value obtained for the Metric).
Measurement Schedule: The schedule for performing Measurement Tasks. Measurement Schedule: The schedule for performing Measurement Tasks.
Measurement System: The set of LMAP-defined and related components Measurement System: The set of LMAP-defined and related components
that are operated by a single organisation, for the purpose of that are operated by a single organisation, for the purpose of
measuring performance aspects of the network. measuring performance aspects of the network.
Measurement Task: The action performed by a particular Measurement Measurement Task: The action performed by a particular Measurement
Agent that consists of the single assessment of a Metric through Agent that consists of the single assessment of a Metric through
operation of a Measurement Method role at a particular time, with all operation of a Measurement Method role at a particular time, with all
of the role's Input Parameters set to specific values. of the role's Input Parameters set to specific values.
Measurement Traffic: the packet(s) generated by some types of Measurement Traffic: the packet(s) generated by some types of
Measurement Method that involve measuring some parameter associated Measurement Method that involve measuring some parameter associated
with the transfer of the packet(s). with the transfer of the packet(s).
Metric: The quantity related to the performance and reliability of Metric: The quantity related to the performance and reliability of
the network that we'd like to know the value of. the network that we'd like to know the value of.
Observed Traffic Flow: In RFC 7011, a Traffic Flow (or Flow) is Observed Traffic Flow: In RFC 7011 [RFC7011], a Traffic Flow (or
defined as a set of packets or frames passing an Observation Point in Flow) is defined as "a set of packets or frames passing an
the network during a certain time interval. All packets belonging to Observation Point in the network during a certain time interval. All
a particular Flow have a set of common properties, such as packet packets belonging to a particular Flow have a set of common
header fields, characteristics, and treatments. A Flow measured by properties," such as packet header fields, characteristics, and
the LMAP system is termed an Observed Traffic Flow. Its properties treatments. A Flow measured by the LMAP system is termed an Observed
are summarized and tabulated in Measurement Results (as opposed to Traffic Flow. Its properties are summarised and tabulated in
raw capture and export). Measurement Results (as opposed to raw capture and export).
Report: The set of Measurement Results and other associated Report: The set of Measurement Results and other associated
information (as defined by the Instruction). The Report is sent by a information (as defined by the Instruction). The Report is sent by a
Measurement Agent to a Collector. Measurement Agent to a Collector.
Report Channel: A Channel between a Collector and a MA over which Report Channel: A Channel between a Collector and an MA over which
Report messages are sent. Report messages are sent.
Report Protocol: The protocol delivering Report(s) from a Measurement Report Protocol: The protocol delivering Report(s) from a Measurement
Agent to a Collector. It runs over the Report Channel. Agent to a Collector. It runs over the Report Channel.
Report Schedule: the schedule for sending Reports to a Collector. Report Schedule: The schedule for sending Reports to a Collector.
Subscriber: An entity (associated with one or more users) that is Subscriber: An entity (associated with one or more users) that is
engaged in a subscription with a service provider. engaged in a subscription with a service provider.
Suppression: the temporary cessation of Measurement Tasks. Suppression: The temporary cessation of Measurement Tasks.
4. Constraints 4. Constraints
The LMAP framework makes some important assumptions, which constrain The LMAP framework makes some important assumptions, which constrain
the scope of the initial LMAP work. the scope of the initial LMAP work.
4.1. The measurement system is under the direction of a single 4.1. The Measurement System Is Under the Direction of a Single
organisation Organisation
In the LMAP framework, the Measurement System is under the direction In the LMAP framework, the Measurement System is under the direction
of a single organisation that is responsible for any impact that its of a single organisation that is responsible for any impact that its
measurements have on a user's quality of experience and privacy. measurements have on a user's quality of experience and privacy.
Clear responsibility is critical given that a misbehaving large-scale Clear responsibility is critical given that a misbehaving large-scale
Measurement System could potentially harm user experience, user Measurement System could potentially harm user experience, user
privacy and network security. privacy, and network security.
However, the components of an LMAP Measurement System can be deployed However, the components of an LMAP Measurement System can be deployed
in administrative domains that are not owned by the measuring in administrative domains that are not owned by the measuring
organisation. Thus, the system of functions deployed by a single organisation. Thus, the system of functions deployed by a single
organisation constitutes a single LMAP domain which may span organisation constitutes a single LMAP domain, which may span
ownership or other administrative boundaries. ownership or other administrative boundaries.
4.2. Each MA may only have a single Controller at any point in time 4.2. Each MA May Only Have a Single Controller at Any Point in Time
A MA is instructed by one Controller and is in one Measurement An MA is instructed by one Controller and is in one Measurement
System. The constraint avoids different Controllers giving a MA System. The constraint avoids different Controllers giving an MA
conflicting instructions and so means that the MA does not have to conflicting instructions and so means that the MA does not have to
manage contention between multiple Measurement (or Report) Schedules. manage contention between multiple Measurement (or Report) Schedules.
This simplifies the design of MAs (critical for a large-scale This simplifies the design of MAs (critical for a large-scale
infrastructure) and allows a Measurement Schedule to be tested on infrastructure) and allows a Measurement Schedule to be tested on
specific types of MA before deployment to ensure that the end user specific types of MAs before deployment to ensure that the end-user
experience is not impacted (due to CPU, memory or broadband-product experience is not impacted (due to CPU, memory, or broadband-product
constraints). However, a Measurement System may have several constraints). However, a Measurement System may have several
Controllers. Controllers.
5. Protocol Model 5. Protocol Model
A protocol model [RFC4101] presents an architectural model for how A protocol model [RFC4101] presents an architectural model for how
the protocol operates and needs to answer three basic questions: the protocol operates and needs to answer three basic questions:
1. What problem is the protocol trying to address? 1. What problem is the protocol trying to address?
2. What messages are being transmitted and what do they mean? 2. What messages are being transmitted and what do they mean?
3. What are the important, but unobvious, features of the protocol? 3. What are the important, but not obvious [sic], features of the
protocol?
An LMAP system goes through the following phases: An LMAP system goes through the following phases:
o a Bootstrapping process before the MA can take part in the other o a Bootstrapping process before the MA can take part in the other
three phases. three phases.
o a Control Protocol, which delivers Instruction Messages from a o a Control Protocol, which delivers Instruction Messages from a
Controller to a MA (amongst other things). Controller to an MA (amongst other things).
o the actual Measurement Tasks, which measure some performance or o the actual Measurement Tasks, which measure some performance or
reliability parameter(s) associated with the transfer of packets. reliability Metric(s) associated with the transfer of packets.
o a Report Protocol, which delivers Reports containing the o a Report Protocol, which delivers Reports containing the
Measurement Results from a MA to a Collector. Measurement Results from an MA to a Collector.
The diagrams show the various LMAP messages and uses the following The figures show the various LMAP messages and use the following
convention: conventions:
o (optional): indicated by round brackets o (optional): indicated by round brackets
o [potentially repeated]: indicated by square brackets o [potentially repeated]: indicated by square brackets
The protocol model is closely related to the Information Model The protocol model is closely related to the Information Model
[I-D.ietf-lmap-information-model], which is the abstract definition [LMAP-INFO], which is the abstract definition of the information
of the information carried by the protocol. (If there is any carried by the protocol. (If there is any difference between this
difference between this document and the Information Model, the document and the Information Model, the latter is definitive.) The
latter is definitive, since it is on the standards track.) The purpose of both is to provide a protocol and device-independent view,
purpose of both is to provide a protocol and device independent view,
which can be implemented via specific protocols. LMAP defines a which can be implemented via specific protocols. LMAP defines a
specific Control Protocol and Report Protocol, but others could be specific Control Protocol and Report Protocol, but others could be
defined by other standards bodies or be proprietary. However it is defined by other standards bodies or be proprietary. However, it is
important that they all implement the same Information Model and important that they all implement the same Information Model and
protocol model, in order to ease the definition, operation and protocol model, in order to ease the definition, operation, and
interoperability of large-scale Measurement Systems. interoperability of large-scale Measurement Systems.
5.1. Bootstrapping process 5.1. Bootstrapping Process
The primary purpose of bootstrapping is to enable a MA to be The primary purpose of Bootstrapping is to enable an MA to be
integrated into a Measurement System. The MA retrieves information integrated into a Measurement System. The MA retrieves information
about itself (like its identity in the Measurement System) and about about itself (like its identity in the Measurement System) and about
the Controller, the Controller learns information about the MA, and the Controller, the Controller learns information about the MA, and
they learn about security information to communicate (such as they learn about security information to communicate (such as
certificates and credentials). certificates and credentials).
Whilst this memo considers the bootstrapping process, it is beyond Whilst this memo considers the Bootstrapping process, it is beyond
the scope of initial LMAP work to define a bootstrap mechanism, as it the scope of initial LMAP work to define a Bootstrap mechanism, as it
depends on the type of device and access. depends on the type of device and access.
As a result of the bootstrapping process the MA learns information As a result of the Bootstrapping process, the MA learns the following
with the following aims ([I-D.ietf-lmap-information-model] defines information ([LMAP-INFO] defines the consequent list of information
the consequent list of information elements): elements):
o its identifier, either its MA-ID or a device identifier such as o its identifier, either its MA-ID or a device identifier such as
one of its MAC or both. one of its Media Access Control (MAC) addresses or both.
o (optionally) a Group-ID. A Group-ID would be shared by several o (optionally) a Group-ID, shared by several MAs and could be useful
MAs and could be useful for privacy reasons. For instance, for privacy reasons. For instance, reporting the Group-ID and not
reporting the Group-ID and not the MA-ID could hinder tracking of the MA-ID could hinder tracking of a mobile device.
a mobile device
o the Control Channel, which is defined by: o the Control Channel, which is defined by:
* the address which identifies the Control Channel, such as the * the address that identifies the Control Channel, such as the
Controller's FQDN (Fully Qualified Domain Name) [RFC1035]) Controller's FQDN (Fully Qualified Domain Name) [RFC1035]).
* security information (for example to enable the MA to decrypt * security information (for example, to enable the MA to decrypt
the Instruction Message and encrypt messages sent to the the Instruction Message and encrypt messages sent to the
Controller) Controller).
The details of the bootstrapping process are device /access specific. The details of the Bootstrapping process are device/access specific.
For example, the information could be in the firmware, manually For example, the information could be in the firmware, manually
configured or transferred via a protocol like TR-069 [TR-069]. There configured, or transferred via a protocol like that described in
may be a multi-stage process where the MA contacts a 'hard-coded' TR-069 [TR-069]. There may be a multi-stage process where the MA
address, which replies with the bootstrapping information. contacts a 'hard-coded' address, which replies with the Bootstrapping
information.
The MA must learn its MA-ID before getting an Instruction, either The MA must learn its MA-ID before getting an Instruction, either
during Bootstrapping or via Configuration (Section 5.2.1). during Bootstrapping or via Configuration (Section 5.2.1).
5.2. Control Protocol 5.2. Control Protocol
The primary purpose of the Control Protocol is to allow the The primary purpose of the Control Protocol is to allow the
Controller to configure a Measurement Agent with an Instruction about Controller to configure a Measurement Agent with an Instruction about
what Measurement Tasks to do, when to do them, and how to report the what Measurement Tasks to do, when to do them, and how to report the
Measurement Results (Section 5.2.2). The Measurement Agent then acts Measurement Results (Section 5.2.2). The Measurement Agent then acts
on the Instruction autonomously. The Control Protocol also enables on the Instruction autonomously. The Control Protocol also enables
the MA to inform the Controller about its Capabilities and any the MA to inform the Controller about its Capabilities and any
Failure and Logging Information (Section 5.2.2). Finally, the Failure and Logging Information (Section 5.2.3). Finally, the
Control Protocol allows the Controller to update the MA's Control Protocol allows the Controller to update the MA's
Configuration. Configuration.
5.2.1. Configuration 5.2.1. Configuration
Configuration allows the Controller to update the MA about some or Configuration allows the Controller to update the MA about some or
all of the information that it obtained during the bootstrapping all of the information that it obtained during the Bootstrapping
process: the MA-ID, the (optional) Group-ID and the Control Channel. process: the MA-ID, the (optional) Group-ID, and the Control Channel.
The Measurement System might use Configuration for several reasons. Figure 2 outlines the Configuration process. The Measurement System
For example, the bootstrapping process could 'hard code' the MA with might use Configuration for several reasons. For example, the
details of an initial Controller, and then the initial Controller Bootstrapping process could 'hard code' the MA with details of an
could configure the MA with details about the Controller that sends initial Controller, and then the initial Controller could configure
Instruction Messages. (Note that a MA only has one Control Channel, the MA with details about the Controller that sends Instruction
and so is associated with only one Controller, at any moment.) Messages. (Note that an MA only has one Control Channel, so it is
associated with only one Controller, at any moment.)
Note that an implementation may choose to combine Configuration Note that an implementation may choose to combine Configuration
information and an Instruction Message into a single message. information and an Instruction Message into a single message.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |===================================| Agent | | Controller |===================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
Configuration information: -> Configuration information: ->
(MA-ID), (MA-ID),
(Group-ID), (Group-ID),
(Control Channel) (Control Channel)
<- Response(details) <- Response(details)
MA: Measurement Agent
Figure 2: Outline of Configuration
5.2.2. Instruction 5.2.2. Instruction
The Instruction is the description of the Measurement Tasks for a The Instruction is the description of the Measurement Tasks for a
Measurement Agent to do and the details of the Measurement Reports Measurement Agent to do and the details of the Measurement Reports
for it to send. In order to update the Instruction the Controller for it to send. Figure 3 outlines the Instruction process. In order
uses the Control Protocol to send an Instruction Message over the to update the Instruction, the Controller uses the Control Protocol
Control Channel. to send an Instruction Message over the Control Channel.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |===================================| Agent | | Controller |===================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
Instruction: -> Instruction: ->
[(Measurement Task configuration [(Measurement Task configuration
URI of Metric( URI of Metric(
[Input Parameter], [Input Parameter],
(Role) (role)
(interface), (interface),
(Cycle-ID) (Cycle-ID)
(measurement point)), (measurement point)),
(Report Channel), (Report Channel),
(Schedule), (Schedule),
(Suppression information)] (Suppression information)]
<- Response(details) <- Response(details)
The Instruction defines information with the following aims Figure 3: Outline of Instruction
([I-D.ietf-lmap-information-model] defines the consequent list of
information elements): The Instruction defines the following information ([LMAP-INFO]
defines the consequent list of information elements):
o the Measurement Task configurations, each of which needs: o the Measurement Task configurations, each of which needs:
* the Metric, specified as a URI to a registry entry; it includes * the Metric, specified as a URI to a registry entry; it includes
the specification of a Measurement Method. The registry could the specification of a Measurement Method. The registry could
be defined by a standards organisation or locally by the be defined by a standards organisation or locally by the
operator of the Measurement System. Note that, at the time of operator of the Measurement System. Note that, at the time of
writing, the IETF works on such a registry specification writing, the IETF is working on such a registry specification
[I-D.ietf-ippm-metric-registry]. [IPPM-REG].
* the Measurement Method role. For some Measurement Methods, * the Measurement Method role. For some Measurement Methods,
different parties play different roles; for example (see different parties play different roles; for example, an iperf
Section 6.4) an iperf sender and receiver. Each Metric and its sender and receiver (see Section 6.4). Each Metric and its
associated Measurement Method will describe all measurement associated Measurement Method will describe all measurement
roles involved in the process. roles involved in the process.
* a boolean flag (suppress or do-not-suppress) indicating if such * a boolean flag (suppress or do-not-suppress) indicating if such
a Measurement Task is impacted by a Suppression message (see a Measurement Task is impacted by a Suppression message (see
Section 5.2.2.1). Thus, the flag is an Input Parameter. Section 5.2.2.1). Thus, the flag is an Input Parameter.
* any Input Parameters that need to be set for the Metric and the * any Input Parameters that need to be set for the Metric and the
Measurement Method. For example, the address of a Measurement Measurement Method. For example, the address of a Measurement
Peer (or other Measurement Agent) that may be involved in a Peer (or other Measurement Agent) that may be involved in a
Measurement Task , or traffic filters associated with the Measurement Task, or traffic filters associated with the
Observed Traffic Flow. Observed Traffic Flow.
* if the device with the MA has multiple interfaces, then the * the interface to use (if not defined, then the default
interface to use (if not defined, then the default interface is interface is used), if the device with the MA has multiple
used). interfaces.
* optionally, a Cycle-ID. * optionally, a Cycle-ID.
* optionally, the measurement point designation [RFC7398] of the * optionally, the measurement point designation [RFC7398] of the
MA and, if applicable, of the MP or other MA. This can be MA and, if applicable, of the MP or other MA. This can be
useful for reporting. useful for reporting.
o configuration of the Schedules, each of which needs: o configuration of the Schedules, each of which needs:
* the timing of when the Measurement Tasks are to be performed, * the timing of when the Measurement Tasks are to be performed or
or the Measurement Reports are to be sent. Possible types of the Measurement Reports are to be sent. Possible types of
timing are periodic, calendar-based periodic, one-off immediate timing are periodic, calendar-based periodic, one-off
and one-off at a future time immediate, and one-off at a future time.
o configuration of the Report Channel(s), each of which needs: o configuration of the Report Channel(s), each of which needs:
* the address of the Collector, for instance its URL * the address of the Collector, for instance its URL.
* security for this Report Channel, for example the X.509 * security for this Report Channel, for example, the X.509
certificate certificate.
o Suppression information, if any (see Section 5.2.2.1).
o Suppression information, if any (see Section 5.2.1.1)
A single Instruction Message may contain some or all of the above A single Instruction Message may contain some or all of the above
parts. The finest level of granularity possible in an Instruction parts. The finest level of granularity possible in an Instruction
Message is determined by the implementation and operation of the Message is determined by the implementation and operation of the
Control Protocol. For example, a single Instruction Message may add Control Protocol. For example, a single Instruction Message may add
or update an individual Measurement Schedule - or it may only update or update an individual Measurement Schedule -- or it may only update
the complete set of Measurement Schedules; a single Instruction the complete set of Measurement Schedules; a single Instruction
Message may update both Measurement Schedules and Measurement Task Message may update both Measurement Schedules and Measurement Task
configurations - or only one at a time; and so on. However, configurations -- or only one at a time; and so on. However,
Suppression information always replaces (rather than adds to) any Suppression information always replaces (rather than adds to) any
previous Suppression information. previous Suppression information.
The MA informs the Controller that it has successfully understood the The MA informs the Controller that it has successfully understood the
Instruction Message, or that it cannot action the Instruction - for Instruction Message, or that it cannot take action on the Instruction
example, if it doesn't include a parameter that is mandatory for the -- for example, if it doesn't include a parameter that is mandatory
requested Metric and Measurement Method, or it is missing details of for the requested Metric and Measurement Method, or if it is missing
the target Collector. details of the target Collector.
The Instruction Message instructs the MA; the Control Protocol does The Instruction Message instructs the MA; the Control Protocol does
not allow the MA to negotiate, as this would add complexity to the not allow the MA to negotiate, as this would add complexity to the
MA, Controller and Control Protocol for little benefit. MA, Controller, and Control Protocol for little benefit.
5.2.2.1. Suppression 5.2.2.1. Suppression
The Instruction may include Suppression information. The main The Instruction may include Suppression information. The main
motivation for Suppression is to enable the Measurement System to motivation for Suppression is to enable the Measurement System to
eliminate Measurement Traffic, because there is some unexpected eliminate Measurement Traffic, because there is some unexpected
network issue for example. There may be other circumstances when network issue, for example. There may be other circumstances when
Suppression is useful, for example to eliminate inessential Reporting Suppression is useful, for example, to eliminate inessential
traffic (even if there is no Measurement Traffic). Reporting traffic (even if there is no Measurement Traffic).
Figure 4 outlines the Suppression process.
The Suppression information may include any of the following optional The Suppression information may include any of the following optional
fields: fields:
o a set of Measurement Tasks to suppress; the others are not o a set of Measurement Tasks to suppress; the others are not
suppressed. For example, this could be useful if a particular suppressed. For example, this could be useful if a particular
Measurement Task is overloading a Measurement Peer with Measurement Task is overloading a Measurement Peer with
Measurement Traffic. Measurement Traffic.
o a set of Measurement Schedules to suppress; the others are not o a set of Measurement Schedules to suppress; the others are not
suppressed. For example, suppose the Measurement System has suppressed. For example, suppose the Measurement System has
defined two Schedules, one with the most critical Measurement defined two Schedules, one with the most critical Measurement
Tasks and the other with less critical ones that create a lot of Tasks and the other with less critical ones that create a lot of
Measurement Traffic, then it may only want to suppress the second. Measurement Traffic, in which case it may only want to suppress
the second.
o a set of Reporting Schedules to suppress; the others are not o a set of Reporting Schedules to suppress; the others are not
suppressed. This can be particularly useful in the case of a suppressed. This can be particularly useful in the case of a
Measurement Method that doesn't generate Measurement Traffic; it Measurement Method that doesn't generate Measurement Traffic; it
may need to continue observing traffic flows but temporarily may need to continue observing traffic flows but temporarily
suppress Reports due to the network footprint of the Reports. suppress Reports due to the network footprint of the Reports.
o if all the previous fields are included then the MA suppresses the o if all the previous fields are included then the MA suppresses the
union - in other words, it suppresses the set of Measurement union -- in other words, it suppresses the set of Measurement
Tasks, the set of Measurement Schedules, and the set of Reporting Tasks, the set of Measurement Schedules, and the set of Reporting
Schedules. Schedules.
o if the Suppression information includes neither a set of o if the Suppression information includes neither a set of
Measurement Tasks nor a set of Measurement Schedules, then the MA Measurement Tasks nor a set of Measurement Schedules, then the MA
does not begin new Measurement Tasks that have the boolean flag does not begin new Measurement Tasks that have the boolean flag
set to "suppress"; however, the MA does begin new Measurement set to suppress; however, the MA does begin new Measurement Tasks
Tasks that have the flag set to "do-not-suppress". that have the flag set to do-not-suppress.
o a start time, at which suppression begins. If absent, then o a start time, at which Suppression begins. If absent, then
Suppression begins immediately. Suppression begins immediately.
o an end time, at which suppression ends. If absent, then o an end time, at which Suppression ends. If absent, then
Suppression continues until the MA receives an un-Suppress Suppression continues until the MA receives an Un-suppress
message. message.
o a demand that the MA immediately ends on-going Measurement Task(s) o a demand that the MA immediately end on-going Measurement Task(s)
that are tagged for suppression. (Most likely it is appropriate that are tagged for Suppression. (Most likely it is appropriate
to delete the associated partial Measurement Result(s).) This to delete the associated partial Measurement Result(s).) This
could be useful in the case of a network emergency so that the could be useful in the case of a network emergency so that the
operator can eliminate all inessential traffic as rapidly as operator can eliminate all inessential traffic as rapidly as
possible. If absent, the MA completes on-going Measurement Tasks. possible. If absent, the MA completes on-going Measurement Tasks.
An un-Suppress message instructs the MA no longer to suppress, An Un-suppress message instructs the MA to no longer suppress,
meaning that the MA once again begins new Measurement Tasks, meaning that the MA once again begins new Measurement Tasks,
according to its Measurement Schedule. according to its Measurement Schedule.
Note that Suppression is not intended to permanently stop a Note that Suppression is not intended to permanently stop a
Measurement Task (instead, the Controller should send a new Measurement Task (instead, the Controller should send a new
Measurement Schedule), nor to permanently disable a MA (instead, some Measurement Schedule), nor to permanently disable an MA (instead,
kind of management action is suggested). some kind of management action is suggested).
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |==============================| Agent | | Controller |==============================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
Suppress: Suppress:
[(Measurement Task), -> [(Measurement Task), ->
(Measurement Schedule), (Measurement Schedule),
[start time], (start time),
[end time], (end time),
[on-going suppressed?]] (on-going suppressed?)]
Un-suppress -> Un-suppress ->
5.2.3. Capabilities, Failure and Logging Information Figure 4: Outline of Suppression
5.2.3. Capabilities, Failure, and Logging Information
The Control Protocol also enables the MA to inform the Controller The Control Protocol also enables the MA to inform the Controller
about various information, such as its Capabilities and any Failures. about various information, such as its Capabilities and any Failures.
It is also possible to use a device-specific mechanism which is Figure 5 outlines the process for Capabilities, Failure, and Logging
beyond the scope of the initial LMAP work. Information. It is also possible to use a device-specific mechanism,
which is beyond the scope of the initial LMAP work.
Capabilities are information about the MA that the Controller needs Capabilities are information about the MA that the Controller needs
to know in order to correctly instruct the MA, such as: to know in order to correctly instruct the MA, such as:
o the Measurement Method (roles) that the MA supports o the Measurement Method (roles) that the MA supports.
o the measurement protocol types and roles that the MA supports o the measurement protocol types and roles that the MA supports.
o the interfaces that the MA has o the interfaces that the MA has.
o the version of the MA o the version of the MA.
o the version of the hardware, firmware or software of the device o the version of the hardware, firmware, or software of the device
with the MA with the MA.
o its Instruction (this could be useful if the Controller thinks o its Instruction (this could be useful if the Controller thinks
something has gone wrong, and wants to check what Instruction the something has gone wrong and wants to check what Instruction the
MA is using) MA is using).
o but not dynamic information like the currently unused CPU, memory o but not dynamic information like the currently unused CPU, memory,
or battery life of the device with the MA. or battery life of the device with the MA.
Failure Information concerns why the MA has been unable to execute a Failure Information concerns why the MA has been unable to execute a
Measurement Task or deliver a Report, for example: Measurement Task or deliver a Report, for example:
o the Measurement Task failed to run properly because the MA o the Measurement Task failed to run properly because the MA
(unexpectedly) has no spare CPU cycles (unexpectedly) has no spare CPU cycles.
o the MA failed to record the Measurement Results because it o the MA failed to record the Measurement Results because it
(unexpectedly) is out of spare memory (unexpectedly) is out of spare memory.
o a Report failed to deliver Measurement Results because the o a Report failed to deliver Measurement Results because the
Collector (unexpectedly) is not responding Collector (unexpectedly) is not responding.
o but not if a Measurement Task correctly doesn't start. For o but not if a Measurement Task correctly doesn't start. For
example, the first step of some Measurement Methods is for the MA example, the first step of some Measurement Methods is for the MA
to check there is no cross-traffic. to check that there is no cross-traffic.
Logging Information concerns how the MA is operating and may help Logging Information concerns how the MA is operating and may help
debugging, for example: debugging, for example:
o the last time the MA ran a Measurement Task o the last time the MA ran a Measurement Task.
o the last time the MA sent a Measurement Report o the last time the MA sent a Measurement Report.
o the last time the MA received an Instruction Message o the last time the MA received an Instruction Message.
o whether the MA is currently Suppressing Measurement Tasks o whether the MA is currently suppressing Measurement Tasks.
Capabilities, Failure and Logging Information are sent by the MA, Capabilities, Failure, and Logging Information are sent by the MA,
either in response to a request from the Controller (for example, if either in response to a request from the Controller (for example, if
the Controller forgets what the MA can do or otherwise wants to the Controller forgets what the MA can do or otherwise wants to
resynchronize what it knows about the MA), or on its own initiative resynchronise what it knows about the MA), or on its own initiative
(for example when the MA first communicates with a Controller or if (for example, when the MA first communicates with a Controller or if
it becomes capable of a new Measurement Method). Another example of it becomes capable of a new Measurement Method). Another example of
the latter case is if the device with the MA re-boots, then the MA the latter case is if the device with the MA re-boots, then the MA
should notify its Controller in case its Instruction needs to be should notify its Controller in case its Instruction needs to be
updated; to avoid a "mass calling event" after a widespread power updated; to avoid a "mass calling event" after a widespread power
restoration affecting many MAs, it is sensible for an MA to pause for restoration affecting many MAs, it is sensible for an MA to pause for
a random delay, perhaps in the range of one minute or so. a random delay, perhaps in the range of one minute or so.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Controller |==================================| Agent | | Controller |==================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
(Instruction: (Request Capabilities),
[(Request Capabilities),
(Request Failure Information), (Request Failure Information),
(Request Logging Information), (Request Logging Information),
(Request Instruction)]) -> (Request Instruction) ->
<- (Capabilities), <- (Capabilities),
(Failure Information), (Failure Information),
(Logging Information), (Logging Information),
(Instruction) (Instruction)
Figure 5: Outline of Capabilities, Failure, and Logging Information
5.3. Operation of Measurement Tasks 5.3. Operation of Measurement Tasks
This LMAP framework is neutral to what the actual Measurement Task This LMAP framework is neutral to what the actual Measurement Task
is. It does not define Metrics and Measurement Methods, these are is. It does not define Metrics and Measurement Methods; these are
defined elsewhere. defined elsewhere.
The MA carries out the Measurement Tasks as instructed, unless it The MA carries out the Measurement Tasks as instructed, unless it
gets an updated Instruction. The MA acts autonomously, in terms of gets an updated Instruction. The MA acts autonomously, in terms of
operation of the Measurement Tasks and reporting of the Results; it operation of the Measurement Tasks and reporting of the Results; it
doesn't do a 'safety check' with the Controller to ask whether it doesn't do a 'safety check' with the Controller to ask whether it
should still continue with the requested Measurement Tasks. should still continue with the requested Measurement Tasks.
The MA may operate Measurement Tasks sequentially or in parallel (see The MA may operate Measurement Tasks sequentially or in parallel (see
Section 5.3.2). Section 5.3.2).
5.3.1. Starting and Stopping Measurement Tasks 5.3.1. Starting and Stopping Measurement Tasks
This LMAP framework does not define a generic start and stop process, This LMAP framework does not define a generic start and stop process,
since the correct approach depends on the particular Measurement since the correct approach depends on the particular Measurement
Task; the details are defined as part of each Measurement Method. Task; the details are defined as part of each Measurement Method.
This section provides some general hints. The MA does not inform the This section provides some general hints. The MA does not inform the
Controller about Measurement Tasks starting and stopping. Controller about Measurement Tasks starting and stopping.
Before beginning a Measurement Task the MA may want to run a pre- Before beginning a Measurement Task, the MA may want to run a
check. (The pre-check could be defined as a separate, preceding Task pre-check. (The pre-check could be defined as a separate, preceding
or as the first part of a larger Task.) Task or as the first part of a larger Task.)
For Measurement Tasks that observe existing traffic, action could For Measurement Tasks that observe existing traffic, action could
include: include:
o checking that there is traffic of interest; o checking that there is traffic of interest.
o checking that the device with the MA has enough resources to o checking that the device with the MA has enough resources to
execute the Measurement Task reliably. Note that the designer of execute the Measurement Task reliably. Note that the designer of
the Measurement System should ensure that the device's the Measurement System should ensure that the device's resources
capabilities are normally sufficient to comfortably operate the are normally sufficient to comfortably operate the Measurement
Measurement Tasks. Tasks.
For Measurement Tasks that generate Measurement Traffic, a pre-check For Measurement Tasks that generate Measurement Traffic, a pre-check
could include: could include:
o the MA checking that there is no cross-traffic. In other words, a o the MA checking that there is no cross-traffic. In other words, a
check that the end-user isn't already sending traffic; check that the end-user isn't already sending traffic.
o the MA checking with the Measurement Peer (or other Measurement o the MA checking with the Measurement Peer (or other Measurement
Agent) involved in the Measurement Task that it can handle a new Agent) involved in the Measurement Task that it can handle a new
Measurement Task. For example, the Measurement Peer may already Measurement Task. For example, the Measurement Peer may already
be handling many Measurement Tasks with other MAs; be handling many Measurement Tasks with other MAs.
o sending traffic that probes the path to check it isn't overloaded; o sending traffic that probes the path to check it isn't overloaded.
o checking that the device with the MA has enough resources to o checking that the device with the MA has enough resources to
execute the Measurement Task reliably. execute the Measurement Task reliably.
It is possible that similar checks continue during the Measurement Similar checks may continue during the Measurement Task, in
Task, especially one that is long-running and/or creates a lot of particular for a Measurement Task that is long-running and/or creates
Measurement Traffic, and might lead to it being abandoned whilst in- a lot of Measurement Traffic. If, for example, the check detects
progress. A Measurement Task could also be abandoned in response to that the end-user has started sending traffic, then the Measurement
a "suppress" message (see Section 5.2.1). Action could include: Task can be abandoned. A Measurement Task could also be abandoned in
response to a "suppress" message (see Section 5.2.2.1). Action could
include:
o For 'upload' tests, the MA not sending traffic o for 'upload' tests, the MA not sending traffic.
o For 'download' tests, the MA closing the TCP connection or sending o for 'download' tests, the MA closing the TCP connection or sending
a TWAMP (Two-Way Active Measurement Protocol) Stop control message a TWAMP (Two-Way Active Measurement Protocol) Stop-Sessions
[RFC5357]. command [RFC5357].
The Controller may want a MA to run the same Measurement Task The Controller may want an MA to run the same Measurement Task
indefinitely (for example, "run the 'upload speed' Measurement Task indefinitely (for example, "run the 'upload speed' Measurement Task
once an hour until further notice"). To avoid the MA generating once an hour until further notice"). To prevent the MA continuously
traffic forever after a Controller has permanently failed (or generating traffic after a Controller has permanently failed (or
communications with the Controller have failed), the MA can be communications with the Controller have failed), the MA can be
configured with a time limit; if the MA doesn't hear from the configured with a time limit; if the MA doesn't hear from the
Controller for this length of time, then it stops operating Controller for this length of time, then it stops operating
Measurement Tasks. Measurement Tasks.
5.3.2. Overlapping Measurement Tasks 5.3.2. Overlapping Measurement Tasks
It is possible that a MA starts a new Measurement Task before another An MA may start a new Measurement Task before another Measurement
Measurement Task has completed. This may be intentional (the way Task has completed. This may be intentional (the way that the
that the Measurement System has designed the Measurement Schedules), Measurement System has designed the Measurement Schedules), but it
but it could also be unintentional - for instance, if a Measurement could also be unintentional -- for instance, if a Measurement Task
Task has a 'wait for X' step which pauses for an unexpectedly long has a 'wait for X' step that pauses for an unexpectedly long time.
time. This document makes no assumptions about the impact of one This document makes no assumptions about the impact of one
Measurement Task on another. Measurement Task on another.
The operator of the Measurement System can handle (or not) The operator of the Measurement System can handle (or not)
overlapping Measurement Tasks in any way they choose - it is a policy overlapping Measurement Tasks in any way they choose -- it is a
or implementation issue and not the concern of LMAP. Some possible policy or implementation issue and not the concern of LMAP. Some
approaches are: to configure the MA not to begin the second possible approaches are: to configure the MA to not begin the second
Measurement Task; to start the second Measurement Task as usual; for Measurement Task; to start the second Measurement Task as usual; for
the action to be an Input Parameter of the Measurement Task; and so the action to be an Input Parameter of the Measurement Task; and so
on. on.
It may be important to include in the Measurement Report the fact It may be important for the Measurement Report to include the fact
that the Measurement Task overlapped with another. that the Measurement Tasks overlapped.
5.4. Report Protocol 5.4. Report Protocol
The primary purpose of the Report Protocol is to allow a Measurement The primary purpose of the Report Protocol is to allow a Measurement
Agent to report its Measurement Results to a Collector, along with Agent to report its Measurement Results to a Collector, along with
the context in which they were obtained. the context in which they were obtained. Figure 6 outlines the
Report process.
+-----------------+ +-------------+ +-----------------+ +-------------+
| | | Measurement | | | | Measurement |
| Collector |==================================| Agent | | Collector |==================================| Agent |
+-----------------+ +-------------+ +-----------------+ +-------------+
<- Report: <- Report:
[MA-ID &/or Group-ID], [MA-ID &/or Group-ID],
[Measurement Result], [Measurement Result],
[details of Measurement Task], [details of Measurement Task],
[Cycle-ID] (Cycle-ID)
ACK -> ACK ->
MA: Measurement Agent
Figure 6: Outline of the Report
The Report contains: The Report contains:
o the MA-ID or a Group-ID (to anonymise results) o the MA-ID or a Group-ID (to anonymise results).
o the actual Measurement Results, including the time they were o the actual Measurement Results, including the time they were
measured. In general the time is simply the MA's best estimate measured. In general, the time is simply the MA's best estimate
and there is no guarantee on the accuracy or granularity of the and there is no guarantee on the accuracy or granularity of the
information. It is possible that some specific analysis of a information. It is possible that some specific analysis of a
particular Measurement Method's Results will impose timing particular Measurement Method's Results will impose timing
requirements. requirements.
o the details of the Measurement Task (to avoid the Collector having o the details of the Measurement Task (to avoid the Collector having
to ask the Controller for this information later). For example, to ask the Controller for this information later), for example,
the interface used for the measurements. the interface used for the measurements.
o the Cycle-ID, if one was included in the Instruction. o the Cycle-ID, if one was included in the Instruction.
o perhaps the Subscriber's service parameters (see Section 5.4.1). o perhaps the Subscriber's service parameters (see Section 5.4.1).
o the measurement point designation of the MA and, if applicable, o the measurement point designation of the MA and, if applicable,
the MP or other MA, if the information was included in the the MP or other MA, if the information was included in the
Instruction. This numbering system is defined in [RFC7398] and Instruction. This numbering system is defined in [RFC7398] and
allows a Measurement Report to describe abstractly the path allows a Measurement Report to describe the path measured
measured (for example, "from a MA at a home gateway to a MA at a abstractly (for example, "from a measurement agent at a home
DSLAM"). Also, the MA can anonymise results by including gateway to a measurement peer at a DSLAM"). Also, the MA can
measurement point designations instead of IP addresses anonymise results by including measurement point designations
(Section 8.6.2). instead of IP addresses (Section 8.6.2).
The MA sends Reports as defined by the Instruction. It is possible The MA sends Reports as defined by the Instruction. The Instruction
that the Instruction tells the MA to report the same Results to more may tell the MA to report the same Results to more than one
than one Collector, or to report a different subset of Results to Collector, or to report a different subset of Results to different
different Collectors. It is also possible that a Measurement Task Collectors. Also, a Measurement Task may create two (or more)
may create two (or more) Measurement Results, which could be reported Measurement Results, which could be reported differently (for
differently (for example, one Result could be reported periodically, example, one Result could be reported periodically, whilst the second
whilst the second Result could be an alarm that is created as soon as Result could be an alarm that is created as soon as the measured
the measured value of the Metric crosses a threshold and that is value of the Metric crosses a threshold and that is reported
reported immediately). immediately).
Optionally, a Report is not sent when there are no Measurement Optionally, a Report is not sent when there are no Measurement
Results. Results.
In the initial LMAP Information Model and Report Protocol, for In the initial LMAP Information Model and Report Protocol, for
simplicity we assume that all Measurement Results are reported as-is, simplicity we assume that all Measurement Results are reported as-is,
but allow extensibility so that a Measurement System (or perhaps a but allow extensibility so that a Measurement System (or perhaps a
second phase of LMAP) could allow a MA to: second phase of LMAP) could allow an MA to:
o label, or perhaps not include, Measurement Results impacted by, o label, or perhaps not include, Measurement Results impacted by,
for instance, cross-traffic or a Measurement Peer (or other for instance, cross-traffic or a Measurement Peer (or other
Measurement Agent) being busy Measurement Agent) being busy.
o label Measurement Results obtained by a Measurement Task that o label Measurement Results obtained by a Measurement Task that
overlapped with another overlapped with another.
o not report the Measurement Results if the MA believes that they o not report the Measurement Results if the MA believes that they
are invalid are invalid.
o detail when Suppression started and ended o detail when Suppression started and ended.
As discussed in Section 6.1, data analysis of the results should As discussed in Section 6.1, data analysis of the Results should
carefully consider potential bias from any Measurement Results that carefully consider potential bias from any Measurement Results that
are not reported, or from Measurement Results that are reported but are not reported, or from Measurement Results that are reported but
may be invalid. may be invalid.
5.4.1. Reporting of Subscriber's service parameters 5.4.1. Reporting of the Subscriber's Service Parameters
The Subscriber's service parameters are information about his/her The Subscriber's service parameters are information about his/her
broadband contract, line rate and so on. Such information is likely broadband contract, line rate and so on. Such information is likely
to be needed to help analyse the Measurement Results, for example to to be needed to help analyse the Measurement Results, for example to
help decide whether the measured download speed is reasonable. help decide whether the measured download speed is reasonable.
The information could be transferred directly from the Subscriber The information could be transferred directly from the Subscriber
parameter database to the data analysis tools. If the subscriber's parameter database to the data analysis tools. If the Subscriber's
service parameters are available to the MAs, they could be reported service parameters are available to the MAs, they could be reported
with the Measurement Results in the Report Protocol. How (and if) with the Measurement Results in the Report Protocol. How (and if)
the MA knows such information is likely to depend on the device type. the MA knows such information is likely to depend on the device type.
The MA could either include the information in a Measurement Report The MA could either include the information in a Measurement Report
or separately. or separately.
5.5. Operation of LMAP over the underlying packet transfer mechanism 5.5. Operation of LMAP over the Underlying Packet Transfer Mechanism
The above sections have described LMAP's protocol model. Other The above sections have described LMAP's protocol model. Other
specifications will define the actual Control and Report Protocols, specifications will define the actual Control and Report Protocols,
possibly operating over an existing protocol, such as REST-style possibly operating over an existing protocol, such as REST-style
HTTP(S). It is also possible that a different choice is made for the [REST] HTTP(S). It is also possible that a different choice is made
Control and Report Protocols, for example NETCONF-YANG [RFC6241] and for the Control and Report Protocols, for example NETCONF-YANG
IPFIX (Internet Protocol Flow Information Export) [RFC7011] [RFC6241] and IPFIX (Internet Protocol Flow Information Export)
respectively. [RFC7011], respectively.
From an LMAP perspective, the Controller needs to know that the MA From an LMAP perspective, the Controller needs to know that the MA
has received the Instruction Message, or at least that it needs to be has received the Instruction Message, or at least that it needs to be
re-sent as it may have failed to be delivered. Similarly the MA re-sent as it may have failed to be delivered. Similarly the MA
needs to know about the delivery of Capabilities and Failure needs to know about the delivery of Capabilities, Failure, and
information to the Controller and Reports to the Collector. How this Logging Information to the Controller and Reports to the Collector.
is done depends on the design of the Control and Report Protocols and How this is done depends on the design of the Control and Report
the underlying packet transfer mechanism. Protocols and the underlying packet transfer mechanism.
For the Control Protocol, the underlying packet transfer mechanism For the Control Protocol, the underlying packet transfer mechanism
could be: could be:
o a 'push' protocol (that is, from the Controller to the MA) o a 'push' protocol (that is, from the Controller to the MA).
o a multicast protocol (from the Controller to a group of MAs) o a multicast protocol (from the Controller to a group of MAs).
o a 'pull' protocol. The MA periodically checks with Controller if o a 'pull' protocol. The MA periodically checks with Controller if
the Instruction has changed and pulls a new Instruction if the Instruction has changed and pulls a new Instruction if
necessary. A pull protocol seems attractive for a MA behind a NAT necessary. A pull protocol seems attractive for an MA behind a
or firewall (as is typical for a MA on an end-user's device), so NAT or firewall (as is typical for an MA on an end-user's device)
that it can initiate the communications. It also seems attractive so that it can initiate the communications. It also seems
for a MA on a mobile device, where the Controller might not know attractive for an MA on a mobile device, where the Controller
how to reach the MA. A pull mechanism is likely to require the MA might not know how to reach the MA. A pull mechanism is likely to
to be configured with how frequently it should check in with the require that the MA be configured with how frequently it should
Controller, and perhaps what it should do if the Controller is check in with the Controller, and perhaps what it should do if the
unreachable after a certain number of attempts. Controller is unreachable after a certain number of attempts.
o a hybrid protocol. In addition to a pull protocol, the Controller o a hybrid protocol. In addition to a pull protocol, the Controller
can also push an alert to the MA that it should immediately pull a can also push an alert to the MA that it should immediately pull a
new Instruction. new Instruction.
For the Report Protocol, the underlying packet transfer mechanism For the Report Protocol, the underlying packet transfer mechanism
could be: could be:
o a 'push' protocol (that is, from the MA to the Collector) o a 'push' protocol (that is, from the MA to the Collector)
o perhaps supplemented by the ability for the Collector to 'pull' o perhaps supplemented by the ability for the Collector to 'pull'
Measurement Results from a MA. Measurement Results from an MA.
5.6. Items beyond the scope of the initial LMAP work 5.6. Items beyond the Scope of the Initial LMAP Work
There are several potential interactions between LMAP elements that There are several potential interactions between LMAP elements that
are beyond the scope of the initial LMAP work: are beyond the scope of the initial LMAP work, which are as follows:
1. It does not define a coordination process between MAs. Whilst a 1. It does not define a coordination process between MAs. Whilst a
Measurement System may define coordinated Measurement Schedules Measurement System may define coordinated Measurement Schedules
across its various MAs, there is no direct coordination between across its various MAs, there is no direct coordination between
MAs. MAs.
2. It does not define interactions between the Collector and 2. It does not define interactions between the Collector and
Controller. It is quite likely that there will be such Controller. It is quite likely that there will be such
interactions, optionally intermediated by the data analysis interactions, optionally intermediated by the data analysis
tools. For example, if there is an "interesting" Measurement tools. For example, if there is an "interesting" Measurement
Result then the Measurement System may want to trigger extra Result, then the Measurement System may want to trigger extra
Measurement Tasks that explore the potential cause in more Measurement Tasks that explore the potential cause in more
detail; or if the Collector unexpectedly does not hear from a MA, detail; or if the Collector unexpectedly does not hear from an
then the Measurement System may want to trigger the Controller to MA, then the Measurement System may want to trigger the
send a fresh Instruction Message to the MA. Controller to send a fresh Instruction Message to the MA.
3. It does not define coordination between different Measurement 3. It does not define coordination between different Measurement
Systems. For example, it does not define the interaction of a MA Systems. For example, it does not define the interaction of an
in one Measurement System with a Controller or Collector in a MA in one Measurement System with a Controller or Collector in a
different Measurement System. Whilst it is likely that the different Measurement System. Whilst it is likely that the
Control and Report Protocols could be re-used or adapted for this Control and Report Protocols could be re-used or adapted for this
scenario, any form of coordination between different scenario, any form of coordination between different
organisations involves difficult commercial and technical issues organisations involves difficult commercial and technical issues
and so, given the novelty of large-scale measurement efforts, any and so, given the novelty of large-scale measurement efforts, any
form of inter-organisation coordination is outside the scope of form of inter-organisation coordination is outside the scope of
the initial LMAP work. Note that a single MA is instructed by a the initial LMAP work. Note that a single MA is instructed by a
single Controller and is only in one Measurement System. single Controller and is only in one Measurement System.
* An interesting scenario is where a home contains two * An interesting scenario is where a home contains two
independent MAs, for example one controlled by a regulator and independent MAs, for example one controlled by a regulator and
one controlled by an ISP. Then the Measurement Traffic of one one controlled by an ISP. Then the Measurement Traffic of one
MA is treated by the other MA just like any other end-user MA is treated by the other MA just like any other end-user
traffic. traffic.
4. It does not consider how to prevent a malicious party "gaming the 4. It does not consider how to prevent a malicious party "gaming the
system". For example, where a regulator is running a Measurement system". For example, where a regulator is running a Measurement
System in order to benchmark operators, a malicious operator System in order to benchmark operators, a malicious operator
could try to identify the broadband lines that the regulator was could try to identify the broadband lines that the regulator was
measuring and prioritise that traffic. It is assumed this is a measuring and prioritise that traffic. It is assumed that this
policy issue and would be dealt with through a code of conduct is a policy issue and would be dealt with through a code of
for instance. conduct for instance.
5. It does not define how to analyse Measurement Results, including 5. It does not define how to analyse Measurement Results, including
how to interpret missing Results. how to interpret missing Results.
6. It does not specifically define a end-user-controlled Measurement 6. It does not specifically define a end-user-controlled Measurement
System, see sub-section 5.6.1. System, see Section 5.6.1.
5.6.1. End-user-controlled measurement system 5.6.1. End-User-Controlled Measurement System
This framework concentrates on the cases where an ISP or a regulator This framework concentrates on the cases where an ISP or a regulator
runs the Measurement System. However, we expect that LMAP runs the Measurement System. However, we expect that LMAP
functionality will also be used in the context of an end-user- functionality will also be used in the context of an end-user-
controlled Measurement System. There are at least two ways this controlled Measurement System. There are at least two ways this
could happen (they have various pros and cons): could happen (they have various pros and cons):
1. an end-user could somehow request the ISP- (or regulator-) run 1. an end-user could somehow request the ISP-run (or regulator-run)
Measurement System to test his/her line. The ISP (or regulator) Measurement System to test his/her line. The ISP (or regulator)
Controller would then send an Instruction to the MA in the usual Controller would then send an Instruction to the MA in the usual
LMAP way. LMAP way.
2. an end-user could deploy their own Measurement System, with their 2. an end-user could deploy their own Measurement System, with their
own MA, Controller and Collector. For example, the user could own MA, Controller, and Collector. For example, the user could
implement all three functions onto the same end-user-owned end implement all three functions onto the same end-user-owned end
device, perhaps by downloading the functions from the ISP or device, perhaps by downloading the functions from the ISP or
regulator. Then the LMAP Control and Report Protocols do not regulator. Then the LMAP Control and Report Protocols do not
need to be used, but using LMAP's Information Model would still need to be used, but using LMAP's Information Model would still
be beneficial. A Measurement Peer (or other MA involved in a be beneficial. A Measurement Peer (or other MA involved in a
Measurement Task) could be in the home gateway or outside the Measurement Task) could be in the home gateway or outside the
home network; in the latter case the Measurement Peer is highly home network; in the latter case, the Measurement Peer is highly
likely to be run by a different organisation, which raises extra likely to be run by a different organisation, which raises extra
privacy considerations. privacy considerations.
In both cases there will be some way for the end-user to initiate the In both cases, there will be some way for the end-user to initiate
Measurement Task(s). The mechanism is outside the scope of the the Measurement Task(s). The mechanism is outside the scope of the
initial LMAP work, but could include the user clicking a button on a initial LMAP work, but could include the user clicking a button on a
GUI or sending a text message. Presumably the user will also be able GUI or sending a text message. Presumably the user will also be able
to see the Measurement Results, perhaps summarised on a webpage. It to see the Measurement Results, perhaps summarised on a webpage. It
is suggested that these interfaces conform to the LMAP guidance on is suggested that these interfaces conform to the LMAP guidance on
privacy in Section 8. privacy in Section 8.
6. Deployment considerations 6. Deployment Considerations
6.1. Controller and the measurement system 6.1. Controller and the Measurement System
The Controller should understand both the MA's LMAP Capabilities (for The Controller should understand both the MA's LMAP Capabilities (for
instance what Metrics and Measurement Methods it can perform) and example, what Metrics and Measurement Methods it can perform) and the
about the MA's other capabilities like processing power and memory. MA's other capabilities like processing power and memory. This
This allows the Controller to make sure that the Measurement Schedule allows the Controller to ensure that the Measurement Schedule of
of Measurement Tasks and the Reporting Schedule are sensible for each Measurement Tasks and the Reporting Schedule are sensible for each MA
MA that it instructs. that it instructs.
An Instruction is likely to include several Measurement Tasks. An Instruction is likely to include several Measurement Tasks.
Typically these run at different times, but it is also possible for Typically these run at different times, but it is also possible for
them to run at the same time. Some Tasks may be compatible, in that them to run at the same time. Some Tasks may be compatible in that
they do not affect each other's Results, whilst with others great they do not affect each other's Results, whilst with others great
care would need to be taken. Some Tasks may be complementary. For care would need to be taken. Some Tasks may be complementary. For
example, one Task may be followed by a traceroute Task to the same example, one Task may be followed by a traceroute Task to the same
destination address, in order to learn the network path that was destination address, in order to learn the network path that was
measured. measured.
The Controller should ensure that the Measurement Tasks do not have The Controller should ensure that the Measurement Tasks do not have
an adverse effect on the end user. Tasks, especially those that an adverse effect on the end user. Tasks, especially those that
generate a substantial amount of Measurement Traffic, will often generate a substantial amount of Measurement Traffic, will often
include a pre-check that the user isn't already sending traffic include a pre-check that the user isn't already sending traffic
(Section 5.3). Another consideration is whether Measurement Traffic (Section 5.3.1). Another consideration is whether Measurement
will impact a Subscriber's bill or traffic cap. Traffic will impact a Subscriber's bill or traffic cap.
A Measurement System may have multiple Controllers (but note the A Measurement System may have multiple Controllers (but note the
overriding principle that a single MA is instructed by a single overriding principle that a single MA be instructed by a single
Controller at any point in time (Section 4.2)). For example, there Controller at any point in time (Section 4.2)). For example, there
could be different Controllers for different types of MA (home could be different Controllers for different types of MA (for
gateways, tablets) or locations (Ipswich, Edinburgh, Paris), for load example, home gateways, tablets) or locations (for example, Ipswich,
balancing or to cope with failure of one Controller. Edinburgh, Paris), for load balancing or to cope with failure of one
Controller.
The measurement system also needs to consider carefully how to The measurement system also needs to consider carefully how to
interpret missing Results. The correct interpretation depends on why interpret missing Results. The correct interpretation depends on why
the Results are missing (perhaps related to measurement suppression the Results are missing (perhaps related to measurement Suppression
or delayed Report submission), and potentially on the specifics of or delayed Report submission) and potentially on the specifics of the
the Measurement Task and Measurement Schedule. For example, the set Measurement Task and Measurement Schedule. For example, an Observed
of packets represented by a Flow may be empty; that is, an Observed Traffic Flow may be empty, but the Measurement Report may still be
Traffic Flow may represent zero or more packets. The Flow would sent according to the Report Schedule.
still be reported according to schedule.
6.2. Measurement Agent 6.2. Measurement Agent
The MA should be cautious about resuming Measurement Tasks if it re- The MA should be cautious about resuming Measurement Tasks if it
boots or has been off-line for some time, as its Instruction may be reboots or has been offline for some time, as its Instruction may be
stale. In the former case it also needs to ensure that its clock has stale. In the former case, it also needs to ensure that its clock
re-set correctly, so that it interprets the Schedule correctly. has reset correctly, so that it interprets the Schedule correctly.
If the MA runs out of storage space for Measurement Results or can't If the MA runs out of storage space for Measurement Results or can't
contact the Controller, then the appropriate action is specific to contact the Controller, then the appropriate action is specific to
the device and Measurement System. the device and Measurement System.
The Measurement Agent could take a number of forms: a dedicated The Measurement Agent could take a number of forms. For example, an
probe, software on a PC, embedded into an appliance, or even embedded MA could be a dedicated probe or software on a PC; it could also be
into a gateway. A single site (home, branch office etc.) that is embedded into an appliance or even embedded into a gateway. A single
participating in a measurement could make use of one or multiple site (for example, home, branch office, etc.) that is participating
Measurement Agents or Measurement Peers in a single measurement. in a measurement could make use of one or multiple Measurement Agents
or Measurement Peers in a single measurement.
The Measurement Agent could be deployed in a variety of locations. The Measurement Agent could be deployed in a variety of locations.
Not all deployment locations are available to every kind of Not all deployment locations are available to every kind of
Measurement Agent. There are also a variety of limitations and Measurement Agent. There are also a variety of limitations and
trade-offs depending on the final placement. The next sections trade-offs depending on the final placement. The next sections
outline some of the locations a Measurement Agent may be deployed. outline some of the locations a Measurement Agent may be deployed.
This is not an exhaustive list and combinations may also apply. This is not an exhaustive list and combinations may also apply.
6.2.1. Measurement Agent on a networked device 6.2.1. Measurement Agent on a Networked Device
A MA may be embedded on a device that is directly connected to the An MA may be embedded on a device that is directly connected to the
network, such as a MA on a smartphone. Other examples include a MA network, such as an MA on a smartphone. Other examples include an MA
downloaded and installed on a subscriber's laptop computer or tablet downloaded and installed on a subscriber's laptop computer or tablet
when the network service is provided on wired or other wireless radio when the network service is provided on wired or other wireless radio
technologies, such as Wi-Fi. technologies, such as Wi-Fi.
6.2.2. Measurement Agent embedded in site gateway 6.2.2. Measurement Agent Embedded in a Site Gateway
A Measurement Agent embedded with the site gateway, for example a One of the better places the Measurement Agent could be deployed is
home router or the edge router of a branch office in a managed embedded within the site gateway (for example, a home router or the
service environment, is one of better places the Measurement Agent edge router of a branch office in a managed service environment).
could be deployed. All site-to-ISP traffic would traverse through All site-to-ISP traffic would traverse through the gateway. So,
the gateway. So, Measurement Methods that measure user traffic could Measurement Methods that measure user traffic could easily be
easily be performed. Similarly, due to this user traffic visibility, performed. Similarly, due to this user traffic visibility, a
a Measurement Method that generates Measurement Traffic could ensure Measurement Method that generates Measurement Traffic could ensure it
it does not compete with user traffic. Generally NAT and firewall does not compete with user traffic. Generally NAT and firewall
services are built into the gateway, allowing the Measurement Agent services are built into the gateway, allowing the Measurement Agent
the option to offer its Controller-facing management interface the option to offer its Controller-facing management interface
outside of the NAT/firewall. This placement of the management outside of the NAT/firewall. This placement of the management
interface allows the Controller to unilaterally contact the interface allows the Controller to unilaterally contact the
Measurement Agent for instructions. However, a Measurement Agent on Measurement Agent with Instructions. However, a Measurement Agent on
a site gateway (whether end-user service-provider owned) will a site gateway (whether end-user or service-provider owned) will
generally not be directly available for over the top providers, the generally not be directly available for over-the-top providers, the
regulator, end users or enterprises. regulator, end users, or enterprises.
6.2.3. Measurement Agent embedded behind site NAT /firewall 6.2.3. Measurement Agent Embedded behind a Site NAT or Firewall
The Measurement Agent could also be embedded behind a NAT, a The Measurement Agent could also be embedded behind a NAT, a
firewall, or both. In this case the Controller may not be able to firewall, or both. In this case, the Controller may not be able to
unilaterally contact the Measurement Agent unless either static port unilaterally contact the Measurement Agent unless either static port
forwarding or firewall pin holing is configured. Configuring port forwarding or firewall pin holing is configured. Configuring port
forwarding could use protocols such as PCP [RFC6887], TR-069 [TR-069] forwarding could use protocols such as the Port Control Protocol
or UPnP [UPnP]. To open a pin hole in the firewall, the Measurement [RFC6887], the CPE WAN Management Protocol [TR-069], or Universal
Agent could send keepalives towards the Controller (and perhaps use Plug and Play [UPnP]. To open a pin hole in the firewall, the
these also as a network reachability test). Measurement Agent could send keepalives towards the Controller (and
perhaps use these also as a network reachability test).
6.2.4. Multi-homed Measurement Agent 6.2.4. Multihomed Measurement Agent
If the device with the Measurement Agent is single homed then there If the device with the Measurement Agent is single homed, then there
is no confusion about what interface to measure. Similarly, if the is no confusion about what interface to measure. Similarly, if the
MA is at the gateway and the gateway only has a single WAN-side and a MA is at the gateway and the gateway only has a single WAN-side and a
single LAN-side interface, there is little confusion - for single LAN-side interface, there is little confusion -- for
Measurement Methods that generate Measurement Traffic, the location Measurement Methods that generate Measurement Traffic, the location
of the other MA or Measurement Peer determines whether the WAN or LAN of the other MA or Measurement Peer determines whether the WAN or LAN
is measured. is measured.
However, the device with the Measurement Agent may be multi-homed. However, the device with the Measurement Agent may be multihomed.
For example, a home or campus may be connected to multiple broadband For example, a home or campus may be connected to multiple broadband
ISPs, such as a wired and wireless broadband provider, perhaps for ISPs, such as a wired and wireless broadband provider, perhaps for
redundancy or load- sharing. It may also be helpful to think of dual redundancy or load sharing. It may also be helpful to think of dual
stack IPv4 and IPv6 broadband devices as multi-homed. More stack IPv4 and IPv6 broadband devices as multihomed. More generally,
generally, Section 3.2 of [RFC7368] describes dual-stack and multi- Section 3.2 of [RFC7368] describes dual-stack and multihoming
homing topologies that might be encountered in a home network, topologies that might be encountered in a home network, [RFC6419]
[RFC6419] provides the current practices of multi-interfaces hosts, provides the current practices of multi-interfaces hosts, and the
and the Multiple Interfaces (mif) working group covers cases where Multiple Interfaces (mif) working group covers cases where hosts are
hosts are either directly attached to multiple networks (physical or either directly attached (for example, physical or virtual) or
virtual) or indirectly (multiple default routers, etc.). In these indirectly (for example, multiple default routers, etc.) to multiple
cases, there needs to be clarity on which network connectivity option networks. In these cases, there needs to be clarity on which network
is being measured. connectivity option is being measured.
One possibility is to have a Measurement Agent per interface. Then One possibility is to have a Measurement Agent per interface. Then
the Controller's choice of MA determines which interface is measured. the Controller's choice of MA determines which interface is measured.
However, if a MA can measure any of the interfaces, then the However, if an MA can measure any of the interfaces, then the
Controller defines in the Instruction which interface the MA should Controller defines in the Instruction which interface the MA should
use for a Measurement Task; if the choice of interface is not defined use for a Measurement Task. If the choice of interface is not
then the MA uses the default one. Explicit definition is preferred defined, then the MA uses the default one. Explicit definition is
if the Measurement System wants to measure the performance of a preferred if the Measurement System wants to measure the performance
particular network, whereas using the default is better if the of a particular network, whereas using the default is better if the
Measurement System wants to include the impact of the MA's interface Measurement System wants to include the impact of the MA's interface
selection algorithm. In any case, the Measurement Result should selection algorithm. In any case, the Measurement Result should
include the network that was measured. include the network that was measured.
6.2.5. Measurement Agent embedded in ISP network 6.2.5. Measurement Agent Embedded in an ISP Network
A MA may be embedded on a device that is part of an ISP's network, An MA may be embedded on a device that is part of an ISP's network,
such as a router or switch. Usually the network devices with an such as a router or switch. Usually the network devices with an
embedded MA will be strategically located, such as a Carrier Grade embedded MA will be strategically located, such as a Carrier-Grade
NAT or ISP Gateway. [RFC7398] gives many examples where a MA might NAT or ISP Gateway. [RFC7398] gives many examples where an MA might
be located within a network to provide an intermediate measurement be located within a network to provide an intermediate measurement
point on the end-to-end path. Other examples include a network point on the end-to-end path. Other examples include a network
device whose primary role is to host MA functions and the necessary device whose primary role is to host MA functions and the necessary
measurement protocol. measurement protocol.
6.3. Measurement Peer 6.3. Measurement Peer
A Measurement Peer participates in some Measurement Methods. It may A Measurement Peer participates in some Measurement Methods. It may
have specific functionality to enable it to participate in a have specific functionality to enable it to participate in a
particular Measurement Method. On the other hand, other Measurement particular Measurement Method. On the other hand, other Measurement
Methods may require no special functionality. For example if the Methods may require no special functionality. For example, if the
Measurement Agent sends a ping to example.com then the server at Measurement Agent sends a ping to example.com, then the server at
example.com plays the role of a Measurement Peer; or if the MA example.com plays the role of a Measurement Peer; or if the MA
monitors existing traffic, then the existing end points are monitors existing traffic, then the existing end points are
Measurement Peers. Measurement Peers.
A device may participate in some Measurement Methods as a Measurement A device may participate in some Measurement Methods as a Measurement
Agent and in others as a Measurement Peer. Agent and in others as a Measurement Peer.
Measurement Schedules should account for limited resources in a Measurement Schedules should account for limited resources in a
Measurement Peer when instructing a MA to execute measurements with a Measurement Peer when instructing an MA to execute measurements with
Measurement Peer. In some measurement protocols, such as [RFC4656] a Measurement Peer. In some measurement protocols, such as [RFC4656]
and [RFC5357], the Measurement Peer can reject a measurement session and [RFC5357], the Measurement Peer can reject a measurement session
or refuse a control connection prior to setting-up a measurement or refuse a control connection prior to setting up a measurement
session and so protect itself from resource exhaustion. This is a session and so protect itself from resource exhaustion. This is a
valuable capability because the MP may be used by more than one valuable capability because the MP may be used by more than one
organisation. organisation.
6.4. Deployment examples 6.4. Deployment Examples
In this section we describe some deployment scenarios that are In this section, we describe some deployment scenarios that are
feasible within the LMAP framework defined in this document. feasible within the LMAP framework defined in this document.
A very simple example of a Measurement Peer (MP) is a web server that A very simple example of a Measurement Peer (MP) is a web server from
the MA is downloading a web page from (such as www.example.com) in which the MA downloads a web page (such as www.example.com) in order
order to perform a speed test. The web server is a MP and from its to perform a speed test. The web server is an MP and from its
perspective, the MA is just another client; the MP doesn't have a perspective the MA is just another client; the MP doesn't have a
specific function for assisting measurements. This is described in specific function for assisting measurements. This is described in
the figure below. Figure 7.
^ ^
+------------------+ Web Traffic +----------------+ non-LMAP +------------------+ web traffic +----------------+ non-LMAP
| Web Client |<------------>| Web Server | Scope | web client |<------------>| web server | Scope
| | +----------------+ | | | +----------------+ |
...|..................|....................................V... ...|..................|....................................V...
|MA:LMAP interface | <MP:> ^ |MA:LMAP interface | <MP> ^
+------------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ V +------------+ +------------+ V
Schematic of LMAP-based Measurement System, MA: Measurement Agent
with Web server as Measurement Peer MP: Measurement Peer
Another case that is slightly different than this would be the one of Figure 7: LMAP deployment example, with Web server as Measurement
a TWAMP-responder. This is also a MP, with a helper function, the Peer
TWAMP server, which is specially deployed to assist the MAs that
perform TWAMP tests. Another example is with a ping server, as
described in Section 2.
A further example is the case of a traceroute like measurement. In Another example of an MP is a TWAMP Server and TWAMP
Session-Reflector. This form of MP is deployed to assist the MAs
that perform TWAMP tests, where the MA is co-located with the TWAMP
Control-Client and Session-Sender. Another example, which was
described in Section 2, has a ping server as the Measurement Peer.
A further example is the case of a traceroute-like measurement. In
this case, for each packet sent, the router where the TTL expires is this case, for each packet sent, the router where the TTL expires is
performing the MP function. So for a given Measurement Task, there performing the MP function. So for a given Measurement Task, there
is one MA involved and several MPs, one per hop. is one MA involved and several MPs, one per hop.
In the figure below we depict the case of an OWAMP (One-Way Active In Figure 8, we depict the case of an OWAMP (One-Way Active
Measurement Protocol) responder acting as an MP. In this case, the Measurement Protocol) Server and Session-Receiver acting as an MP.
helper function in addition reports results back to the MA. So it In this case, the OWAMP Server conveys results back to the OWAMP
has both a data plane and control interface with the MA. Fetch-Client, thus the MP conducts both control-plane and data-plane
communications with its OWAMP counterparts co-located with the MA.
+------------------+ OWAMP +----------------+ ^ +------------------+ OWAMP +-----------------+ ^
| OWAMP |<--control--->| | | | OWAMP |<--control--->| | |
| control-client |-test-traffic>| OWAMP server & | non-LMAP | control-client |-test-traffic>| OWAMP server & | non-LMAP
| fetch-client & |<----fetch----| session-rec'ver| Scope | fetch-client & |<----fetch----| session-receiver| Scope
| session-sender | | | | | session-sender | | | |
| | +----------------+ | | | +-----------------+ |
...|..................|....................................v... ...|..................|.....................................v...
|MA:LMAP interface | <MP:> ^ |MA:LMAP interface | <MP> ^
+------------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ v +------------+ +------------+ v
Schematic of LMAP-based Measurement System, MA: Measurement Agent
with OWAMP server as Measurement Peer MP: Measurement Peer
Figure 8: LMAP deployment example, with OWAMP server as Measurement
Peer
However, it is also possible to use two Measurement Agents when However, it is also possible to use two Measurement Agents when
performing one way Measurement Tasks, as described in the figure performing one-way Measurement Tasks, as described in Figure 9. Both
below. Both MAs are instructed by the Controller: MA-1 to send the MAs are instructed by the Controller: MA-1 to send the traffic and
traffic and MA-2 to measure the received traffic and send Reports to MA-2 to measure the received traffic and send Reports to the
the Collector. Note that the Measurement Task at MA-2 can listen for Collector. Note that the Measurement Task at MA-2 can listen for
traffic from MA-1 and respond multiple times without having to be traffic from MA-1 and respond multiple times without having to be
rescheduled. rescheduled.
+----------------+ +----------------+ ^ +----------------+ +-------------------+ ^
| | | | non-LMAP | | | | non-LMAP
| iperf -u sender|-UDP traffic->| iperf -u recvr | Scope | iperf -u sender|-UDP traffic->| iperf -u receiver | Scope
| | | | v | | | | v
...|................|..............|................|........ ...|................|..............|...................|........
| MA-1: | | MA-2: | ^ | MA-1: | | MA-2: | ^
| LMAP interface | | LMAP interface | | | LMAP interface | | LMAP interface | |
+----------------+ +----------------+ | +----------------+ +-------------------+ |
^ ^ | | ^ ^ | |
Instruction | Instruction{Report} | | Report | Instruction | Instruction{Report} | | Report |
{task, | +-------------------+ | | {Task, | +-------------------+ | |
schedule} | | | | Schedule} | | | |
| | v LMAP | | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ v +------------+ +------------+ v
MA: Measurement Agent
Figure 9: Schematic of LMAP-based Measurement System, with two
Measurement Agents cooperating to measure UDP traffic
Schematic of LMAP-based Measurement System, with two
Measurement Agents cooperating to measure UDP traffic
Next, we consider Measurement Methods that meter the Observed Traffic Next, we consider Measurement Methods that meter the Observed Traffic
Flow. Traffic generated in one point in the network flowing towards Flow. Traffic generated in one point in the network is flowing
a given destination and the traffic is observed in some point along towards a given destination and the traffic is observed in some point
the path. One way to implement this is that the endpoints generating along the path. One way to implement this is that the endpoints
and receiving the traffic are not instructed by the Controller; hence generating and receiving the traffic are not instructed by the
they are MPs. The MA is located along the path with a monitor Controller; hence they are MPs. The MA is located along the path
function that measures the traffic. The MA is instructed by the with a monitor function that measures the traffic. The MA is
Controller to monitor that particular traffic and to send the Report instructed by the Controller to monitor that particular traffic and
to the Collector. It is depicted in the figure below. to send the Report to the Collector. It is depicted in Figure 10.
+--------+ +------------------+ +--------+ ^ +--------+ +------------------+ +--------+ ^
|End user| | Monitor | Observed |End user| | |End user| | monitor | Observed |End user| |
| |<--|------------------|--traffic-->| | non-LMAP | |<--|------------------|--Traffic-->| | non-LMAP
| | | | flow | | Scope | | | | Flow | | Scope
+--------+ | | +--------+ | +--------+ | | +--------+ |
...|..................|............................v.. ............|..................|............................v..
|MA:LMAP interface | <MP:> ^ <MP> |MA:LMAP interface | <MP> ^
+------------------+ | +------------------+ |
^ | | ^ | |
Instruction | | Report | Instruction | | Report |
| +-----------------+ | | +-----------------+ |
| | | | | |
| v LMAP | v LMAP
+------------+ +------------+ Scope +------------+ +------------+ Scope
| Controller | | Collector | | | Controller | | Collector | |
+------------+ +------------+ v +------------+ +------------+ v
Schematic of LMAP-based Measurement System, MA: Measurement Agent
with a Measurement Agent monitoring traffic MP: Measurement Peer
7. Security considerations Figure 10: LMAP deployment example, with a Measurement Agent
monitoring traffic
7. Security Considerations
The security of the LMAP framework should protect the interests of The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who the measurement operator(s), the network user(s), and other actors
could be impacted by a compromised measurement deployment. The who could be impacted by a compromised measurement deployment. The
Measurement System must secure the various components of the system Measurement System must secure the various components of the system
from unauthorised access or corruption. Much of the general advice from unauthorised access or corruption. Much of the general advice
contained in section 6 of [RFC4656] is applicable here. contained in Section 6 of [RFC4656] is applicable here.
The process to upgrade the firmware in an MA is outside the scope of The process to upgrade the firmware in an MA is outside the scope of
the initial LMAP work, just as is the protocol to bootstrap the MAs. the initial LMAP work, just as is the protocol to Bootstrap the MAs.
However, systems which provide remote upgrade must secure authorised However, systems that provide remote upgrades must secure authorised
access and integrity of the process. access and integrity of the process.
We assume that each Measurement Agent (MA) will receive its We assume that each Measurement Agent (MA) will receive its
Instructions from a single organisation, which operates the Instructions from a single organisation, which operates the
Controller. These Instructions must be authenticated (to ensure that Controller. These Instructions must be authenticated (to ensure that
they come from the trusted Controller), checked for integrity (to they come from the trusted Controller), checked for integrity (to
ensure no-one has tampered with them) and not vulnerable to replay ensure no one has tampered with them), and not vulnerable to replay
attacks. If a malicious party can gain control of the MA they can attacks. If a malicious party can gain control of the MA, they can
use it to launch DoS attacks at targets, create a platform for use it to launch denial-of-service (DoS) attacks at targets, create a
pervasive monitoring [RFC7258], reduce the end user's quality of platform for pervasive monitoring [RFC7258], reduce the end-user's
experience and corrupt the Measurement Results that are reported to quality of experience, and corrupt the Measurement Results that are
the Collector. By altering the Measurement Tasks and/or the address reported to the Collector. By altering the Measurement Tasks and/or
that Results are reported to, they can also compromise the the address that Results are reported to, they can also compromise
confidentiality of the network user and the MA environment (such as the confidentiality of the network user and the MA environment (such
information about the location of devices or their traffic). The as information about the location of devices or their traffic). The
Instruction Messages also need to be encrypted to maintain Instruction Messages also need to be encrypted to maintain
confidentiality, as the information might be useful to an attacker. confidentiality, as the information might be useful to an attacker.
Reporting by the MA must be encrypted to maintain confidentiality, so Reporting by the MA must be encrypted to maintain confidentiality, so
that only the authorised Collector can decrypt the results, to that only the authorised Collector can decrypt the results to prevent
prevent the leakage of confidential or private information. the leakage of confidential or private information. Reporting must
Reporting must also be authenticated (to ensure that it comes from a also be authenticated (to ensure that it comes from a trusted MA and
trusted MA and that the MA reports to a genuine Collector) and not that the MA reports to a genuine Collector) and not vulnerable to
vulnerable to tampering (which can be ensured through integrity and tampering (which can be ensured through integrity and replay checks).
replay checks). It must not be possible to fool a MA into injecting It must not be possible to fool an MA into injecting falsified data
falsified data and the results must also be held and processed and the results must also be held and processed securely after
securely after collection and analysis. See section 8.5.2 below for collection and analysis. See Section 8.5.2 for additional
additional considerations on stored data compromise, and section 8.6 considerations on stored data compromise, and Section 8.6 on
on potential mitigations for compromise. potential mitigations for compromise.
Since Collectors will be contacted repeatedly by MAs using the Since Collectors will be contacted repeatedly by MAs using the Report
Collection Protocol to convey their recent results, a successful Protocol to convey their recent results, a successful attack to
attack to exhaust the communication resources would prevent a exhaust the communication resources would prevent a critical
critical operation: reporting. Therefore, all LMAP Collectors should operation: reporting. Therefore, all LMAP Collectors should
implement technical mechanisms to: implement technical mechanisms to:
o limit the number of reporting connections from a single MA o limit the number of reporting connections from a single MA
(simultaneous, and connections per unit time). (simultaneous and established in some time period).
o limit the transmission rate from a single MA. o limit the transmission rate from a single MA.
o limit the memory/storage consumed by a single MA's reports. o limit the memory/storage consumed by a single MA's reports.
o efficiently reject reporting connections from unknown sources. o efficiently reject reporting connections from unknown sources.
o separate resources if multiple authentication strengths are used, o separate resources if multiple authentication strengths are used,
where the resources should be separated according to each class of where the resources should be separated according to each class of
strength. strength.
A corrupted MA could report falsified information to the Collector. A corrupted MA could report falsified information to the Collector.
Whether this can be effectively mitigated depends on the platform on Whether this can be effectively mitigated depends on the platform on
which the MA is deployed, but where the MA is deployed on a customer- which the MA is deployed. However, where the MA is deployed on a
controlled device then the reported data is to some degree inherently customer-controlled device, then the reported data is to some degree
untrustworthy. Further, a sophisticated party could distort some inherently untrustworthy. Further, a sophisticated party could
Measurement Methods, perhaps by dropping or delaying packets for distort some Measurement Methods, perhaps by dropping or delaying
example. This suggests that the network operator should be cautious packets for example. This suggests that the network operator should
about relying on Measurement Results for action such as refunding be cautious about relying on Measurement Results for action such as
fees if a service level agreement is not met. refunding fees if a service level agreement is not met.
As part of the protocol design, it will be decided how LMAP operates As part of the protocol design, it will be decided how LMAP operates
over the underlying protocol (Section 5.5). The choice raises over the underlying protocol (Section 5.5). The choice raises
various security issues, such as how to operate through a NAT and how various security issues, such as how to operate through a NAT and how
to protect the Controller and Collector from denial of service to protect the Controller and Collector from DoS attacks.
attacks.
The security mechanisms described above may not be strictly necessary The security mechanisms described above may not be strictly necessary
if the network's design ensures the LMAP components and their if the network's design ensures the LMAP components and their
communications are already secured, for example potentially if they communications are already secured, for example potentially if they
are all part of an ISP's dedicated management network. are all part of an ISP's dedicated management network.
Finally, there are three other issues related to security: privacy Finally, there are three other issues related to security: privacy
(considered in Section 8 below), availability and 'gaming the (considered in Section 8), availability, and "gaming the system".
system'. While the loss of some MAs may not be considered critical, While the loss of some MAs may not be considered critical, the
the unavailability of the Collector could mean that valuable business unavailability of the Collector could mean that valuable business
data or data critical to a regulatory process is lost. Similarly, data or data critical to a regulatory process is lost. Similarly,
the unavailability of a Controller could mean that the MAs do not the unavailability of a Controller could mean that the MAs do not
operate a correct Measurement Schedule. operate a correct Measurement Schedule.
A malicious party could "game the system". For example, where a A malicious party could "game the system". For example, where a
regulator is running a Measurement System in order to benchmark regulator is running a Measurement System in order to benchmark
operators, an operator could try to identify the broadband lines that operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. Normally, the regulator was measuring and prioritise that traffic. Normally,
this potential issue is handled by a code of conduct. It is outside this potential issue is handled by a code of conduct. It is outside
the scope of the initial LMAP work to consider the issue. the scope of the initial LMAP work to consider the issue.
8. Privacy considerations 8. Privacy Considerations
The LMAP work considers privacy as a core requirement and will ensure The LMAP work considers privacy a core requirement and will ensure
that by default the Control and Report Protocols operate in a that by default the Control and Report Protocols operate in a
privacy-sensitive manner and that privacy features are well-defined. privacy-sensitive manner and that privacy features are well defined.
This section provides a set of privacy considerations for LMAP. This This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the timely publication of [RFC6973]. section benefits greatly from the publication of [RFC6973]. Privacy
Privacy and security (Section 7) are related. In some jurisdictions and security (Section 7) are related. In some jurisdictions, privacy
privacy is called data protection. is called data protection.
We begin with a set of assumptions related to protecting the We begin with a set of assumptions related to protecting the
sensitive information of individuals and organisations participating sensitive information of individuals and organisations participating
in LMAP-orchestrated measurement and data collection. in LMAP-orchestrated measurement and data collection.
8.1. Categories of entities with information of interest 8.1. Categories of Entities with Information of Interest
LMAP protocols need to protect the sensitive information of the LMAP protocols need to protect the sensitive information of the
following entities, including individuals and organisations who following entities, including individuals and organisations who
participate in measurement and collection of results. participate in measurement and collection of results.
o Individual Internet users: Persons who utilise Internet access o Individual Internet users: Persons who utilise Internet access
services for communications tasks, according to the terms of services for communications tasks, according to the terms of
service of a service agreement. Such persons may be a service service of a service agreement. Such persons may be a service
Subscriber, or have been given permission by the Subscriber to use Subscriber, or have been given permission by the Subscriber to use
the service. the service.
o Internet service providers: Organisations who offer Internet o Internet service providers: Organisations that offer Internet
access service subscriptions, and thus have access to sensitive access service subscriptions, and thus have access to sensitive
information of individuals who choose to use the service. These information of individuals who choose to use the service. These
organisations desire to protect their Subscribers and their own organisations desire to protect their Subscribers and their own
sensitive information which may be stored in the process of sensitive information, which may be stored in the process of
performing Measurement Tasks and collecting Results. performing Measurement Tasks and collecting Results.
o Regulators: Public authorities responsible for exercising o Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive desire to protect the participants and their own sensitive
information. information.
o Other LMAP system operators: Organisations who operate Measurement o Other LMAP system operators: Organisations who operate Measurement
Systems or participate in measurements in some way. Systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we discuss Although privacy is a protection extended to individuals, we discuss
data protection by ISPs and other LMAP system operators in this data protection by ISPs and other LMAP system operators in this
section. These organisations have sensitive information involved in section. These organisations have sensitive information involved in
the LMAP system, and many of the same dangers and mitigations are the LMAP system, and many of the same dangers and mitigations are
applicable. Further, the ISPs store information on their Subscribers applicable. Further, the ISPs store information on their Subscribers
beyond that used in the LMAP system (for instance billing beyond that used in the LMAP system (for example, billing
information), and there should be a benefit in considering all the information), and there should be a benefit in considering all the
needs and potential solutions coherently. needs and potential solutions coherently.
8.2. Examples of sensitive information 8.2. Examples of Sensitive Information
This section gives examples of sensitive information which may be This section gives examples of sensitive information that may be
measured or stored in a Measurement System, and which is to be kept measured or stored in a Measurement System, and that is to be kept
private by default in the LMAP core protocols. private by default in the LMAP core protocols.
Examples of Subscriber or authorised Internet user sensitive Examples of Subscriber or authorised Internet user sensitive
information: information:
o Sub-IP layer addresses and names (MAC address, base station ID, o Sub-IP-layer addresses and names (MAC address, base station ID,
SSID) SSID)
o IP address in use o IP address in use
o Personal Identification (real name) o Personal Identification (real name)
o Location (street address, city) o Location (street address, city)
o Subscribed service parameters o Subscribed service parameters
o Contents of traffic (activity, DNS queries, destinations, o Contents of traffic (activity, DNS queries, destinations,
equipment types, account info for other services, etc.) equipment types, account info for other services, etc.)
o Status as a study volunteer and Schedule of Measurement Tasks o Status as a study volunteer and Schedule of Measurement Tasks
Examples of Internet Service Provider sensitive information: Examples of Internet Service Provider sensitive information:
o Measurement device identification (equipment ID and IP address) o Measurement device identification (equipment ID and IP address)
o Measurement Instructions (choice of measurements) o Measurement Instructions (choice of measurements)
skipping to change at page 39, line 40 skipping to change at page 40, line 28
o Network topology (locations, connectivity, redundancy) o Network topology (locations, connectivity, redundancy)
o Subscriber billing information, and any of the above Subscriber o Subscriber billing information, and any of the above Subscriber
information known to the provider. information known to the provider.
o Authentication credentials (such as certificates) o Authentication credentials (such as certificates)
Other organisations will have some combination of the lists above. Other organisations will have some combination of the lists above.
The LMAP system would not typically expose all of the information The LMAP system would not typically expose all of the information
above, but could expose a combination of items which could be above, but could expose a combination of items that could be
correlated with other pieces collected by an attacker (as discussed correlated with other pieces collected by an attacker (as discussed
in the section on Threats below). in Section 8.5 on Threats).
8.3. Different privacy issues raised by different sorts of Measurement 8.3. Different Privacy Issues Raised by Different Sorts of Measurement
Methods Methods
Measurement Methods raise different privacy issues depending on Measurement Methods raise different privacy issues depending on
whether they measure traffic created specifically for that purpose, whether they measure traffic created specifically for that purpose or
or whether they measure user traffic. whether they measure user traffic.
Measurement Tasks conducted on user traffic store sensitive Measurement Tasks conducted on user traffic store sensitive
information, however briefly this storage may be. We note that some information, however briefly this storage may be. We note that some
authorities make a distinction on time of storage, and information authorities make a distinction on time of storage, and information
that is kept only temporarily to perform a communications function is that is kept only temporarily to perform a communications function is
not subject to regulation (for example, active queue management, deep not subject to regulation (for example, active queue management, deep
packet inspection). Such Measurement Tasks could reveal all the packet inspection). Such Measurement Tasks could reveal all the
websites a Subscriber visits and the applications and/or services websites a Subscriber visits and the applications and/or services
they use. This issue is not specific to LMAP. For instance, IPFIX they use. This issue is not specific to LMAP. For instance, IPFIX
has discussed similar issues (see section 11.8 of [RFC7011]), but has discussed similar issues (see Section 11.8 of [RFC7011]), but
mitigations described in the sections below were considered beyond mitigations described in the sections below were considered beyond
their scope. their scope.
Other types of Measurement Task are conducted on traffic which is In contrast to Measurement Tasks conducted on user traffic, other
created specifically for the purpose. Even if a user host generates Measurement Tasks use traffic which is created specifically for the
Measurement Traffic, there is limited sensitive information about the purpose of measurement. Even if a user host generates Measurement
Subscriber present and stored in the Measurement System: Traffic, there is limited sensitive information about the Subscriber
present and stored in the Measurement System:
o IP address in use (and possibly sub-IP addresses and names) o IP address in use (and possibly sub-IP addresses and names)
o Status as a study volunteer and Schedule of Measurement Tasks o Status as a study volunteer and Schedule of Measurement Tasks
On the other hand, for a service provider the sensitive information On the other hand, for a service provider, the sensitive information
like Measurement Results is the same for all Measurement Tasks. like Measurement Results is the same for all Measurement Tasks.
From the Subscriber perspective, both types of Measurement Task From the Subscriber perspective, both types of Measurement Tasks
potentially expose the description of Internet access service and potentially expose the description of Internet access service and
specific service parameters, such as subscribed rate and type of specific service parameters, such as the Subscriber rate and type of
access. access.
8.4. Privacy analysis of the communication models 8.4. Privacy Analysis of the Communication Models
This section examines each of the protocol exchanges described at a This section examines each of the protocol exchanges described at a
high level in Section 5 and some example Measurement Tasks, and high level in Section 5 and some example Measurement Tasks, and it
identifies specific sensitive information which must be secured identifies specific sensitive information that must be secured during
during communication for each case. With the protocol-related communication for each case. With the protocol-related sensitive
sensitive information identified, we can better consider the threats information identified, we can better consider the threats described
described in the following section. in the following section.
From the privacy perspective, all entities participating in LMAP From the privacy perspective, all entities participating in LMAP
protocols can be considered "observers" according to the definition protocols can be considered "observers" according to the definition
in [RFC6973]. Their stored information potentially poses a threat to in [RFC6973]. Their stored information potentially poses a threat to
privacy, especially if one or more of these functional entities has privacy, especially if one or more of these functional entities has
been compromised. Likewise, all devices on the paths used for been compromised. Likewise, all devices on the paths used for
control, reporting, and measurement are also observers. control, reporting, and measurement are also observers.
8.4.1. MA Bootstrapping 8.4.1. MA Bootstrapping
Section 5.1 provides the communication model for the Bootstrapping Section 5.1 provides the communication model for the Bootstrapping
process. process.
Although the specification of mechanisms for Bootstrapping the MA are Although the specification of mechanisms for Bootstrapping the MA are
beyond the initial LMAP work scope, designers should recognize that beyond the scope of the initial LMAP work, designers should recognise
the Bootstrapping process is extremely powerful and could cause an MA that the Bootstrapping process is extremely powerful and could cause
to join a new or different LMAP system with a different Controller an MA to join a new or different LMAP system with a different
and Collector, or simply install new Metrics with associated Controller and Collector, or simply install new Metrics with
Measurement Methods (for example to record DNS queries). A Bootstrap associated Measurement Methods (for example, to record DNS queries).
attack could result in a breach of the LMAP system with significant A Bootstrap attack could result in a breach of the LMAP system with
sensitive information exposure depending on the capabilities of the significant sensitive information exposure depending on the
MA, so sufficient security protections are warranted. capabilities of the MA, so sufficient security protections are
warranted.
The Bootstrapping process provides sensitive information about the The Bootstrapping process provides sensitive information about the
LMAP system and the organisation that operates it, such as LMAP system and the organisation that operates it, such as
o the MA's identifier (MA-ID) o the MA's identifier (MA-ID)
o the address that identifies the Control Channel, such as the o the address that identifies the Control Channel, such as the
Controller's FQDN Controller's FQDN
o Security information for the Control Channel o Security information for the Control Channel
During the Bootstrap process for an MA located at a single During the Bootstrap process for an MA located at a single
subscriber's service demarcation point, the MA receives a MA-ID which Subscriber's service demarcation point, the MA receives an MA-ID,
is a persistent pseudonym for the Subscriber. Thus, the MA-ID is which is a persistent pseudonym for the Subscriber. Thus, the MA-ID
considered sensitive information because it could provide the link is considered sensitive information because it could provide the link
between Subscriber identification and Measurements Results. between Subscriber identification and Measurements Results.
Also, the Bootstrap process could assign a Group-ID to the MA. The Also, the Bootstrap process could assign a Group-ID to the MA. The
specific definition of information represented in a Group-ID is to be specific definition of information represented in a Group-ID is to be
determined, but several examples are envisaged including use as a determined, but several examples are envisaged including use as a
pseudonym for a set of Subscribers, a class of service, an access pseudonym for a set of Subscribers, a class of service, an access
technology, or other important categories. Assignment of a Group-ID technology, or other important categories. Assignment of a Group-ID
enables anonymisation sets to be formed on the basis of service enables anonymisation sets to be formed on the basis of service
type/grade/rates. Thus, the mapping between Group-ID and MA-ID is type/grade/rates. Thus, the mapping between Group-ID and MA-ID is
considered sensitive information. considered sensitive information.
8.4.2. Controller <-> Measurement Agent 8.4.2. Controller <-> Measurement Agent
The high-level communication model for interactions between the LMAP The high-level communication model for interactions between the LMAP
Controller and Measurement Agent is illustrated in Section 5.2. The Controller and Measurement Agent is illustrated in Section 5.2. The
primary purpose of this exchange is to authenticate and task a primary purpose of this exchange is to authenticate and task a
Measurement Agent with Measurement Instructions, which the Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously. Measurement Agent then acts on autonomously.
Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are
with a capability request, then measurement-related information of exchanged with a capability request, then measurement-related
interest such as the parameters, schedule, metrics, and IP addresses information of interest such as the parameters, schedule, metrics,
of measurement devices. Thus, the measurement Instruction contains and IP addresses of measurement devices. Thus, the measurement
sensitive information which must be secured. For example, the fact Instruction contains sensitive information that must be secured. For
that an ISP is running additional measurements beyond the set example, the fact that an ISP is running additional measurements
reported externally is sensitive information, as are the additional beyond the set reported externally is sensitive information, as are
Measurements Tasks themselves. The Measurement Schedule is also the additional Measurements Tasks themselves. The Measurement
sensitive, because an attacker intending to bias the results without Schedule is also sensitive, because an attacker intending to bias the
being detected can use this information to great advantage. results without being detected can use this information to great
advantage.
An organisation operating the Controller having no service An organisation operating the Controller having no service
relationship with a user who hosts the Measurement Agent *could* gain relationship with a user who hosts the Measurement Agent *could* gain
real-name mapping to a public IP address through user participation real-name mapping to a public IP address through user participation
in an LMAP system (this applies to the Measurement Collection in an LMAP system (this applies to the Measurement Collection
protocol, as well). protocol, as well).
8.4.3. Collector <-> Measurement Agent 8.4.3. Collector <-> Measurement Agent
The high-level communication model for interactions between the The high-level communication model for interactions between the
Measurement Agent and Collector is illustrated in Section 5.4. The Measurement Agent and Collector is illustrated in Section 5.4. The
primary purpose of this exchange is to authenticate and collect primary purpose of this exchange is to authenticate and collect
Measurement Results from a MA, which the MA has measured autonomously Measurement Results from an MA, which the MA has measured
and stored. autonomously and stored.
The Measurement Results are the additional sensitive information The Measurement Results are the additional sensitive information
included in the Collector-MA exchange. Organisations collecting LMAP included in the Collector-MA exchange. Organisations collecting LMAP
measurements have the responsibility for data control. Thus, the measurements have responsibility for data control. Thus, the Results
Results and other information communicated in the Collector protocol and other information communicated in the Collector protocol must be
must be secured. secured.
8.4.4. Measurement Peer <-> Measurement Agent 8.4.4. Measurement Peer <-> Measurement Agent
A Measurement Method involving Measurement Traffic raises potential A Measurement Method involving Measurement Traffic raises potential
privacy issues, although the specification of the mechanisms is privacy issues, although the specification of the mechanisms is
beyond the scope of the initial LMAP work. The high-level beyond the scope of the initial LMAP work. The high-level
communications model below illustrates the various exchanges to communications model below illustrates the various exchanges to
execute such a Measurement Method and store the Results. execute such a Measurement Method and store the Results.
We note the potential for additional observers in the figures below We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation. significance to the protocols and direction of initiation.
The various messages are optional, depending on the nature of the The various messages are optional, depending on the nature of the
Measurement Method. It may involve sending Measurement Traffic from Measurement Method. It may involve sending Measurement Traffic from
the Measurement Peer to MA, MA to Measurement Peer, or both. the Measurement Peer to MA, MA to Measurement Peer, or both.
Similarly, a second (or more) MAs may be involved. (Note: For Similarly, a second (or more) MAs may be involved. (Note: For
simplicity, the Figure and description don't show the non-LMAP simplicity, Figure 11 and the description don't show the non-LMAP
functionality that is associated with the transfer of the Measurement functionality that is associated with the transfer of the Measurement
Traffic and is located at the devices with the MA and MP.) Traffic and is located at the devices with the MA and MP.)
_________________ _________________ _________________ _________________
| | | | | | | |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent| |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________| |_________________| |_________________| |_________________|
<- (Key Negotiation & <- (Key Negotiation &
Encryption Setup) Encryption Setup)
(Encrypted Channel -> (Encrypted Channel ->
Established) Established)
(Announce capabilities -> (Announce capabilities ->
& status) & status)
<- (Select capabilities) <- (Select capabilities)
ACK -> ACK ->
<- (Measurement Request <- (Measurement Request
(MA+MP IPAddrs,set of (MA+MP IPAddrs,set of
Metrics, Schedule)) Metrics, Schedule))
ACK -> ACK ->
Measurement Traffic <> Measurement Traffic Measurement Traffic <> Measurement Traffic
(may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted) (may/may not be encrypted)
<- (Stop Measurement Task) <- (Stop Measurement Task)
Measurement Results -> Measurement Results ->
(if applicable) (if applicable)
<- ACK, Close <- ACK, Close
Figure 11: Interactions between Measurement Peer and Measurement
Agent
This exchange primarily exposes the IP addresses of measurement This exchange primarily exposes the IP addresses of measurement
devices and the inference of measurement participation from such devices and the inference of measurement participation from such
traffic. There may be sensitive information on key points in a traffic. There may be sensitive information on key points in a
service provider's network included. There may also be access to service provider's network included. There may also be access to
measurement-related information of interest such as the Metrics, measurement-related information of interest such as the Metrics,
Schedule, and intermediate results carried in the Measurement Traffic Schedule, and intermediate results carried in the Measurement Traffic
(usually a set of timestamps). (usually a set of timestamps).
The Measurement Peer may be able to use traffic analysis (perhaps The Measurement Peer may be able to use traffic analysis (perhaps
combined with traffic injection) to obtain interesting insights about combined with traffic injection) to obtain interesting insights about
the Subscriber. As a simple example, if the Measurement Task the Subscriber. As a simple example, if the Measurement Task
includes a pre-check that the end-user isn't already sending traffic, includes a pre-check that the end user isn't already sending traffic,
the Measurement Peer may be able to deduce when the Subscriber is the Measurement Peer may be able to deduce when the Subscriber is
away on holiday, for example. away on holiday.
If the Measurement Traffic is unencrypted, as found in many systems If the Measurement Traffic is unencrypted, as found in many systems
today, then both timing and limited results are open to on-path today, then both timing and limited results are open to on-path
observers. observers.
8.4.5. Measurement Agent 8.4.5. Measurement Agent
Some Measurement Methods only involve a single Measurement Agent Some Measurement Methods only involve a single Measurement Agent
observing existing traffic. They raise potential privacy issues, observing existing traffic. They raise potential privacy issues,
although the specification of the mechanisms is beyond the scope of although the specification of the mechanisms is beyond the scope of
the initial LMAP work. the initial LMAP work.
The high-level communications model below illustrates the collection The high-level communications model shown in Figure 12 illustrates
of user information of interest with the Measurement Agent performing the collection of user information of interest with the Measurement
the monitoring and storage of the Results. This particular exchange Agent performing the monitoring and storage of the Results. This
is for measurement of DNS Response Time, which most frequently uses particular exchange is for measurement of DNS Response Time, which
UDP transport. (Note: For simplicity, the Figure and description most frequently uses UDP transport. (Note: For simplicity, Figure 12
don't show the non-LMAP functionality that is associated with the and its description do not show the non-LMAP functionality that is
transfer of the Measurement Traffic and is located at the devices associated with the transfer (export) of the observed Measurement
with the MA.) Traffic beyond the measurement devices located with the MA.)
_________________ ____________ _________________ ____________
| | | | | | | |
| DNS Server |=========== NAT ? ==========*=======| User client| | DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________| |_________________| ^ |____________|
______|_______ ______|_______
| | | |
| Measurement | | Measurement |
| Agent | | Agent |
|______________| |______________|
<- Name Resolution Req <- Name Resolution Required
(MA+MP IPAddrs, (MA+MP IPAddrs,
Desired Domain Name) Desired Domain Name)
Return Record -> Return Record ->
MA: Measurement Agent
MP: Measurement Peer
Figure 12: LMAP deployment example, with Measurement Agent monitoring
DNS response time
In this particular example, the MA monitors DNS messages in order to In this particular example, the MA monitors DNS messages in order to
measure that DNS response time. The Measurement Agent may be measure the DNS response time. The Measurement Agent may be embedded
embedded in the user host, or it may be located in another device in the user host, or it may be located in another device capable of
capable of observing user traffic. The MA learns the IP addresses of observing user traffic. The MA learns the IP addresses of
measurement devices and the intent to communicate with or access the measurement devices and the intent to communicate with or access the
services of a particular domain name, and perhaps also information on services of a particular domain name, and perhaps also information on
key points in a service provider's network, such as the address of key points in a service provider's network, such as the address of
one of its DNS servers. one of its DNS servers.
In principle, any of the user sensitive information of interest In principle, any of the user sensitive information of interest
(listed above) can be collected and stored in the monitoring scenario (listed above) can be collected and stored in the monitoring scenario
and so must be secured. and so must be secured.
It would also be possible for a Measurement Agent to source the DNS It would also be possible for a Measurement Agent to source the DNS
query itself. But then there are few privacy concerns. query itself, and then there are not many privacy concerns.
8.4.6. Storage and reporting of Measurement Results 8.4.6. Storage and Reporting of Measurement Results
Although the mechanisms for communicating results (beyond the initial Although the mechanisms for communicating results (beyond the initial
Collector) are beyond the initial LMAP work scope, there are Collector) are beyond the scope of the initial LMAP work, there are
potential privacy issues related to a single organisation's storage potential privacy issues related to a single organisation's storage
and reporting of Measurement Results. Both storage and reporting and reporting of Measurement Results. Both storage and reporting
functions can help to preserve privacy by implementing the functions can help to preserve privacy by implementing the
mitigations described below. mitigations described below.
8.5. Threats 8.5. Threats
This section indicates how each of the threats described in [RFC6973] This section indicates how each of the threats described in [RFC6973]
apply to the LMAP entities and their communication and storage of apply to the LMAP entities and their communication and storage of
"information of interest". Denial of Service (DOS) and other attacks "information of interest". DoS and other attacks described in the
described in the Security section represent threats as well, and Security section represent threats as well, and these attacks are
these attacks are more effective when sensitive information more effective when sensitive information protections have been
protections have been compromised. compromised.
8.5.1. Surveillance 8.5.1. Surveillance
Section 5.1.1 of [RFC6973] describes Surveillance as the "observation Section 5.1.1 of [RFC6973] describes surveillance as the "observation
or monitoring of and individual's communications or activities." or monitoring of an individual's communications or activities."
Hence all Measurement Methods that measure user traffic are a form of Hence, all Measurement Methods that measure user traffic are a form
surveillance, with inherent risks. of surveillance, with inherent risks.
Measurement Methods which avoid periods of user transmission Measurement Methods that avoid periods of user transmission
indirectly produce a record of times when a subscriber or authorised indirectly produce a record of times when a subscriber or authorised
user has used their network access service. user has used their network access service.
Measurement Methods may also utilise and store a Subscriber's Measurement Methods may also utilise and store a Subscriber's
currently assigned IP address when conducting measurements that are currently assigned IP address when conducting measurements that are
relevant to a specific Subscriber. Since the Measurement Results are relevant to a specific Subscriber. Since the Measurement Results are
time-stamped, they could provide a record of IP address assignments timestamped, they could provide a record of IP address assignments
over time. over time.
Either of the above pieces of information could be useful in Either of the above pieces of information could be useful in
correlation and identification, described below. correlation and identification, as described below.
8.5.2. Stored data compromise 8.5.2. Stored Data Compromise
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
resulting from inadequate measures to secure stored data from resulting from inadequate measures to secure stored data from
unauthorised or inappropriate access. For LMAP systems this includes unauthorised or inappropriate access. For LMAP systems, this
deleting or modifying collected measurement records, as well as data includes deleting or modifying collected measurement records, as well
theft. as data theft.
The primary LMAP entity subject to compromise is the repository, The primary LMAP entity subject to compromise is the repository,
which stores the Measurement Results; extensive security and privacy which stores the Measurement Results; extensive security and privacy
threat mitigations are warranted. The Collector and MA also store threat mitigations are warranted. The Collector and MA also store
sensitive information temporarily, and need protection. The sensitive information temporarily and need protection. The
communications between the local storage of the Collector and the communications between the local storage of the Collector and the
repository is beyond the scope of the initial LMAP work, though this repository is beyond the scope of the initial LMAP work, though this
communications channel will certainly need protection as well as the communications channel will certainly need protection as will the
mass storage itself. mass storage itself.
The LMAP Controller may have direct access to storage of Subscriber The LMAP Controller may have direct access to storage of Subscriber
information (location, billing, service parameters, etc.) and other information (for example, location, billing, service parameters,
information which the controlling organisation considers private, and etc.) and other information that the controlling organisation
again needs protection. considers private and again needs protection.
Note that there is tension between the desire to store all raw Note that there is tension between the desire to store all raw
results in the LMAP Collector (for reproducibility and custom results in the LMAP Collector (for reproduction and custom analysis)
analysis), and the need to protect the privacy of measurement and the need to protect the privacy of measurement participants.
participants. Many of the compromise mitigations described in Many of the mitigations described in Section 8.6 are most efficient
section 8.6 below are most efficient when deployed at the MA, when deployed at the MA, therefore minimising the risks associated
therefore minimising the risks with stored results. with stored results.
8.5.3. Correlation and identification 8.5.3. Correlation and Identification
Sections 5.2.1 and 5.2.2 of [RFC6973] describe Correlation as Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as
combining various pieces of information to obtain desired combining various pieces of information to obtain desired
characteristics of an individual, and Identification as using this characteristics of an individual, and identification as using this
combination to infer identity. combination to infer identity.
The main risk is that the LMAP system could unwittingly provide a key The main risk is that the LMAP system could unwittingly provide a key
piece of the correlation chain, starting with an unknown Subscriber's piece of the correlation chain, starting with an unknown Subscriber's
IP address and another piece of information. For example, a IP address and another piece of information. For example, a
Subscriber utilised Internet access from 2000 to 2310 UTC, because Subscriber utilised Internet access from 2000 to 2310 UTC, because
the Measurement Tasks were deferred, or sent a name resolution for the Measurement Tasks were deferred or sent a name resolution for
www.example.com at 2300 UTC. www.example.com at 2300 UTC.
If a user's access with another system already gave away sensitive If a user's access with another system already gave away sensitive
info, correlation is clearly easier and can result in re- information, correlation is clearly easier and can result in
identification, even when an LMAP conserves sensitive information to re-identification, even when an LMAP system conserves sensitive
great extent. information to great extent.
8.5.4. Secondary use and disclosure 8.5.4. Secondary Use and Disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as
unauthorised utilisation of an individual's information for a purpose unauthorised utilisation of an individual's information for a purpose
the individual did not intend, and Disclosure is when such the individual did not intend, and disclosure as when such
information is revealed causing other's notions of the individual to information is revealed causing another's notions of the individual
change, or confidentiality to be violated. to change or confidentiality to be violated.
Measurement Methods that measure user traffic are a form of Secondary
Use, and the Subscribers' permission should be obtained beforehand.
Measurement Methods that measure user traffic are a form of secondary
use, and the Subscribers' permission should be obtained beforehand.
It may be necessary to obtain the measured ISP's permission to It may be necessary to obtain the measured ISP's permission to
conduct measurements, for example when required by the terms and conduct measurements (for example, when required by the terms and
conditions of the service agreement, and notification is considered conditions of the service agreement) and notification is considered
good measurement practice. good measurement practice.
For Measurement Methods that measure Measurement Traffic the For Measurement Methods that measure Measurement Traffic the
Measurement Results provide some limited information about the Measurement Results provide some limited information about the
Subscriber or ISP and could result in Secondary Uses. For example, Subscriber or ISP and could result in secondary uses. For example,
the use of the Results in unauthorised marketing campaigns would the use of the Results in unauthorised marketing campaigns would
qualify as Secondary Use. Secondary use may break national laws and qualify as secondary use. Secondary use may break national laws and
regulations, and may violate individual's expectations or desires. regulations, and may violate an individual's expectations or desires.
8.6. Mitigations 8.6. Mitigations
This section examines the mitigations listed in section 6 of This section examines the mitigations listed in Section 6 of
[RFC6973] and their applicability to LMAP systems. Note that each [RFC6973] and their applicability to LMAP systems. Note that each
section in [RFC6973] identifies the threat categories that each section in [RFC6973] identifies the threat categories that each
technique mitigates. technique mitigates.
8.6.1. Data minimisation 8.6.1. Data Minimisation
Section 6.1 of [RFC6973] encourages collecting and storing the Section 6.1 of [RFC6973] encourages collecting and storing the
minimal information needed to perform a task. minimal information needed to perform a task.
LMAP results can be useful for general reporting about performance LMAP Results can be useful for general reporting about performance
and for specific troubleshooting. They need different levels of and for specific troubleshooting. They need different levels of
information detail, as explained in the paragraphs below. information detail, as explained in the paragraphs below.
For general results, the results can be aggregated into large For general reporting, the results can be aggregated into large
categories (the month of March, all subscribers West of the categories (for example, the month of March, all US subscribers West
Mississippi River). In this case, all individual identifications of the Mississippi River). In this case, all individual
(including IP address of the MA) can be excluded, and only relevant identifications (including IP address of the MA) can be excluded, and
results are provided. However, this implies a filtering process to only relevant results are provided. However, this implies a
reduce the information fields, because greater detail was needed to filtering process to reduce the information fields, because greater
conduct the Measurement Tasks in the first place. detail was needed to conduct the Measurement Tasks in the first
place.
For troubleshooting, so that a network operator or end user can For troubleshooting, so that a network operator or end user can
identify a performance issue or failure, potentially all the network identify a performance issue or failure, potentially all the network
information (IP addresses, equipment IDs, location), Measurement information (for example, IP addresses, equipment IDs, location),
Schedule, service configuration, Measurement Results, and other Measurement Schedules, service configurations, Measurement Results,
information may assist in the process. This includes the information and other information may assist in the process. This includes the
needed to conduct the Measurements Tasks, and represents a need where information needed to conduct the Measurements Tasks, and represents
the maximum relevant information is desirable, therefore the greatest a need where the maximum relevant information is desirable;
protections should be applied. This level of detail is greater than therefore, the greatest protections should be applied. This level of
needed for general performance monitoring. detail is greater than needed for general performance monitoring.
As regards Measurement Methods that measure user traffic, we note As regards Measurement Methods that measure user traffic, we note
that a user may give temporary permission (to enable detailed that a user may give temporary permission (to enable detailed
troubleshooting), but withhold permission for them in general. Here troubleshooting), but withhold permission for them in general. Here
the greatest breadth of sensitive information is potentially exposed, the greatest breadth of sensitive information is potentially exposed,
and the maximum privacy protection must be provided. The Collector and the maximum privacy protection must be provided. The Collector
may perform pre-storage minimisation and other mitigations (below) to may perform pre-storage minimisation and other mitigations
help preserve privacy. (Section 8.6.4) to help preserve privacy.
For MAs with access to the sensitive information of users (e.g., For MAs with access to the sensitive information of users (for
within a home or a personal host/handset), it is desirable for the example, within a home or a personal host/handset), it is desirable
results collection to minimise the data reported, but also to balance for the Results collection to minimise the data reported, but also to
this desire with the needs of troubleshooting when a service balance this desire with the needs of troubleshooting when a service
subscription exists between the user and organisation operating the subscription exists between the user and organisation operating the
measurements. measurements.
8.6.2. Anonymity 8.6.2. Anonymity
Section 6.1.1 of [RFC6973] describes a way in which anonymity is Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in
achieved: "there must exist a set of individuals that appear to have which anonymity is achieved: "there must exist a set of individuals
the same attributes as the individual", defined as an "anonymity that appear to have the same attribute(s) as the individual."
set".
Experimental methods for anonymisation of user identifiable data (and Experimental methods for anonymisation of user-identifiable data (and
so particularly applicable to Measurement Methods that measure user so particularly applicable to Measurement Methods that measure user
traffic) have been identified in [RFC6235]. However, the findings of traffic) have been identified in [RFC6235]. However, the findings of
several of the same authors is that "there is increasing evidence several of the same authors is that "there is increasing evidence
that anonymisation applied to network trace or flow data on its own that anonymization applied to network trace or flow data on its own
is insufficient for many data protection applications as in [Bur10]." is insufficient for many data protection applications as in [Bur10]."
Essentially, the details of such Measurement Methods can only be Essentially, the details of such Measurement Methods can only be
accessed by closed organisations, and unknown injection attacks are accessed by closed organisations, and unknown injection attacks are
always less expensive than the protections from them. However, some always less expensive than the protections from them. However, some
forms of summary may protect the user's sensitive information forms of summary may protect the user's sensitive information
sufficiently well, and so each Metric must be evaluated in the light sufficiently well, and so each Metric must be evaluated in the light
of privacy. of privacy.
The techniques in [RFC6235] could be applied more successfully in The techniques in [RFC6235] could be applied more successfully in
Measurement Methods that generate Measurement Traffic, where there Measurement Methods that generate Measurement Traffic, where there
are protections from injection attack. The successful attack would are protections from injection attack. The successful attack would
require breaking the integrity protection of the LMAP Reporting require breaking the integrity protection of the LMAP Reporting
Protocol and injecting Measurement Results (known fingerprint, see Protocol and injecting Measurement Results (known fingerprint, see
section 3.2 of [RFC6973]) for inclusion with the shared and Section 3.2 of [RFC6973]) for inclusion with the shared and
anonymised results, then fingerprinting those records to ascertain anonymised results, then fingerprinting those records to ascertain
the anonymisation process. the anonymisation process.
Beside anonymisation of measured Results for a specific user or Beside anonymisation of measured Results for a specific user or
provider, the value of sensitive information can be further diluted provider, the value of sensitive information can be further diluted
by summarising the results over many individuals or areas served by by summarising the Results over many individuals or areas served by
the provider. There is an opportunity enabled by forming anonymity the provider. There is an opportunity enabled by forming anonymity
sets [RFC6973] based on the reference path measurement points in sets [RFC6973] based on the reference path measurement points in
[RFC7398]. For example, all measurements from the Subscriber device [RFC7398]. For example, all measurements from a Subscriber device
can be identified as "mp000", instead of using the IP address or can be identified as "mp000", instead of using the IP address or
other device information. The same anonymisation applies to the other device information. The same anonymisation applies to the
Internet Service Provider, where their Internet gateway would be Internet Service Provider, where their Internet gateway would be
referred to as "mp190". referred to as "mp190".
Another anonymisation technique is for the MA to include its Group-ID Another anonymisation technique is for the MA to include its Group-ID
instead of its MA-ID in its Measurement Reports, with several MAs instead of its MA-ID in its Measurement Reports, with several MAs
sharing the same Group-ID. sharing the same Group-ID.
8.6.3. Pseudonymity 8.6.3. Pseudonymity
Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
are a possible mitigation to revealing one's true identity, since are a possible mitigation to revealing one's true identity, since
there is no requirement to use real names in almost all protocols. there is no requirement to use real names in almost all protocols.
A pseudonym for a measurement device's IP address could be an LMAP- A pseudonym for a measurement device's IP address could be an
unique equipment ID. However, this would likely be a permanent LMAP-unique equipment ID. However, this would likely be a permanent
handle for the device, and long-term use weakens a pseudonym's power handle for the device, and long-term use weakens a pseudonym's power
to obscure identity. to obscure identity.
8.6.4. Other mitigations 8.6.4. Other Mitigations
Data can be de-personalised by blurring it, for example by adding Data can be depersonalised by blurring it, for example by adding
synthetic data, data-swapping, or perturbing the values in ways that synthetic data, data-swapping, or perturbing the values in ways that
can be reversed or corrected. can be reversed or corrected.
Sections 6.2 and 6.3 of [RFC6973] describe User Participation and Sections 6.2 and 6.3 of [RFC6973] describe user participation and
Security, respectively. security, respectively.
Where LMAP measurements involve devices on the Subscriber's premises Where LMAP measurements involve devices on the subscriber's premises
or Subscriber-owned equipment, it is essential to secure the or Subscriber-owned equipment, it is essential to secure the
Subscriber's permission with regard to the specific information that Subscriber's permission with regard to the specific information that
will be collected. The informed consent of the Subscriber (and, if will be collected. The informed consent of the Subscriber (and, if
different, the end user) may be needed, including the specific different, the end user) may be needed, including the specific
purpose of the measurements. The approval process could involve purpose of the measurements. The approval process could involve
showing the Subscriber their measured information and results before showing the Subscriber their measured information and results before
instituting periodic collection, or before all instances of instituting periodic collection, or before all instances of
collection, with the option to cancel collection temporarily or collection, with the option to cancel collection temporarily or
permanently. permanently.
It should also be clear who is legally responsible for data It should also be clear who is legally responsible for data
protection (privacy); in some jurisdictions this role is called the protection (privacy); in some jurisdictions, this role is called the
'data controller'. It is always good practice to limit the time of 'data controller'. It is always good practice to limit the time that
personal information storage. personal information is stored.
Although the details of verification would be impenetrable to most Although the details of verification would be impenetrable to most
subscribers, the MA could be architected as an "app" with open subscribers, the MA could be architected as an "app" with open source
source-code, pre-download and embedded terms of use and agreement on code, pre-download and embedded terms of use and agreement on
measurements, and protection from code modifications usually provided measurements, and protection from code modifications usually provided
by the app-stores. Further, the app itself could provide data by the app stores. Further, the app itself could provide data
reduction and temporary storage mitigations as appropriate and reduction and temporary storage mitigations as appropriate and
certified through code review. certified through code review.
LMAP protocols, devices, and the information they store clearly need LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorised access. This is the hand-off between to be secure from unauthorised access. This is the hand-off between
privacy and security considerations (Section 7). The Data Controller privacy and security considerations (Section 7). The data controller
has the (legal) responsibility to maintain data protections described is responsible (legally) for maintaining data protections described
in the Subscriber's agreement and agreements with other in the Subscriber's agreement and agreements with other
organisations. organisations.
Finally, it is recommended that each entity in section 8.1, Finally, it is recommended that each entity described in Section 8.1,
(individuals, ISPs, Regulators, others) assess the risks of LMAP data (for example, individuals, ISPs, regulators, others) assess the risks
collection by conducting audits of their data protection methods. of LMAP data collection by conducting audits of their data protection
methods.
9. IANA considerations
There are no IANA considerations in this memo.
10. Acknowledgments
This document originated as a merger of three individual drafts:
draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00,
and draft-eardley-lmap-framework-02.
Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. Thanks to Charles Cook for a very detailed review of
-02. Thanks to Barbara Stark and Ken Ko for many helpful comments
about later versions.
Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen,
Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay,
Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner,
Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael
Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter,
Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey,
Vaibhav Bajpai, Vero Zheng, William Lupton.
Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
the Leone research project, which receives funding from the European
Union Seventh Framework Programme [FP7/2007-2013] under grant
agreement number 317647.
11. History
First WG version, copy of draft-folks-lmap-framework-00.
11.1. From -00 to -01
o new sub-section of possible use of Group-IDs for privacy
o tweak to definition of Control protocol
o fix typo in figure in S5.4
11.2. From -01 to -02
o change to INFORMATIONAL track (previous version had typo'd
Standards track)
o new definitions for Capabilities Information and Failure
Information
o clarify that diagrams show LMAP-level information flows.
Underlying protocol could do other interactions, eg to get through
NAT or for Collector to pull a Report
o add hint that after a re-boot should pause random time before re-
register (to avoid mass calling event)
o delete the open issue "what happens if a Controller fails" (normal
methods can handle)
o add some extra words about multiple Tasks in one Schedule
o clarify that new Schedule replaces (rather than adds to) and old
one. Similarly for new configuration of Measurement Tasks or
Report Channels.
o clarify suppression is temporary stop; send a new Schedule to
permanently stop Tasks
o alter suppression so it is ACKed
o add un-suppress message
o expand the text on error reporting, to mention Reporting failures
(as well as failures to action or execute Measurement Task &
Schedule)
o add some text about how to have Tasks running indefinitely
o add that optionally a Report is not sent when there are no
Measurement Results
o add that a Measurement Task may create more than one Measurement
Result
o clarify /amend /expand that Reports include the "raw" Measurement
Results - any pre-processing is left for lmap2.0
o add some cautionary words about what if the Collector unexpectedly
doesn't hear from a MA
o add some extra words about the potential impact of Measurement
Tasks
o clarified various aspects of the privacy section
o updated references
o minor tweaks
11.3. From -02 to -03
o alignment with the Information Model [burbridge-lmap-information-
model] as this is agreed as a WG document
o One-off and periodic Measurement Schedules are kept separate, so
that they can be updated independently
o Measurement Suppression in a separate sub-section. Can now
optionally include particular Measurement Tasks &/or Schedules to
suppress, and start/stop time
o for clarity, concept of Channel split into Control, Report and MA-
to-Controller Channels
o numerous editorial changes, mainly arising from a very detailed
review by Charles Cook
o
11.4. From -03 to -04
o updates following the WG Last Call, with the proposed consensus on
the various issues as detailed in
http://tools.ietf.org/agenda/89/slides/slides-89-lmap-2.pdf. In
particular:
o tweaked definitions, especially of Measurement Agent and
Measurement Peer
o Instruction - left to each implementation & deployment of LMAP to
decide on the granularity at which an Instruction Message works
o words added about overlapping Measurement Tasks (Measurement
System can handle any way they choose; Report should mention if
the Task overlapped with another)
o Suppression: no defined impact on Passive Measurement Task; extra
option to suppress on-going Active Measurement Tasks; suppression
doesn't go to Measurement Peer, since they don't understand
Instructions
o new concept of Data Transfer Task (and therefore adjustment of the
Channel concept)
o enhancement of Results with Subscriber's service parameters -
could be useful, don't define how but can be included in Report to
various other sections
o various other smaller improvements, arising from the WGLC
o Appendix added with examples of Measurement Agents and Peers in
various deployment scenarios. To help clarify what these terms
mean.
11.5. From -04 to -05
o clarified various scoping comments by using the phrase "scope of
initial LMAP work" (avoiding "scope of LMAP WG" since this may
change in the future)
o added a Configuration Protocol - allows the Controller to update
the MA about information that it obtained during the bootstrapping
process (for consistency with Information Model)
o Removed over-detailed information about the relationship between
the different items in Instruction, as this seems more appropriate
for the information model. Clarified that the lists given are
about the aims and not a list of information elements (these will
be defined in draft-ietf-information-model).
o the Measurement Method, specified as a URI to a registry entry -
rather than a URN
o MA configured with time limit after which, if it hasn't heard from
Controller, then it stops running Measurement Tasks (rather than
this being part of a Schedule)
o clarified there is no distinction between how capabilities,
failure and logging information are transferred (all can be when
requested by Controller or by MA on its own initiative).
o removed mention of Data Transfer Tasks. This abstraction is left
to the information model i-d
o added Deployment sub-section about Measurement Agent embedded in
ISP Network
o various other smaller improvements, arising from the 2nd WGLC
11.6. From -05 to -06
o clarified terminlogy around Measurement Methods and Tasks. Since
within a Method there may be several different roles (requester
and responder, for instance)
o Suppression: there is now the concept of a flag (boolean) which
indicates whether a Task is by default gets suppressed or not.
The optional suppression message (with list of specific tasks
/schedules to suppress) over-rides this flag.
o The previous bullet also means there is no need to make a
distinction between active and passive Measurement Tasks, so this
distinction is removed.
o removed Configuration Protocol - Configuration is part of the
Instruction and so uses the Control Protocol.
11.7. From -06 to -07
o Clarifications and nits
11.8. From -07 to -08
o Clarifications resulting from WG 3rd LC, as discussed in
https://tools.ietf.org/agenda/90/slides/slides-90-lmap-0.pdf, plus
comments made in the IETF-90 meeting.
o added mention of "measurement point designations" in Measurement
Task configuration and Report Protocol.
11.9. From -08 to -09
o Clarifications and changes from the AD review (Benoit Claise) and
security directorate review (Radia Perlman).
11.10. From -09 to -10
o More changes from the AD review (Benoit Claise).
11.11. From -10 to -11
o More changes from the AD review (Benoit Claise).
11.12. From -11 to -12
o Fixing nits from IETF Last call and authors.
11.13. From -12 to -13
o IESG changes.
11.14. From -13 to -14
o Fixing Figure 1.
12. Informative References 9. Informative References
[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, [Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
"The Role of Network Trace anonymisation Under Attack", "The Role of Network Trace anonymisation Under Attack",
January 2010. January 2010.
[TR-069] TR-069, , "CPE WAN Management Protocol", [IPPM-REG] Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A.
http://www.broadband-forum.org/technical/trlist.php, Akhter, "Registry for Performance Metrics", Work in
November 2013. Progress, draft-ietf-ippm-metric-registry-04, July 2015.
[UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP [LMAP-INFO]
Device Control Protocols specifications", Burbridge, T., Eardley, P., Bagnulo, M., and J.
http://upnp.org/sdcps-and-certification/standards/, 2011. Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", Work in Progress,
draft-ietf-lmap-information-model-06, July 2015.
[REST] Wikipedia, "Representational state transfer", July 2015,
<https://en.wikipedia.org/w/index.php?
title=Representational_state_transfer&oldid=673799183>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444,
DOI 10.17487/RFC3444, January 2003,
<http://www.rfc-editor.org/info/rfc3444>.
[RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
June 2005. DOI 10.17487/RFC4101, June 2005,
<http://www.rfc-editor.org/info/rfc4101>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, July Unique IDentifier (UUID) URN Namespace", RFC 4122,
2005. DOI 10.17487/RFC4122, July 2005,
<http://www.rfc-editor.org/info/rfc4122>.
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
Bierman, "Network Configuration Protocol (NETCONF)", RFC
6241, June 2011.
[RFC7011] Claise, B., Trammell, B., and P. Aitken, "Specification of
the IP Flow Information Export (IPFIX) Protocol for the
Exchange of Flow Information", STD 77, RFC 7011, September
2013.
[RFC7368] Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil, [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
"IPv6 Home Networking Architecture Principles", RFC 7368, Zekauskas, "A One-way Active Measurement Protocol
October 2014. (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
<http://www.rfc-editor.org/info/rfc4656>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Attack", BCP 188, RFC 7258, May 2014. Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, DOI 10.17487/RFC5357, October 2008,
<http://www.rfc-editor.org/info/rfc5357>.
[I-D.ietf-lmap-use-cases] [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
"Large-Scale Broadband Measurement Use Cases", draft-ietf- <http://www.rfc-editor.org/info/rfc6235>.
lmap-use-cases-06 (work in progress), February 2015.
[I-D.ietf-ippm-metric-registry] [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A. and A. Bierman, Ed., "Network Configuration Protocol
Akhter, "Registry for Performance Metrics", draft-ietf- (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
ippm-metric-registry-02 (work in progress), February 2015. <http://www.rfc-editor.org/info/rfc6241>.
[RFC6419] Wasserman, M. and P. Seite, "Current Practices for [RFC6419] Wasserman, M. and P. Seite, "Current Practices for
Multiple-Interface Hosts", RFC 6419, November 2011. Multiple-Interface Hosts", RFC 6419, DOI 10.17487/RFC6419,
November 2011, <http://www.rfc-editor.org/info/rfc6419>.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
[I-D.ietf-lmap-information-model]
Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", draft-ietf-lmap-
information-model-05 (work in progress), April 2015.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
Support", RFC 6235, May 2011. P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
DOI 10.17487/RFC6887, April 2013,
<http://www.rfc-editor.org/info/rfc6887>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July Considerations for Internet Protocols", RFC 6973,
2013. DOI 10.17487/RFC6973, July 2013,
<http://www.rfc-editor.org/info/rfc6973>.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
Zekauskas, "A One-way Active Measurement Protocol "Specification of the IP Flow Information Export (IPFIX)
(OWAMP)", RFC 4656, September 2006. Protocol for the Exchange of Flow Information", STD 77,
RFC 7011, DOI 10.17487/RFC7011, September 2013,
<http://www.rfc-editor.org/info/rfc7011>.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258,
RFC 5357, October 2008. May 2014, <http://www.rfc-editor.org/info/rfc7258>.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
Information Models and Data Models", RFC 3444, January Weil, "IPv6 Home Networking Architecture Principles",
2003. RFC 7368, DOI 10.17487/RFC7368, October 2014,
<http://www.rfc-editor.org/info/rfc7368>.
[RFC7398] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and [RFC7398] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
A. Morton, "A Reference Path and Measurement Points for A. Morton, "A Reference Path and Measurement Points for
Large-Scale Measurement of Broadband Performance", RFC Large-Scale Measurement of Broadband Performance",
7398, February 2015. RFC 7398, DOI 10.17487/RFC7398, February 2015,
<http://www.rfc-editor.org/info/rfc7398>.
[RFC7536] Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
"Large-Scale Broadband Measurement Use Cases", RFC 7536,
DOI 10.17487/RFC7536, May 2015,
<http://www.rfc-editor.org/info/rfc7536>.
[TR-069] The Broadband Forum, "CPE WAN Management Protocol", TR-069
Amendment 5, November 2013,
<https://www.broadband-forum.org/technical/download/
TR-069_Amendment-5.pdf>.
[UPnP] UPnP Forum, "UPnP Device Architecture 2.0", February 2015,
<http://www.iso.org/iso/home/store/catalogue_ics/
catalogue_detail_ics.htm?csnumber=57195>.
Acknowledgments
This document originated as a merger of three individual drafts:
"Terminology for Large MeAsurement Platforms (LMAP)" (July 2013), "A
Framework and Inventory for a Large Scale Measurement System" (July
2013), and "A framework for large-scale measurements" (July 2013).
Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. Thanks to Charles Cook for a very detailed review of an
early draft of this document. Thanks to Barbara Stark and Ken Ko for
many helpful comments about later draft versions.
Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen,
Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay,
Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner,
Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael
Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter,
Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey,
Vaibhav Bajpai, Vero Zheng, and William Lupton.
Philip Eardley, Trevor Burbridge and Marcelo Bagnulo worked in part
on the Leone research project, which received funding from the
European Union Seventh Framework Programme under grant agreement
number 317647.
Authors' Addresses Authors' Addresses
Philip Eardley Philip Eardley
BT BT
Adastral Park, Martlesham Heath Adastral Park, Martlesham Heath
Ipswich Ipswich
ENGLAND England
Email: philip.eardley@bt.com Email: philip.eardley@bt.com
Al Morton Al Morton
AT&T Labs AT&T Labs
200 Laurel Avenue South 200 Laurel Avenue South
Middletown, NJ Middletown, NJ
USA United States
Email: acmorton@att.com Email: acmorton@att.com
Marcelo Bagnulo Marcelo Bagnulo
Universidad Carlos III de Madrid Universidad Carlos III de Madrid
Av. Universidad 30 Av. Universidad 30
Leganes, Madrid 28911 Leganes, Madrid 28911
SPAIN Spain
Phone: 34 91 6249500 Phone: 34 91 6249500
Email: marcelo@it.uc3m.es Email: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es URI: http://www.it.uc3m.es
Trevor Burbridge Trevor Burbridge
BT BT
Adastral Park, Martlesham Heath Adastral Park, Martlesham Heath
Ipswich Ipswich
ENGLAND England
Email: trevor.burbridge@bt.com Email: trevor.burbridge@bt.com
Paul Aitken Paul Aitken
Brocade Brocade Communications Systems, Inc.
Edinburgh, Scotland 19a Canning Street, Level 3
UK Edinburgh, Scotland EH3 8EG
United Kingdom
Email: paitken@brocade.com Email: paitken@brocade.com
Aamer Akhter Aamer Akhter
Consultant Consultant
118 Timber Hitch 118 Timber Hitch
Cary, NC Cary, NC
USA United States
Email: aakhter@gmail.com Email: aakhter@gmail.com
 End of changes. 379 change blocks. 
1179 lines changed or deleted 1012 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/