Network Working Group P. Eardley
Internet-Draft BT
Intended status: Informational A. Morton
Expires: November 14, 2014 AT&T Labs
M. Bagnulo
UC3M
T. Burbridge
BT
P. Aitken
A. Akhter
Cisco Systems
May 13, 2014
A framework for large-scale measurement platforms (LMAP)
draft-ietf-lmap-framework-05
Abstract
Measuring broadband service on a large scale requires a description
of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document
presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (large-scale measurement platforms).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 14, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Eardley, et al. Expires November 14, 2014 [Page 1]
Internet-Draft LMAP Framework May 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Outline of an LMAP-based measurement system . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Constraints . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1. Measurement system is under the direction of a single
organisation . . . . . . . . . . . . . . . . . . . . . . 12
4.2. Each MA may only have a single Controller at any point in
time . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5. LMAP Protocol Model . . . . . . . . . . . . . . . . . . . . . 12
5.1. Bootstrapping process . . . . . . . . . . . . . . . . . . 13
5.2. Configuration Protocol . . . . . . . . . . . . . . . . . 14
5.3. Control Protocol . . . . . . . . . . . . . . . . . . . . 15
5.3.1. Instruction . . . . . . . . . . . . . . . . . . . . . 15
5.3.2. Capabilities and Failure information . . . . . . . . 18
5.4. Operation of Measurement Tasks . . . . . . . . . . . . . 20
5.4.1. Starting and Stopping Measurement Tasks . . . . . . . 20
5.4.2. Overlapping Measurement Tasks . . . . . . . . . . . . 21
5.5. Report Protocol . . . . . . . . . . . . . . . . . . . . . 21
5.5.1. Reporting of Subscriber's service parameters . . . . 22
5.6. Operation of LMAP over the underlying packet transfer
mechanism . . . . . . . . . . . . . . . . . . . . . . . . 23
5.7. Items beyond the scope of the initial LMAP work . . . . . 24
5.7.1. End-user-controlled measurement system . . . . . . . 25
6. Deployment considerations . . . . . . . . . . . . . . . . . . 25
6.1. Controller and the measurement system . . . . . . . . . . 26
6.2. Measurement Agent . . . . . . . . . . . . . . . . . . . . 27
6.2.1. Measurement Agent on a networked device . . . . . . . 27
6.2.2. Measurement Agent embedded in site gateway . . . . . 27
6.2.3. Measurement Agent embedded behind site NAT /Firewall 27
6.2.4. Multi-homed Measurement Agent . . . . . . . . . . . . 28
6.2.5. Measurement Agent embedded in ISP Network . . . . . . 28
6.3. Measurement Peer . . . . . . . . . . . . . . . . . . . . 29
7. Security considerations . . . . . . . . . . . . . . . . . . . 29
8. Privacy Considerations for LMAP . . . . . . . . . . . . . . . 31
8.1. Categories of Entities with Information of Interest . . . 31
8.2. Examples of Sensitive Information . . . . . . . . . . . . 32
Eardley, et al. Expires November 14, 2014 [Page 2]
Internet-Draft LMAP Framework May 2014
8.3. Key Distinction Between Active and Passive Measurement
Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . 33
8.4. Privacy analysis of the Communications Models . . . . . . 34
8.4.1. MA Bootstrapping . . . . . . . . . . . . . . . . . . 34
8.4.2. Controller <-> Measurement Agent . . . . . . . . . . 35
8.4.3. Collector <-> Measurement Agent . . . . . . . . . . . 36
8.4.4. Measurement Peer <-> Measurement Agent . . . . . . . 36
8.4.5. Passive Measurement Agent . . . . . . . . . . . . . . 37
8.4.6. Storage and Reporting of Measurement Results . . . . 38
8.5. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 38
8.5.1. Surveillance . . . . . . . . . . . . . . . . . . . . 39
8.5.2. Stored Data Compromise . . . . . . . . . . . . . . . 39
8.5.3. Correlation and Identification . . . . . . . . . . . 40
8.5.4. Secondary Use and Disclosure . . . . . . . . . . . . 40
8.6. Mitigations . . . . . . . . . . . . . . . . . . . . . . . 40
8.6.1. Data Minimisation . . . . . . . . . . . . . . . . . . 41
8.6.2. Anonymity . . . . . . . . . . . . . . . . . . . . . . 42
8.6.3. Pseudonymity . . . . . . . . . . . . . . . . . . . . 42
8.6.4. Other Mitigations . . . . . . . . . . . . . . . . . . 43
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
10. Appendix: Deployment examples . . . . . . . . . . . . . . . . 44
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 47
12. History . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
12.1. From -00 to -01 . . . . . . . . . . . . . . . . . . . . 48
12.2. From -01 to -02 . . . . . . . . . . . . . . . . . . . . 48
12.3. From -02 to -03 . . . . . . . . . . . . . . . . . . . . 49
12.4. From -03 to -04 . . . . . . . . . . . . . . . . . . . . 50
12.5. From -04 to -05 . . . . . . . . . . . . . . . . . . . . 50
13. Informative References . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction
There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large
scale set of diverse devices. These devices could be software based
agents on PCs, embedded agents in consumer devices (e.g. blu-ray
players), service provider controlled devices such as set-top players
and home gateways, or simply dedicated probes. It is expected that
such a system could easily comprise 100,000 devices. Measurement
devices may also be embedded on a device that is part of an ISP's
network, such as a DSLAM, router, Carrier Grade NAT or ISP Gateway.
Such a scale presents unique problems in coordination, execution and
measurement result collection. Several use cases have been proposed
for large-scale measurements including:
o Operators: to help plan their network and identify faults
Eardley, et al. Expires November 14, 2014 [Page 3]
Internet-Draft LMAP Framework May 2014
o Regulators: to benchmark several network operators and support
public policy development
Further details of the use cases can be found in
[I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for
these, as well as other use cases, such as to help end users run
diagnostic checks like a network speed test.
The LMAP Framework has three basic elements: Measurement Agents,
Controllers and Collectors.
Measurement Agents (MAs) initiate the actual measurements, which are
called Measurement Tasks in the LMAP terminology. In principle,
there are no restrictions on the type of device in which the MA
function resides.
The Controller instructs one or more MAs and communicates the set of
Measurement Tasks an MA should perform and when. For example it may
instruct a MA at a home gateway: "Measure the 'UDP latency' with
www.example.org; repeat every hour at xx.05". The Controller also
manages a MA by instructing it how to report the Measurement Results,
for example: "Report results once a day in a batch at 4am". We refer
to these as the Measurement Schedule and Report Schedule.
The Collector accepts Reports from the MAs with the Results from
their Measurement Tasks. Therefore the MA is a device that gets
Instructions from the Controller, initiates the Measurement Tasks,
and reports to the Collector. The communications between these three
LMAP functions are structured according to a Control Protocol and a
Report Protocol.
The desirable features for a large-scale measurement systems we are
designing for are:
o Standardised - in terms of the Measurement Tasks that they
perform, the components, the data models and protocols for
transferring information between the components. Amongst other
things, standardisation enables meaningful comparisons of
measurements made of the same metric at different times and
places, and provides the operator of a measurement system with a
criteria for evaluation of the different solutions that can be
used for various purposes including buying decisions (such as
buying the various components from different vendors). Today's
systems are proprietary in some or all of these aspects.
o Large-scale - [I-D.ietf-lmap-use-cases] envisages Measurement
Agents in every home gateway and edge device such as set-top-boxes
and tablet computers, and located throughout the Internet as well
Eardley, et al. Expires November 14, 2014 [Page 4]
Internet-Draft LMAP Framework May 2014
[I-D.ietf-ippm-lmap-path]. It is expected that a measurement
system could easily encompass a few hundred thousand or even
millions of Measurement Agents. Existing systems have up to a few
thousand MAs (without judging how much further they could scale).
o Diversity - a measurement system should handle different types of
Measurement Agents - for example Measurement Agents may come from
different vendors, be in wired and wireless networks, have
different Measurement Task capabilities and be on devices with
IPv4 or IPv6 addresses.
2. Outline of an LMAP-based measurement system
Figure 1 shows the main components of a measurement system, and the
interactions of those components. Some of the components are outside
the scope of initial LMAP work. In this section we provide an
overview of the whole measurement system and we introduce the main
terms needed for the LMAP framework. The new terms are capitalised.
In the next section we provide a terminology section with a
compilation of all the LMAP terms and their definition. Section 4
onwards considers the LMAP components in more detail.
Other LMAP specifications will define an information model, the
associated data models, and select/extend one or more protocols for
the secure communication: firstly, a Control Protocol, from a
Controller to instruct Measurement Agents what performance metrics to
measure, when to measure them, how/when to report the measurement
results to a Collector; secondly, a Report Protocol, for a
Measurement Agent to report the results to the Collector.
The MA performs Measurement Tasks. The MAs are pieces of code that
can be executed in specialised hardware (hardware probe) or on a
general-purpose device (like a PC or mobile phone). A device with a
Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL,
fibre; and non-physical interfaces such as PPPoE or IPsec) and the
Measurement Tasks may specify any one of these. Measurement Tasks
may be Active (the MA generates Measurement Traffic and measures some
metric associated with its transfer), Passive (the MA observes
traffic), or some hybrid form of the two.
The Controller manages a MA through use of the Control Protocol,
which transfer the Instruction to the MA. This describes the
Measurement Tasks the MA should perform and when. For example the
Controller may instruct a MA at a home gateway: "Count the number of
TCP SYN packets observed in a 1 minute interval; repeat every hour at
xx.05 + Unif[0,180] seconds". The Measurement Schedule determines
when the Measurement Tasks are executed. The Controller also manages
a MA by instructing it how to report the Measurement Results, for
Eardley, et al. Expires November 14, 2014 [Page 5]
Internet-Draft LMAP Framework May 2014
example: "Report results once a day in a batch at 4am + Unif[0,180]
seconds; if the end user is active then delay the report 5 minutes".
The Report Schedule determines when the Reports are uploaded to the
Collector. The Measurement Schedule and Report Schedule can define
one-off (non-recurring) actions ("Do measurement now", "Report as
soon as possible"), as well as recurring ones.
The Collector accepts a Report from a MA with the Measurement Results
from its Measurement Tasks. It then provides the Results to a
repository (see below).
Some Measurement Tasks involve several MAs acting in a coordinated
fashion. This coordination is achieved by the Controller instructing
the multiple MAs in a coherent manner. In some Measurement Tasks the
MA(s) is assisted by one or more network entities that are not
managed by the Controller. The entities that help the MA in the
Measurement Tasks but are not managed by the Controller are called
Measurement Peers (MPs). For example consider the case of a "ping"
Measurement Task, to measure the round trip delay between the MA and
a given ICMP ECHO responder in the Internet. In this case, the
responder is the Measurement Peer. The ICMP ECHO request and ICMP
ECHO Requests and Replies flowing between the MA and the MP is called
Active Measurement Traffic. The Appendix has some other examples of
possible arrangements of Measurement Agents and Peers.
A Measurement Method defines how to measure a Metric of interest. It
is very useful to standardise Measurement Methods, so that it is
meaningful to compare measurements of the same Metric made at
different times and places. It is also useful to define a registry
for commonly-used Metrics [I-D.manyfolks-ippm-metric-registry] so
that a Measurement Method can be referred to simply by its identifier
in the registry. The Measurement Methods and registry will hopefully
be referenced by other standards organisations.
A Measurement Task is a specific instantiation of a Measurement
Method. It generates a Measurement Result. An Active Measurement
Task involves either a Measurement Agent (MA) injecting Active
Measurement Traffic into the network destined for a Measurement Peer
or for another Measurement Agent, and/or another Measurement Agent
(or a Measurement Peer, in response to a packet from a MA) sending
Active Measurement Traffic to a MA; one of them measures some
parameter associated with the transfer of the packet(s). A Passive
Measurement Task involves a MA simply observing traffic - for
example, it could count bytes or it might calculate the average loss
for a particular flow.
In order for a Measurement Agent and a Measurement Peer (or another
Measurement Agent) to execute an Active Measurement Task, they
Eardley, et al. Expires November 14, 2014 [Page 6]
Internet-Draft LMAP Framework May 2014
exchange Active Measurement Traffic. The protocols used for the
Active Measurement Traffic are out of the scope of initial LMAP work;
they fall within the scope of other IETF WGs such as IPPM.
For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be
used but also the set of Measurement Tasks should follow a similar
Measurement Schedule and be of similar number. The details of such a
characterisation plan are beyond the scope of work in IETF although
certainly facilitated by IETF's work.
Messages are transferred over a secure Channel. A Control Channel is
between the Controller and a MA; the Control Protocol delivers
Instruction Messages to the MA and Capabilities, Failure and logging
Information in the reverse direction. A Report Channel is between a
MA and Collector, and the Report Protocol delivers Reports to the
Collector.
Finally we introduce several components that are outside the scope of
initial LMAP work and will be provided through existing protocols or
applications. They affect how the measurement system uses the
Measurement Results and how it decides what set of Measurement Tasks
to perform.
The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP work
considers the bootstrap process, since it affects the Information
Model. However, LMAP does not define a bootstrap protocol, since it
is likely to be technology specific and could be defined by the
Broadband Forum, CableLabs or IEEE depending on the device. Possible
protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management
Protocol (CWMP) from the Auto Configuration Server (ACS) (as
specified in TR-069 [TR-069]).
A Subscriber parameter database contains information about the line,
such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s),
the line technology (DSL or fibre), the time zone where the MA is
located, and the type of home gateway and MA. These parameters are
already gathered and stored by existing operations systems. They may
affect the choice of what Measurement Tasks to run and how to
interpret the Measurement Results. For example, a download test
suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s
line.
A results repository records all Measurement Results in an equivalent
form, for example an SQL database, so that they can easily be
accessed by the data analysis tools.
Eardley, et al. Expires November 14, 2014 [Page 7]
Internet-Draft LMAP Framework May 2014
The data analysis tools receive the results from the Collector or via
the Results repository. They might visualise the data or identify
which component or link is likely to be the cause of a fault or
degradation. This information could help the Controller decide what
follow-up Measurement Task to perform in order to diagnose a fault.
The data analysis tools also need to understand the Subscriber's
service information, for example the broadband contract.
^
|
Active +-------------+ IPPM
+---------------+ Measurement | Measurement | Scope
| Measurement |<------------>| Peer | |
| Agent | Traffic +-------------+ v
+------->| | ^
| +---------------+ |
| ^ | |
| Instruction | | Report |
| | +-----------------+ |
| | | |
| | v LMAP
| +------------+ +------------+ Scope
| | Controller | | Collector | |
| +------------+ +------------+ v
| ^ ^ | ^
| | | | |
| | +----------+ | |
| | | v |
+------------+ +----------+ +--------+ +----------+ |
|Bootstrapper| |Subscriber|--->| data |<---|repository| Out
+------------+ |parameter | |analysis| +----------+ of
|database | | tools | Scope
+----------+ +--------+ |
|
v
Figure 1: Schematic of main elements of an LMAP-based
measurement system
(showing the elements in and out of the scope of initial LMAP work)
3. Terminology
This section defines terminology for LMAP. Please note that defined
terms are capitalized.
Active Measurement Method: A generalisation of an Active Measurement
Task.
Eardley, et al. Expires November 14, 2014 [Page 8]
Internet-Draft LMAP Framework May 2014
Active Measurement Task: A Measurement Task in which a Measurement
Agent creates or receives Active Measurement Traffic, by coordinating
with one or more other Measurement Agents or Measurement Peers using
protocols outside the initial LMAP work scope.
Active Measurement Traffic: the packet(s) generated in order to
execute an Active Measurement Task.
Bootstrap: A process that integrates a Measurement Agent into a
measurement system.
Capabilities: Information about the performance measurement
capabilities of the MA, in particular the Measurement Methods that it
can perform, and the device hosting the MA, for example its interface
type and speed, but not dynamic information.
Channel: A bi-directional logical connection that is defined by a
specific Controller and MA, or Collector and MA, plus associated
security.
Collector: A function that receives a Report from a Measurement
Agent.
Configuration Protocol: The protocol delivering information, from a
Controller to a Measurement Agent, that updates the information
obtained during Bootstrapping.
Controller: A function that provides a Measurement Agent with its
Instruction.
Control Channel: a Channel between a Controller and a MA over which
Instruction Messages and Capabilities and Failure information are
sent.
Control Protocol: The protocol delivering Instruction(s) from a
Controller to a Measurement Agent. It also delivers Failure
Information and Capabilities Information from the Measurement Agent
to the Controller.
Cycle-ID: A tag that is sent by the Controller in an Instruction and
echoed by the MA in its Report. The same Cycle-ID is used by several
MAs that use the same Measurement Method with the same Input
Parameters. Hence the Cycle-ID allows the Collector to easily
identify Measurement Results that should be comparable.
Data Model: The implementation of an Information Model in a
particular data modelling language [RFC3444].
Eardley, et al. Expires November 14, 2014 [Page 9]
Internet-Draft LMAP Framework May 2014
Environmental Constraint: A parameter that is measured as part of the
Measurement Task, its value determining whether the rest of the
Measurement Task proceeds.
Failure Information: Information about the MA's failure to action or
execute an Instruction, whether concerning Measurement Tasks or
Reporting.
Group-ID: An identifier of a group of MAs.
Information Model: The protocol-neutral definition of the semantics
of the Instructions, the Report, the status of the different elements
of the measurement system as well of the events in the system
[RFC3444].
Input Parameter: A parameter whose value is left open by the
Measurement Method and is set to a specific value in a Measurement
Task. Altering the value of an Input Parameter does not change the
fundamental nature of the Measurement Method.
Instruction: The description of Measurement Tasks for a MA to perform
and the details of the Report for it to send. It is the collective
description of the Measurement Task configurations, the configuration
of the Measurement Schedules, the configuration of the Report
Channel(s), the configuration of Report Schedule(s), and the details
of any suppression.
Instruction Message: The message that carries an Instruction from a
Controller to a Measurement Agent.
Measurement Agent (MA): The function that receives Instruction
Messages from a Controller and operates the Instruction by executing
Measurement Tasks (using protocols outside the initial LMAP work
scope and perhaps in concert with one or more other Measurement
Agents or Measurement Peers) and (if part of the Instruction) by
reporting Measurement Results to a Collector or Collectors.
Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that
identifies a particular MA and is configured as part of the
Bootstrapping process.
Measurement Method: The process for assessing the value of a Metric;
the process of measuring some performance or reliability parameter
associated with the transfer of traffic; the generalisation of a
Measurement Task.
Eardley, et al. Expires November 14, 2014 [Page 10]
Internet-Draft LMAP Framework May 2014
Measurement Peer (MP): The function that assists a Measurement Agent
with Measurement Tasks and does not have an interface to the
Controller or Collector.
Measurement Result: The output of a single Measurement Task (the
value obtained for the parameter of interest or Metric).
Measurement Schedule: The schedule for performing Measurement Tasks.
Measurement Task: The act that consists of the single operation of
the Measurement Method at a particular time and with all its Input
Parameters set to specific values.
Metric: The quantity related to the performance and reliability of
the network that we'd like to know the value of, and that is
carefully specified.
Passive Measurement Method (Task): A Measurement Method (Task) in
which a Measurement Agent observes existing traffic but does not
inject Active Measurement Traffic.
Report: The set of Measurement Results and other associated
information (as defined by the Instruction). The Report is sent by a
Measurement Agent to a Collector.
Report Channel: a communications channel between a MA and a
Collector, which is defined by a specific MA, Collector, Report
Schedule and associated security, and over which Reports are sent.
Report Protocol: The protocol delivering Report(s) from a Measurement
Agent to a Collector.
Report Schedule: the schedule for sending Reports to a Collector.
Subscriber: An entity (associated with one or more users) that is
engaged in a subscription with a service provider.
Suppression: the temporary cessation of Active Measurement Tasks.
4. Constraints
The LMAP framework makes some important assumptions, which constrain
the scope of the initial LMAP work.
Eardley, et al. Expires November 14, 2014 [Page 11]
Internet-Draft LMAP Framework May 2014
4.1. Measurement system is under the direction of a single organisation
In the LMAP framework, the measurement system is under the direction
of a single organisation that is responsible for any impact that its
measurements have on a user's quality of experience and privacy.
Clear responsibility is critical given that a misbehaving large-scale
measurement system could potentially harm user experience, user
privacy and network security.
However, the components of an LMAP measurement system can be deployed
in administrative domains that are not owned by the measuring
organisation. Thus, the system of functions deployed by a single
organisation constitutes a single LMAP domain which may span
ownership or other administrative boundaries.
4.2. Each MA may only have a single Controller at any point in time
A MA is instructed by one Controller and is in one measurement
system. The constraint avoids different Controllers giving a MA
conflicting instructions and so means that the MA does not have to
manage contention between multiple Measurement (or Report) Schedules.
This simplifies the design of MAs (critical for a large-scale
infrastructure) and allows a Measurement Schedule to be tested on
specific types of MA before deployment to ensure that the end user
experience is not impacted (due to CPU, memory or broadband-product
constraints).
An operator may have several Controllers, perhaps with a Controller
for different types of MA (home gateways, tablets) or location
(Ipswich, Edinburgh).
5. LMAP Protocol Model
A protocol model [RFC4101] presents an architectural model for how
the protocol operates and needs to answer three basic questions:
1. What problem is the protocol trying to achieve?
2. What messages are being transmitted and what do they mean?
3. What are the important, but unobvious, features of the protocol?
An LMAP system goes through the following phases:
o a bootstrapping process before the MA can take part in the other
three phases
Eardley, et al. Expires November 14, 2014 [Page 12]
Internet-Draft LMAP Framework May 2014
o a Control Protocol, which delivers Instruction Messages from a
Controller to a MA, detailing what Measurement Tasks the MA should
perform and when, and how it should report the Measurement
Results. It also delivers Capabilities, Failure and logging
Information from a MA to its Controller.
o the actual Measurement Tasks, which measure some performance or
reliability parameter(s) associated with the transfer of packets.
The LMAP work does not define Measurement Methods, these are
define elsewhere (e.g. IPPM).
o a Report Protocol, which delivers Reports from a MA to a
Collector. The Report contains the Measurement Results.
The diagrams show the various LMAP messages and uses the following
convention:
o (optional): indicated by round brackets
o [potentially repeated]: indicated by square brackets
The protocol model is closely related to the Information Model
[I-D.ietf-lmap-information-model], which is the abstract definition
of the information carried by the protocol model. The purpose of
both is to provide a protocol and device independent view, which can
be implemented via specific protocols. LMAP defines a specific
Control Protocol and Report Protocol, but others could be defined by
other standards bodies or be proprietary. However it is important
that they all implement the same Information Model and protocol
model, in order to ease the definition, operation and
interoperability of large-scale measurement systems.
5.1. Bootstrapping process
The primary purpose of bootstrapping is to enable a MA to be
integrated into a measurement system. The MA retrieves information
about itself (like its identity in the measurement system) and about
the Controller, the Controller learns information about the MA, and
they learn about security information to communicate (such as
certificates and credentials).
Whilst this memo considers the bootstrapping process, it is beyond
the scope of initial LMAP work to define a bootstrap mechanism, as it
depends on the type of device and access.
As a result of the bootstrapping process the MA learns information
with the following aims ([I-D.ietf-lmap-information-model] defines
the consequent list of information elements):
Eardley, et al. Expires November 14, 2014 [Page 13]
Internet-Draft LMAP Framework May 2014
o its identifier, either its MA-ID or a device identifier such as
its MAC
o (optionally) a Group-ID. A Group-ID would be shared by several
MAs and could be useful for privacy reasons. For instance,
reporting the Group-ID and not the MA-ID could hinder tracking of
a mobile device
o the Control Channel, which is defined by:
* the address which identifies the Control Channel, such as the
Controller's FQDN (Fully Qualified Domain Name) [RFC1035])
* security information (for example to enable the MA to decrypt
the Instruction Message and encrypt messages sent to the
Controller)
The details of the bootstrapping process are device /access specific.
For example, the information could be in the firmware, manually
configured or transferred via a protocol like TR-069 [TR-069]. There
may be a multi-stage process where the MA contacts the device at a
'hard-coded' address, which replies with the bootstrapping
information.
The MA must learn its MA-ID before getting an Instruction, either
during Bootstrapping or via the Configuration Protocol.
5.2. Configuration Protocol
The Configuration Protocol allows the Controller to update the MA
about some or all of the information that it obtained during the
bootstrapping process: the MA-ID, the (optional) Group-ID and the
Control Channel. The measurement system might use Configuration for
several reasons. For example, the bootstrapping process could 'hard
code' the MA with details of an initial Controller, and then the
initial Controller could configure the MA with details about the
Controller that sends Instruction Messages. (Note that a MA only has
one Control Channel, and so is associated with only one Controller,
at any moment.)
Note that an implementation may choose to combine Configuration
information and an Instruction Message into a single message.
Eardley, et al. Expires November 14, 2014 [Page 14]
Internet-Draft LMAP Framework May 2014
+-----------------+ +-------------+
| | | Measurement |
| Controller |======================================| Agent |
+-----------------+ +-------------+
Configuration information: ->
(MA-ID),
(Group-ID),
(Control Channel)
<- Response(details)
5.3. Control Protocol
The primary purpose of the Control Protocol is to allow the
Controller to configure a Measurement Agent with an Instruction about
what Measurement Tasks to do, when to do them, and how to report the
Measurement Results (Section 5.2.1). The Measurement Agent then acts
on the Instruction autonomously. The Control Protocol also enables
the MA to inform the Controller about its Capabilities and any
Failure and logging Information (Section 5.3.2).
5.3.1. Instruction
The Instruction is the description of the Measurement Tasks for a
Measurement Agent to do and the details of the Measurement Reports
for it to send. In order to update the Instruction the Controller
uses the Control Protocol to send an Instruction Message over the
Control Channel.
+-----------------+ +-------------+
| | | Measurement |
| Controller |======================================| Agent |
+-----------------+ +-------------+
Instruction: ->
[(Measurement Task configuration(
[Input Parameter],
(interface),
(Cycle-ID))),
(Report Channel),
(Measurement Schedule),
(Report Schedule),
(Suppression information)]
<- Response(details)
Eardley, et al. Expires November 14, 2014 [Page 15]
Internet-Draft LMAP Framework May 2014
The Instruction defines information with the following aims
([I-D.ietf-lmap-information-model] defines the consequent list of
information elements):
o the Measurement Task configurations, each of which needs:
* the Metric, specified as a URI to a registry entry; it includes
the specification of a Measurement Method. The registry could
be defined by the IETF [I-D.manyfolks-ippm-metric-registry],
locally by the operator of the measurement system or perhaps by
another standards organisation.
* any Input Parameters that need to be set for the Measurement
Method, such as the address of the Measurement Peer (or other
Measurement Agent) that are involved in an Active Measurement
Task
* if the device with the MA has multiple interfaces, then the
interface to use (if not defined, then the default interface is
used)
o configuration of the Measurement Schedules, each of which needs:
* the timing of when the Measurement Tasks are to be performed.
Possible types of timing are periodic, calendar-based periodic,
one-off immediate and one-off at a future time
o configuration of the Report Channels, each of which needs:
* the address of the Collector, for instance its URL
* security for this Report Channel, for example the X.509
certificate
o configuration of the Report Schedules, each of which needs:
* the timing of when reporting is to be performed. For instance,
every hour or immediately.
o Suppression information, if any (see Section 5.2.1.1)
A single Instruction Message may contain some or all of the above
parts. The finest level of granularity possible in an Instruction
Message is determined by the implementation and operation of the
Control Protocol. For example, a single Instruction Message may add
or update an individual Measurement Schedule - or it may only update
the complete set of Measurement Schedules; a single Instruction
Eardley, et al. Expires November 14, 2014 [Page 16]
Internet-Draft LMAP Framework May 2014
Message may update both Measurement Schedules and Measurement Task
configurations - or only one at a time; and so on.
The MA informs the Controller that it has successfully understood the
Instruction Message, or that it cannot action the Instruction - for
example, if it doesn't include a parameter that is mandatory for the
requested Measurement Method, or it is missing details of the target
Collector.
The Instruction Message instructs the MA; the Control Protocol does
not allow the MA to negotiate, as this would add complexity to the
MA, Controller and Control Protocol for little benefit.
5.3.1.1. Suppression
The Instruction may include Suppression information. Suppression is
used if the measurement system wants to eliminate inessential
traffic, because there is some unexpected network issue for example.
By default, Suppression means that the MA does not begin any new
Active Measurement Task. The impact on other Measurement Tasks is
not defined by LMAP; since they do not involve the MA creating any
Active Measurement Traffic there is no need to suppress them, however
it may be simpler for an implementation to do so. Also, by default
Suppression starts immediately and continues until an un-suppress
message is received. Optionally the Suppression information may
include:
o a set of Measurement Tasks to suppress; the others are not
suppressed. For example, this could be useful if a particular
Measurement Task is overloading a Measurement Peer.
o a set of Measurement Schedules to suppress; the others are not
suppressed. For example, suppose the measurement system has
defined two Schedules, one with the most critical Measurement
Tasks and the other with less critical ones that create a lot of
Active Measurement Traffic, then it may only want to suppress the
second.
o a start time, at which suppression begins
o an end time, at which suppression ends
o a demand that the MA ends its on-going Active Measurement Task(s)
(and deletes the associated partial Measurement Result(s)).
Note that Suppression is not intended to permanently stop a
Measurement Task (instead, the Controller should send a new
Eardley, et al. Expires November 14, 2014 [Page 17]
Internet-Draft LMAP Framework May 2014
Measurement Schedule), nor to permanently disable a MA (instead, some
kind of management action is suggested).
+-----------------+ +-------------+
| | | Measurement |
| Controller |===================================| Agent |
+-----------------+ +-------------+
Suppress:
[(Measurement Task), ->
(Measurement Schedule),
start time,
end time,
on-going suppressed?]
Un-suppress ->
5.3.2. Capabilities and Failure information
The Control Protocol also enables the MA to inform the Controller
about various information, such as its Capabilities and any Failures.
It is also possible to use a device-specific mechanism which is
beyond the scope of the initial LMAP work.
Capabilities are information about the MA that the Controller needs
to know in order to correctly instruct the MA, such as:
o the Measurement Methods that the MA supports
o the interfaces that the MA has
o the version of the MA
o the version of the hardware, firmware or software of the device
with the MA
o but not dynamic information like the currently unused CPU, memory
or battery life of the device with the MA.
Failure information concerns why the MA has been unable to execute a
Measurement Task or deliver a Report, for example:
o the Measurement Task failed to run properly because the MA
(unexpectedly) has no spare CPU cycles
o the MA failed record the Measurement Results because it
(unexpectedly) is out of spare memory
Eardley, et al. Expires November 14, 2014 [Page 18]
Internet-Draft LMAP Framework May 2014
o a Report failed to deliver Measurement Results because the
Collector (unexpectedly) is not responding
o but not if a Measurement Task correctly doesn't start. For
example, the first step of some Measurement Methods is for the MA
to check there is no cross-traffic.
Logging information concerns how the MA is operating and may help
debugging, for example:
o the last time the MA ran a Measurement Task
o the last time the MA sent a Measurement Report
o the last time the MA received an Instruction Message
o whether the MA is currently Suppressing Measurement Tasks
Capabilities, failure and logging information are sent by the MA,
either in response to a request from the Controller (for example, if
the Controller forgets what the MA can do or otherwise wants to
resynchronize what it knows about the MA), or on its own initiative
(for example when the MA first communicates with a Controller or if
it becomes capable of a new Measurement Method). Another example of
the latter case is if the device with the MA re-boots, then the MA
should notify its Controller in case its Instruction needs to be
updated; to avoid a "mass calling event" after a widespread power
restoration affecting many MAs, it is sensible for an MA to pause for
a random delay, perhaps in the range of one minute or so.
+-----------------+ +-------------+
| | | Measurement |
| Controller |===================================| Agent |
+-----------------+ +-------------+
(Instruction:
[(Request Capabilities),
(Request Failure Information),
(Request Logging Information)]) ->
<- (Capabilities),
(Failure Information),
(Logging Information)
Eardley, et al. Expires November 14, 2014 [Page 19]
Internet-Draft LMAP Framework May 2014
5.4. Operation of Measurement Tasks
This LMAP framework is neutral to what the actual Measurement Task
is. It does not define Measurement Methods, these are defined
elsewhere (e.g. IPPM).
The MA carries out the Measurement Tasks as instructed, unless it
gets an updated Instruction. The MA acts autonomously, in terms of
operation of the Measurement Tasks and reporting of the Results; it
doesn't do a 'safety check' with the Controller to ask whether it
should still continue with the requested Measurement Tasks.
5.4.1. Starting and Stopping Measurement Tasks
This LMAP framework does not define a generic start and stop process,
since the correct approach depends on the particular Measurement
Task; the details are defined as part of each Measurement Method.
This section provides some general hints. The MA does not inform the
Controller about Measurement Tasks starting and stopping.
Before sending Active Measurement Traffic the MA may run a pre-check.
(The pre-check could be defined as a separate, preceding Task or as
the first part of a larger Task.) Action could include:
o the MA checking that there is no cross-traffic. In other words, a
check that the end-user isn't already sending traffic;
o the MA checking with the Measurement Peer (or other Measurement
Agent involved in the Measurement Task) that it can handle a new
Measurement Task (in case, for example, the Measurement Peer is
already handling many Measurement Tasks with other MAs);
o sending traffic that probes the path to check it isn't overloaded;
o checking that the device with the MA has enough resources to
execute the Measurement Task reliably. Note that the designer of
the measurement system should ensure that the device's
capabilities are normally sufficient to comfortably operate the
Measurement Tasks.
It is possible that similar checks continue during the Measurement
Task, especially one that is long-running and/or creates a lot of
Active Measurement Traffic, and might lead to it being abandoned
whilst in-progress. A Measurement Task could also be abandoned in
response to a "suppress" message (see Section 5.2.1). Action could
include:
o For 'upload' tests, the MA not sending traffic
Eardley, et al. Expires November 14, 2014 [Page 20]
Internet-Draft LMAP Framework May 2014
o For 'download' tests, the MA closing the TCP connection or sending
a TWAMP Stop control message [RFC5357].
The Controller may want a MA to run the same Measurement Task
indefinitely (for example, "run the 'upload speed' Measurement Task
once an hour until further notice"). To avoid the MA generating
traffic forever after a Controller has permanently failed (or
communications with the Controller have failed), the MA can be
configured with a time limit; if the MA doesn't hear from the
Controller for this length of time, then it stops operating
Measurement Tasks.
5.4.2. Overlapping Measurement Tasks
It is possible that a MA starts a new Measurement Task before another
Measurement Task has completed. This may be intentional (the way
that the measurement system has designed the Measurement Schedules),
but it could also be unintentional - for instance, if a Measurement
Task has a 'wait for X' step which pauses for an unexpectedly long
time. The operator of the measurement system can handle (or not)
overlapping Measurement Tasks in any way they choose - it is a policy
or implementation issue and not the concern of LMAP. Some possible
approaches are: to configure the MA not to begin the second
Measurement Task; to start the second Measurement Task as usual; for
the action to be an Input Parameter of the Measurement Task; and so
on.
It may be important to include in the Measurement Report the fact
that the Measurement Task overlapped with another.
5.5. Report Protocol
The primary purpose of the Report Protocol is to allow a Measurement
Agent to report its Measurement Results to a Collector, along with
the context in which they were obtained.
+-----------------+ +-------------+
| | | Measurement |
| Collector |===================================| Agent |
+-----------------+ +-------------+
<- Report:
[MA-ID &/or Group-ID],
[Measurement Result
[details of Measurement Task]]
ACK ->
Eardley, et al. Expires November 14, 2014 [Page 21]
Internet-Draft LMAP Framework May 2014
The Report contains:
o the MA-ID or a Group-ID (to anonymise results)
o the actual Measurement Results, including the time they were
measured
o the details of the Measurement Task (to avoid the Collector having
to ask the Controller for this information later)
o perhaps the Subscriber's service parameters (see Section 5.4.1).
The MA sends Reports as defined by the Instruction. It is possible
that the Instruction tells the MA to report the same Results to more
than one Collector, or to report a different subset of Results to
different Collectors. It is also possible that a Measurement Task
may create two (or more) Measurement Results, which could be reported
differently (for example, one Result could be reported periodically,
whilst the second Result could be an alarm that is created as soon as
the measured value of the Metric crosses a threshold and that is
reported immediately).
Optionally, a Report is not sent when there are no Measurement
Results.
In the initial LMAP Information Model and Report Protocol, for
simplicity we assume that all Measurement Results are reported as-is,
but allow extensibility so that a measurement system (or perhaps a
second phase of LMAP) could allow a MA to:
o label, or perhaps not include, Measurement Results impacted by,
for instance, cross-traffic or the Measurement Peer (or other
Measurement Agent) being busy
o label Measurement Results obtained by a Measurement Task that
overlapped with another
o not report the Measurement Results if the MA believes that they
are invalid
o detail when Suppression started and ended
5.5.1. Reporting of Subscriber's service parameters
The Subscriber's service parameters are information about his/her
broadband contract, line rate and so on. Such information is likely
to be needed to help analyse the Measurement Results, for example to
help decide whether the measured download speed is reasonable.
Eardley, et al. Expires November 14, 2014 [Page 22]
Internet-Draft LMAP Framework May 2014
The information could be transferred directly from the Subscriber
parameter database to the data analysis tools. It may also be
possible to transfer the information via the MA. How (and if) the MA
knows such information is likely to depend on the device type. The
MA could either include the information in a Measurement Report or
separately.
5.6. Operation of LMAP over the underlying packet transfer mechanism
The above sections have described LMAP's protocol model. Other
specifications will define the actual Control and Report Protocols,
possibly operating over an existing protocol, to be selected, for
example REST-style HTTP(S). It is also possible that a different
choice is made for the Control and Report Protocols, for example
NETCONF-YANG and IPFIX respectively.
From an LMAP perspective, the Controller needs to know that the MA
has received the Instruction Message, or at least that it needs to be
re-sent as it may have failed to be delivered. Similarly the MA
needs to know about the delivery of Capabilities and Failure
information to the Controller and Reports to the Collector. How this
is done depends on the design of the Control and Report Protocols and
the underlying packet transfer mechanism.
For the Control Protocol, the underlying packet transfer mechanism
could be:
o a 'push' protocol (that is, from the Controller to the MA)
o a multicast protocol (from the Controller to a group of MAs)
o a 'pull' protocol. The MA periodically checks with Controller if
the Instruction has changed and pulls a new Instruction if
necessary. A pull protocol seems attractive for a MA behind a NAT
(as is typical for a MA on an end-user's device), so that it can
initiate the communications. A pull mechanism is likely to
require the MA to be configured with how frequently it should
check in with the Controller, and perhaps what it should do if the
Controller is unreachable after a certain number of attempts.
o a hybrid protocol. In addition to a pull protocol, the Controller
can also push an alert to the MA that it should immediately pull a
new Instruction.
For the Report Protocol, the underlying packet transfer mechanism
could be:
o a 'push' protocol (that is, from the MA to the Collector)
Eardley, et al. Expires November 14, 2014 [Page 23]
Internet-Draft LMAP Framework May 2014
o perhaps supplemented by the ability for the Collector to 'pull'
Measurement Results from a MA.
5.7. Items beyond the scope of the initial LMAP work
There are several potential interactions between LMAP elements that
are beyond the scope of the initial LMAP work:
1. It does not define a coordination process between MAs. Whilst a
measurement system may define coordinated Measurement Schedules
across its various MAs, there is no direct coordination between
MAs.
2. It does not define interactions between the Collector and
Controller. It is quite likely that there will be such
interactions, optionally intermediated by the data analysis
tools. For example, if there is an "interesting" Measurement
Result then the measurement system may want to trigger extra
Measurement Tasks that explore the potential cause in more
detail; or if the Collector unexpectedly does not hear from a MA,
then the measurement system may want to trigger the Controller to
send a fresh Instruction Message to the MA.
3. It does not define coordination between different measurement
systems. For example, it does not define the interaction of a MA
in one measurement system with a Controller or Collector in a
different measurement system. Whilst it is likely that the
Control and Report Protocols could be re-used or adapted for this
scenario, any form of coordination between different
organisations involves difficult commercial and technical issues
and so, given the novelty of large-scale measurement efforts, any
form of inter-organisation coordination is outside the scope of
the initial LMAP work. Note that a single MA is instructed by a
single Controller and is only in one measurement system.
* An interesting scenario is where a home contains two
independent MAs, for example one controlled by a regulator and
one controlled by an ISP. Then the Active Measurement Traffic
of one MA is treated by the other MA just like any other end-
user traffic.
4. It does not consider how to prevent a malicious party "gaming the
system". For example, where a regulator is running a measurement
system in order to benchmark operators, a malicious operator
could try to identify the broadband lines that the regulator was
measuring and prioritise that traffic. It is assumed this is a
policy issue and would be dealt with through a code of conduct
for instance.
Eardley, et al. Expires November 14, 2014 [Page 24]
Internet-Draft LMAP Framework May 2014
5. It does not define how to analyse Measurement Results, including
how to interpret missing Results.
6. It does not specifically define a end-user-controlled measurement
system, see sub-section 5.6.1.
5.7.1. End-user-controlled measurement system
This framework concentrates on the cases where an ISP or a regulator
runs the measurement system. However, we expect that LMAP
functionality will also be used in the context of an end-user-
controlled measurement system. There are at least two ways this
could happen (they have various pros and cons):
1. an end-user could somehow request the ISP- (or regulator-) run
measurement system to test his/her line. The ISP (or regulator)
Controller would then send an Instruction to the MA in the usual
LMAP way. Note that a user can't directly initiate a Measurement
Task on an ISP- (or regulator-) controlled MA.
2. an end-user could deploy their own measurement system, with their
own MA, Controller and Collector. For example, the user could
implement all three functions onto the same end-user-owned end
device, perhaps by downloading the functions from the ISP or
regulator. Then the LMAP Control and Report Protocols do not
need to be used, but using LMAP's Information Model would still
be beneficial. The Measurement Peer (or other MA involved in the
Measurement Task) could be in the home gateway or outside the
home network; in the latter case the Measurement Peer is highly
likely to be run by a different organisation, which raises extra
privacy considerations.
In both cases there will be some way for the end-user to initiate the
Measurement Task(s). The mechanism is outside the scope of the
initial LMAP work, but could include the user clicking a button on a
GUI or sending a text message. Presumably the user will also be able
to see the Measurement Results, perhaps summarised on a webpage. It
is suggested that these interfaces conform to the LMAP guidance on
privacy in Section 8.
6. Deployment considerations
The Appendix has some examples of possible deployment arrangements of
Measurement Agents and Peers.
Eardley, et al. Expires November 14, 2014 [Page 25]
Internet-Draft LMAP Framework May 2014
6.1. Controller and the measurement system
The Controller should understand both the MA's LMAP Capabilities (for
instance what Measurement Methods it can perform) and about the MA's
other capabilities like processing power and memory. This allows the
Controller to make sure that the Measurement Schedule of Measurement
Tasks and the Reporting Schedule are sensible for each MA that it
Instructs.
An Instruction is likely to include several Measurement Tasks.
Typically these run at different times, but it is also possible for
them to run at the same time. Some Tasks may be compatible, in that
they do not affect each other's Results, whilst with others great
care would need to be taken.
The Controller should ensure that the Active Measurement Tasks do not
have an adverse effect on the end user. Tasks, especially those that
generate a substantial amount of traffic, will often include a pre-
check that the user isn't already sending traffic (Section 5.3).
Another consideration is whether Active Measurement Traffic will
impact a Subscriber's bill or traffic cap.
The different elements of the Instruction can be updated
independently. For example, the Measurement Tasks could be
configured with different Input Parameters whilst keeping the same
Measurement Schedule. In general this should not create any issues,
since Measurement Methods should be defined so their fundamental
nature does not change for a new value of Input Parameter. There
could be a problem if, for example, a Measurement Task involving a
1kB file upload could be changed into a 1GB file upload.
A measurement system may have multiple Controllers (but note the
overriding principle that a single MA is instructed by a single
Controller at any point in time (Section 4.2)). For example, there
could be different Controllers for different types of MA (home
gateways, tablets) or locations (Ipswich, Edinburgh), for load
balancing or to cope with failure of one Controller.
The measurement system also needs to consider carefully how to
interpret missing Results; for example, if the missing Results are
ignored and the lack of a Report is caused by its broadband being
broken, then the estimate of overall performance, averaged across all
MAs, would be too optimistic.
Eardley, et al. Expires November 14, 2014 [Page 26]
Internet-Draft LMAP Framework May 2014
6.2. Measurement Agent
The Measurement Agent could take a number of forms: a dedicated
probe, software on a PC, embedded into an appliance, or even embedded
into a gateway. A single site (home, branch office etc.) that is
participating in a measurement could make use of one or multiple
Measurement Agents or Measurement Peers in a single measurement.
The Measurement Agent could be deployed in a variety of locations.
Not all deployment locations are available to every kind of
Measurement Agent. There are also a variety of limitations and
trade-offs depending on the final placement. The next sections
outline some of the locations a Measurement Agent may be deployed.
This is not an exhaustive list and combinations may also apply.
6.2.1. Measurement Agent on a networked device
A MA may be embedded on a device that is directly connected to the
network, such as a MA on a smartphone. Other examples include a MA
downloaded and installed on a subscriber's laptop computer or tablet
when the network service is provided on wired or other wireless radio
technologies, such as Wi-Fi.
6.2.2. Measurement Agent embedded in site gateway
A Measurement Agent embedded with the site gateway, for example a
home router or the edge router of a branch office in a managed
service environment, is one of better places the Measurement Agent
could be deployed. All site-to-ISP traffic would traverse through
the gateway and passive measurements could easily be performed.
Similarly, due to this user traffic visibility, an Active Measurement
Task could be rescheduled so as not to compete with user traffic.
Generally NAT and firewall services are built into the gateway,
allowing the Measurement Agent the option to offer its Controller-
facing management interface outside of the NAT/firewall. This
placement of the management interface allows the Controller to
unilaterally contact the Measurement Agent for instructions.
However, a Measurement Agent on a site gateway (whether end-user
service-provider owned) will generally not be directly available for
over the top providers, the regulator, end users or enterprises.
6.2.3. Measurement Agent embedded behind site NAT /Firewall
The Measurement Agent could also be embedded behind a NAT, a
firewall, or both. In this case the Controller may not be able to
unilaterally contact the Measurement Agent unless either static port
forwarding or firewall pin holing is configured. Configuring port
forwarding could use protocols such as PCP [RFC6887], TR-069
Eardley, et al. Expires November 14, 2014 [Page 27]
Internet-Draft LMAP Framework May 2014
[TR-069]or UPnP [UPnP]. To prop open the firewall, the Measurement
Agent could send keepalives towards the Controller (and perhaps use
these also as a network reachability test).
6.2.4. Multi-homed Measurement Agent
If the device with the Measurement Agent is single homed then there
is no confusion about what interface to measure. Similarly, if the
MA is at the gateway and the gateway only has a single WAN-side and a
single LAN-side interface, there is little confusion - for an Active
Measurement Task, the location of the other MA or Measurement Peer
determines whether the WAN or LAN is measured.
However, the device with the Measurement Agent may be multi-homed.
For example, a home or campus may be connected to multiple broadband
ISPs, such as a wired and wireless broadband provider, perhaps for
redundancy or load- sharing. It may also be helpful to think of dual
stack IPv4 and IPv6 broadband devices as multi-homed. More
generally, Section 3.2 of [I-D.ietf-homenet-arch] describes dual-
stack and multi-homing topologies that might be encountered in a home
network, [RFC6419] provides the current practices of multi-interfaces
hosts, and the Multiple Interfaces (mif) working group covers cases
where hosts are either directly attached to multiple networks
(physical or virtual) or indirectly (multiple default routers, etc.).
In these cases, there needs to be clarity on which network
connectivity option is being measured.
One possibility is to have a Measurement Agent per interface. Then
the Controller's choice of MA determines which interface is measured.
However, if a MA can measure any of the interfaces, then the
Controller defines in the Instruction which interface the MA should
use for a Measurement Task; if the choice of interface is not defined
then the MA uses the default one. Explicit definition is preferred
if the measurement system wants to measure the performance of a
particular network, whereas using the default is better if the
measurement system wants to include the impact of the MA's interface
selection algorithm. In any case, the Measurement Result should
include the network that was measured.
6.2.5. Measurement Agent embedded in ISP Network
A MA may be embedded on a device that is part of an ISP's network,
such as a router or switch. Usually the network devices with an
embedded MA will be strategically located, such as a Carrier Grade
NAT or ISP Gateway. [I-D.ietf-ippm-lmap-path] gives many examples
where a MA might be located within a network to provide an
intermediate measurement point on the end-to-end path. Other
Eardley, et al. Expires November 14, 2014 [Page 28]
Internet-Draft LMAP Framework May 2014
examples include a network device whose primary role is to host MA
functions and the necessary measurement protocol.
6.3. Measurement Peer
A Measurement Peer participates in Active Measurement Tasks. It may
have specific functionality to enable it to participate in a
particular Measurement Method. On the other hand, other Measurement
Methods may require no special functionality, for example if the
Measurement Agent sends a ping to example.com then the server at
example.com plays the role of a Measurement Peer.
A device may participate in some Measurement Tasks as a Measurement
Agent and in others as a Measurement Peer.
Measurement Schedules should account for limited resources in a
Measurement Peer when instructing a MA to execute measurements with a
Measurement Peer. In some measurement protocols, such as [RFC4656]
and [RFC5357], the Measurement Peer can reject a measurement session
or refuse a control connection prior to setting-up a measurement
session and so protect itself from resource exhaustion. This is a
valuable capability because the MP may be used by more than one
organisation.
7. Security considerations
The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who
could be impacted by a compromised measurement deployment. The
measurement system must secure the various components of the system
from unauthorised access or corruption. Much of the general advice
contained in section 6 of [RFC4656] is applicable here.
We assume that each Measurement Agent (MA) will receive its
Instructions from a single organisation, which operates the
Controller. These Instructions must be authenticated (to ensure that
they come from the trusted Controller), checked for integrity (to
ensure no-one has tampered with them) and not vulnerable to replay
attacks. If a malicious party can gain control of the MA they can
use it to launch DoS attacks at targets, reduce the end user's
quality of experience and corrupt the Measurement Results that are
reported to the Collector. By altering the Measurement Tasks and/or
the address that Results are reported to, they can also compromise
the confidentiality of the network user and the MA environment (such
as information about the location of devices or their traffic). The
Instruction messages also need to be encrypted to maintain
confidentiality, as the information might be useful to an attacker.
Eardley, et al. Expires November 14, 2014 [Page 29]
Internet-Draft LMAP Framework May 2014
The process to upgrade the firmware in an MA is outside the scope of
the initial LMAP work, similar to the protocol to bootstrap the MAs
(as specified in the charter). However, systems which provide remote
upgrade must secure authorised access and integrity of the process.
Reporting by the MA must also be secured to maintain confidentiality.
The results must be encrypted such that only the authorised Collector
can decrypt the results to prevent the leakage of confidential or
private information. In addition it must be authenticated that the
results have come from the expected MA and that they have not been
tampered with. It must not be possible to fool a MA into injecting
falsified data into the measurement platform or to corrupt the
results of a real MA. The results must also be held and processed
securely after collection and analysis.
Reporting by the MA must be encrypted to maintain confidentiality, to
prevent the leakage of confidential or private information.
Reporting must also be authenticated (to ensure that it comes from a
trusted MA) and not vulnerable to tampering (which can be ensured
through integrity and replay checks). It must not be possible to
fool a MA into injecting falsified data and the results must also be
held and processed securely after collection and analysis See section
8.5.2 below for additional considerations on stored data compromise,
and section 8.6 on potential mitigations for compromise.
Since Collectors will be contacted repeatedly by MAs using the
Collection Protocol to convey their recent results, a successful
attack to exhaust the communication resources would prevent a
critical operation: reporting. Therefore, all LMAP Collectors should
implement technical mechanisms to:
o limit the number of reporting connections from a single MA
(simultaneous, and connections per unit time).
o limit the transmission rate from a single MA.
o limit the memory/storage consumed by a single MA's reports.
o efficiently reject reporting connections from unknown sources.
o separate resources if multiple authentication strengths are used,
where the resources should be separated according to each class of
strength.
o limit iteration counters to generate keys with both a lower and
upper limit, to prevent an attacking system from requesting the
maximum and causing the Controller to stall on the process (see
section 6 of [RFC5357]).
Eardley, et al. Expires November 14, 2014 [Page 30]
Internet-Draft LMAP Framework May 2014
Many of the above considerations are applicable to a "pull" model,
where the MA must contact the Controller because NAT or other network
aspect prevents Controllers from contacting MAs directly.
Availability should also be considered. While the loss of some MAs
may not be considered critical, the unavailability of the Collector
could mean that valuable business data or data critical to a
regulatory process is lost. Similarly, the unavailability of a
Controller could mean that the MAs do not operate a correct
Measurement Schedule.
The security mechanisms described above may not be strictly necessary
if the network's design ensures the LMAP components and their
communications are already secured, for example potentially if they
are all part of an ISP's dedicated management network.
A malicious party could "game the system". For example, where a
regulator is running a measurement system in order to benchmark
operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. Normally,
this potential issue is handled by a code of conduct. It is outside
the scope of the initial LMAP work to consider the issue.
8. Privacy Considerations for LMAP
The LMAP work considers privacy as a core requirement and will ensure
that by default the Control and Report Protocols operate in a
privacy-sensitive manner and that privacy features are well-defined.
This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the timely publication of [RFC6973].
Privacy and security (Section 7) are related. In some jurisdictions
privacy is called data protection.
We begin with a set of assumptions related to protecting the
sensitive information of individuals and organisations participating
in LMAP-orchestrated measurement and data collection.
8.1. Categories of Entities with Information of Interest
LMAP protocols need to protect the sensitive information of the
following entities, including individuals and organisations who
participate in measurement and collection of results.
o Individual Internet users: Persons who utilise Internet access
services for communications tasks, according to the terms of
service of a service agreement. Such persons may be a service
Eardley, et al. Expires November 14, 2014 [Page 31]
Internet-Draft LMAP Framework May 2014
Subscriber, or have been given permission by the Subscriber to use
the service.
o Internet service providers: Organisations who offer Internet
access service subscriptions, and thus have access to sensitive
information of individuals who choose to use the service. These
organisations desire to protect their Subscribers and their own
sensitive information which may be stored in the process of
performing Measurement Tasks and collecting and Results.
o Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive
information.
o Other LMAP system operators: Organisations who operate measurement
systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we include
discussion of ISPs and other LMAP system operators in this section.
These organisations have sensitive information involved in the LMAP
system, and many of the same dangers and mitigations are applicable.
Further, the ISPs store information on their Subscribers beyond that
used in the LMAP system (for instance billing information), and there
should be a benefit in considering all the needs and potential
solutions coherently.
8.2. Examples of Sensitive Information
This section gives examples of sensitive information which may be
measured or stored in a measurement system, and which is to be kept
private by default in the LMAP core protocols.
Examples of Subscriber or authorised Internet user sensitive
information:
o Sub-IP layer addresses and names (MAC address, base station ID,
SSID)
o IP address in use
o Personal Identification (real name)
o Location (street address, city)
o Subscribed service parameters
Eardley, et al. Expires November 14, 2014 [Page 32]
Internet-Draft LMAP Framework May 2014
o Contents of traffic (activity, DNS queries, destinations,
equipment types, account info for other services, etc.)
o Status as a study volunteer and Schedule of (Active) Measurement
Tasks
Examples of Internet Service Provider sensitive information:
o Measurement device identification (equipment ID and IP address)
o Measurement Instructions (choice of measurements)
o Measurement Results (some may be shared, others may be private)
o Measurement Schedule (exact times)
o Network topology (locations, connectivity, redundancy)
o Subscriber billing information, and any of the above Subscriber
information known to the provider.
o Authentication credentials (such as certificates)
Other organisations will have some combination of the lists above.
The LMAP system would not typically expose all of the information
above, but could expose a combination of items which could be
correlated with other pieces collected by an attacker (as discussed
in the section on Threats below).
8.3. Key Distinction Between Active and Passive Measurement Tasks
Passive and Active Measurement Tasks raise different privacy issues.
Passive Measurement Tasks are conducted on one or more user's
traffic, such that sensitive information is present and stored in the
measurement system (however briefly this storage may be). We note
that some authorities make a distinction on time of storage, and
information that is kept only temporarily to perform a communications
function is not subject to regulation (for example, active queue
management, deep packet inspection). Passive Measurement Tasks could
reveal all the websites a Subscriber visits and the applications and/
or services they use.
Active Measurement Tasks are conducted on traffic which is created
specifically for the purpose. Even if a user host generates Active
Measurement Traffic, there is limited sensitive information about the
Subscriber present and stored in the measurement system compared to
the passive case, as follows:
Eardley, et al. Expires November 14, 2014 [Page 33]
Internet-Draft LMAP Framework May 2014
o IP address in use (and possibly sub-IP addresses and names)
o Status as a study volunteer and Schedule of Active Measurement
Tasks
On the other hand, for a service provider the sensitive information
like Measurement Results is the same for Passive and Active
Measurement Tasks.
From the Subscriber perspective, both Active and Passive Measurement
Tasks potentially expose the description of Internet access service
and specific service parameters, such as subscribed rate and type of
access.
8.4. Privacy analysis of the Communications Models
This section examines each of the protocol exchanges described at a
high level in Section 5 and some example Measurement Tasks, and
identifies specific sensitive information which must be secured
during communication for each case. With the protocol-related
sensitive information identified, we can better consider the threats
described in the following section.
From the privacy perspective, all entities participating in LMAP
protocols can be considered "observers" according to the definition
in [RFC6973]. Their stored information potentially poses a threat to
privacy, especially if one or more of these functional entities has
been compromised. Likewise, all devices on the paths used for
control, reporting, and measurement are also observers.
8.4.1. MA Bootstrapping
Section 5.1 provides the communication model for the Bootstrapping
process.
Although the specification of mechanisms for Bootstrapping the MA are
beyond the initial LMAP work scope, designers should recognize that
the Bootstrapping process is extremely powerful and could cause an MA
to join a new or different LMAP system with a different Controller
and Collector, or simply install new Measurement Methods (for example
to passively record DNS queries). A Bootstrap attack could result in
a breach of the LMAP system with significant sensitive information
exposure depending on the capabilities of the MA, so sufficient
security protections are warranted.
The Bootstrapping process provides sensitive information about the
LMAP system and the organisation that operates it, such as
Eardley, et al. Expires November 14, 2014 [Page 34]
Internet-Draft LMAP Framework May 2014
o Initial Controller IP address or FQDN
o Assigned Controller IP address or FQDN
o Security certificates and credentials
During the Bootstrap process for an MA located at a single
subscriber's service demarcation point, the MA receives a MA-ID which
is a persistent pseudonym for the Subscriber. Thus, the MA-ID is
considered sensitive information because it could provide the link
between Subscriber identification and Measurements Results.
Also, the Bootstrap process could assign a Group-ID to the MA. The
specific definition of information represented in a Group-ID is to be
determined, but several examples are envisaged including use as a
pseudonym for a set of Subscribers, a class of service, an access
technology, or other important categories. Assignment of a Group-ID
enables anonymisation sets to be formed on the basis of service type/
grade/rates. Thus, the mapping between Group-ID and MA-ID is
considered sensitive information.
8.4.2. Controller <-> Measurement Agent
The high-level communication model for interactions between the LMAP
Controller and Measurement Agent is illustrated in Section 5.2. The
primary purpose of this exchange is to authenticate and task a
Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously.
Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged
with a capability request, then measurement-related information of
interest such as the parameters, schedule, metrics, and IP addresses
of measurement devices. Thus, the measurement Instruction contains
sensitive information which must be secured. For example, the fact
that an ISP is running additional measurements beyond the set
reported externally is sensitive information, as are the additional
Measurements Tasks themselves. The Measurement Schedule is also
sensitive, because an attacker intending to bias the results without
being detected can use this information to great advantage.
An organisation operating the Controller having no service
relationship with a user who hosts the Measurement Agent *could* gain
real-name mapping to a public IP address through user participation
in an LMAP system (this applies to the Measurement Collection
protocol, as well).
Eardley, et al. Expires November 14, 2014 [Page 35]
Internet-Draft LMAP Framework May 2014
8.4.3. Collector <-> Measurement Agent
The high-level communication model for interactions between the
Measurement Agent and Collector is illustrated in Section 5.4. The
primary purpose of this exchange is to authenticate and collect
Measurement Results from a MA, which the MA has measured autonomously
and stored.
The Measurement Results are the additional sensitive information
included in the Collector-MA exchange. Organisations collecting LMAP
measurements have the responsibility for data control. Thus, the
Results and other information communicated in the Collector protocol
must be secured.
8.4.4. Measurement Peer <-> Measurement Agent
Although the specification of the mechanisms for an Active
Measurement Task is beyond the scope of the initial LMAP work, it
raises potential privacy issues. The high-level communications model
below illustrates the various exchanges to execute Active Measurement
Tasks and store the Results.
We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation.
The various messages are optional, depending on the nature of the
Active Measurement Task. It may involve sending Active Measurement
Traffic from the Measurement Peer to MA, MA to Measurement Peer, or
both.
Eardley, et al. Expires November 14, 2014 [Page 36]
Internet-Draft LMAP Framework May 2014
_________________ _________________
| | | |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________| |_________________|
<- (Key Negotiation &
Encryption Setup)
(Encrypted Channel ->
Established)
(Announce capabilities ->
& status)
<- (Select capabilities)
ACK ->
<- (Measurement Request
(MA+MP IPAddrs,set of
Metrics, Schedule))
ACK ->
Active Measurement Traffic <> Active Measurement Traffic
(may/may not be encrypted) (may/may not be encrypted)
<- (Stop Measurement Task)
Measurement Results ->
(if applicable)
<- ACK, Close
This exchange primarily exposes the IP addresses of measurement
devices and the inference of measurement participation from such
traffic. There may be sensitive information on key points in a
service provider's network included. There may also be access to
measurement-related information of interest such as the Metrics,
Schedule, and intermediate results carried in the Active Measurement
Traffic (usually a set of timestamps).
If the Active Measurement Traffic is unencrypted, as found in many
systems today, then both timing and limited results are open to on-
path observers.
8.4.5. Passive Measurement Agent
Although the specification of the mechanisms for a Passive
Measurement Task is beyond the scope of the initial LMAP work, it
raises potential privacy issues.
The high-level communications model below illustrates the collection
of user information of interest with the Measurement Agent performing
the monitoring and storage of the Results. This particular exchange
Eardley, et al. Expires November 14, 2014 [Page 37]
Internet-Draft LMAP Framework May 2014
is for passive measurement of DNS Response Time, which most
frequently uses UDP transport.
_________________ ____________
| | | |
| DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________|
______|_______
| |
| Measurement |
| Agent |
|______________|
<- Name Resolution Req
(MA+MP IPAddrs,
Desired Domain Name)
Return Record ->
This exchange primarily exposes the IP addresses of measurement
devices and the intent to communicate with or access the services of
"Domain Name". There may be information on key points in a service
provider's network, such as the address of one of its DNS servers.
The Measurement Agent may be embedded in the user host, or it may be
located in another device capable of observing user traffic.
In principle, any of the user sensitive information of interest
(listed above) can be collected and stored in the passive monitoring
scenario and so must be secured.
It would also be possible for a Measurement Agent to source the DNS
query itself. But then, as with any active measurement task, there
are few privacy concerns.
8.4.6. Storage and Reporting of Measurement Results
Although the mechanisms for communicating results (beyond the initial
Collector) are beyond the initial LMAP work scope, there are
potential privacy issues related to a single organisation's storage
and reporting of Measurement Results. Both storage and reporting
functions can help to preserve privacy by implementing the
mitigations described below.
8.5. Threats
This section indicates how each of the threats described in [RFC6973]
apply to the LMAP entities and their communication and storage of
"information of interest". Denial of Service (DOS) and other attacks
Eardley, et al. Expires November 14, 2014 [Page 38]
Internet-Draft LMAP Framework May 2014
described in the Security section represent threats as well, and
these attacks are more effective when sensitive information
protections have been compromised.
8.5.1. Surveillance
Section 5.1.1 of [RFC6973] describes Surveillance as the "observation
or monitoring of and individual's communications or activities."
Hence all Passive Measurement Tasks are a form of surveillance, with
inherent risks.
Active Measurement Methods which avoid periods of user transmission
indirectly produce a record of times when a subscriber or authorised
user has used their network access service.
Active Measurement Methods may also utilise and store a Subscriber's
currently assigned IP address when conducting measurements that are
relevant to a specific Subscriber. Since the Measurement Results are
time-stamped, they could provide a record of IP address assignments
over time.
Either of the above pieces of information could be useful in
correlation and identification, described below.
8.5.2. Stored Data Compromise
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
resulting from inadequate measures to secure stored data from
unauthorised or inappropriate access. For LMAP systems this includes
deleting or modifying collected measurement records, as well as data
theft.
The primary LMAP entity subject to compromise is the repository,
which stores the Measurement Results; extensive security and privacy
threat mitigations are warranted. The Collector and MA also store
sensitive information temporarily, and need protection. The
communications between the local storage of the Collector and the
repository is beyond the scope of the initial LMAP work, though this
communications channel will certainly need protection as well as the
mass storage itself.
The LMAP Controller may have direct access to storage of Subscriber
information (location, billing, service parameters, etc.) and other
information which the controlling organisation considers private, and
again needs protection.
Note that there is tension between the desire to store all raw
results in the LMAP Collector (for reproducibility and custom
Eardley, et al. Expires November 14, 2014 [Page 39]
Internet-Draft LMAP Framework May 2014
analysis), and the need to protect the privacy of measurement
participants. Many of the compromise mitigations described in
section 8.6 below are most efficient when deployed at the MA,
therefore minimizing the risks with stored results.
8.5.3. Correlation and Identification
Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as
combining various pieces of information to obtain desired
characteristics of an individual, and Identification as using this
process to infer identity.
The main risk is that the LMAP system could unwittingly provide a key
piece of the correlation chain, starting with an unknown Subscriber's
IP address and another piece of information. For example, a
Subscriber utilised Internet access from 2000 to 2310 UTC, because
the Active Measurement Tasks were deferred, or sent a name resolution
for www.example.com at 2300 UTC.
8.5.4. Secondary Use and Disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as
unauthorised utilisation of an individual's information for a purpose
the individual did not intend, and Disclosure is when such
information is revealed causing other's notions of the individual to
change, or confidentiality to be violated.
Passive Measurement Tasks are a form of Secondary Use, and the
Subscribers' permission should be obtained beforehand. It may be
necessary to obtain the measured ISP's permission to conduct
measurements, for example when required by the terms and conditions
of the service agreement, and notification is considered good
measurement practice. Although user traffic is only indirectly
involved, the Measurement Results from Active Measurement Tasks
provide some limited information about the Subscriber or ISP and
could result in Secondary Uses. For example, the use of the Results
in unauthorised marketing campaigns would qualify as Secondary Use.
Secondary use may break national laws and regulations, and may
violate individual's expectations or desires.
8.6. Mitigations
This section examines the mitigations listed in section 6 of
[RFC6973] and their applicability to LMAP systems. Note that each
section in [RFC6973] identifies the threat categories that each
technique mitigates.
Eardley, et al. Expires November 14, 2014 [Page 40]
Internet-Draft LMAP Framework May 2014
8.6.1. Data Minimisation
Section 6.1 of [RFC6973] encourages collecting and storing the
minimal information needed to perform a task.
There are two levels of information detail needed for LMAP results to
be useful for a specific task: troubleshooting and general results
reporting, as explained in the paragraphs below.
For general results, the results can be aggregated into large
categories (the month of March, all subscribers West of the
Mississippi River). In this case, all individual identifications
(including IP address of the MA) can be excluded, and only relevant
results are provided. However, this implies a filtering process to
reduce the information fields, because greater detail was needed to
conduct the Measurement Tasks in the first place.
For troubleshooting, so that a network operator or end user can
identify a performance issue or failure, potentially all the network
information (IP addresses, equipment IDs, location), Measurement
Schedule, service configuration, Measurement Results, and other
information may assist in the process. This includes the information
needed to conduct the Measurements Tasks, and represents a need where
the maximum relevant information is desirable, therefore the greatest
protections should be applied. This level of detail is greater than
needed for general results.
We note that a user may give temporary permission for Passive
Measurement Tasks to enable detailed troubleshooting, but withhold
permission for them in general. Here the greatest breadth of
sensitive information is potentially exposed, and the maximum privacy
protection must be provided.
For MAs with access to the sensitive information of users (e.g.,
within a home or a personal host/handset), it is desirable for the
results collection to minimise the data reported, but also to balance
this desire with the needs of troubleshooting when a service
subscription exists between the user and organisation operating the
measurements.
For passive measurements where the MA reports flow information to the
Collector, the Collector may perform pre-storage minimisation and
other mitigations (below) to help preserve privacy.
Eardley, et al. Expires November 14, 2014 [Page 41]
Internet-Draft LMAP Framework May 2014
8.6.2. Anonymity
Section 6.1.1 of [RFC6973] describes a way in which anonymity is
achieved: "there must exist a set of individuals that appear to have
the same attributes as the individual", defined as an "anonymity
set".
Experimental methods for anonymisation of user identifiable data
applicable to Passive Measurement Methods have been identified in
[RFC6235]. However, the findings of several of the same authors is
that "there is increasing evidence that anonymisation applied to
network trace or flow data on its own is insufficient for many data
protection applications as in [Bur10]."
Essentially, the details of passive measurement tasks can only be
accessed by closed organisations, and unknown injection attacks are
always less expensive than the protections from them. However, some
forms of summary may protect the user's sensitive information
sufficiently well, and so each Metric must be evaluated in the light
of privacy.
The methods in [RFC6235] could be applied more successfully in Active
Measurement Methods, where there are protections from injection
attack. The successful attack would require breaking the integrity
protection of the LMAP Reporting Protocol and injecting Measurement
Results (known fingerprint, see section 3.2 of [RFC6973]) for
inclusion with the shared and anonymised results, then fingerprinting
those records to ascertain the anonymisation process.
Beside anonymisation of measured Results for a specific user or
provider, the value of sensitive information can be further diluted
by summarising the results over many individuals or areas served by
the provider. There is an opportunity enabled by forming anonymity
sets [RFC6973] based on the reference path measurement points in
[I-D.ietf-ippm-lmap-path]. For example, all measurements from the
Subscriber device can be identified as "mp000", instead of using the
IP address or other device information. The same anonymisation
applies to the Internet Service Provider, where their Internet
gateway would be referred to as "mp190".
8.6.3. Pseudonymity
Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
are a possible mitigation to revealing one's true identity, since
there is no requirement to use real names in almost all protocols.
A pseudonym for a measurement device's IP address could be an LMAP-
unique equipment ID. However, this would likely be a permanent
Eardley, et al. Expires November 14, 2014 [Page 42]
Internet-Draft LMAP Framework May 2014
handle for the device, and long-term use weakens a pseudonym's power
to obscure identity.
8.6.4. Other Mitigations
Data can be de-personalised by blurring it, for example by adding
synthetic data, data-swapping, or perturbing the values in ways that
can be reversed or corrected.
Sections 6.2 and 6.3 of [RFC6973] describe User Participation and
Security, respectively.
Where LMAP measurements involve devices on the Subscriber's premises
or Subscriber-owned equipment, it is essential to secure the
Subscriber's permission with regard to the specific information that
will be collected. The informed consent of the Subscriber (and, if
different, the end user) may be needed, including the specific
purpose of the measurements. The approval process could involve
showing the Subscriber their measured information and results before
instituting periodic collection, or before all instances of
collection, with the option to cancel collection temporarily or
permanently.
It should also be clear who is legally responsible for data
protection (privacy); in some jurisdictions this role is called the
'data controller'. It is always good practice to limit the time of
personal information storage.
Although the details of verification would be impenetrable to most
subscribers, the MA could be architected as an "app" with open
source-code, pre-download and embedded terms of use and agreement on
measurements, and protection from code modifications usually provided
by the app-stores. Further, the app itself could provide data
reduction and temporary storage mitigations as appropriate and
certified through code review.
LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorised access. This is the hand-off between
privacy and security considerations (Section 7). The Data Controller
has the (legal) responsibility to maintain data protections described
in the Subscriber's agreement and agreements with other
organisations.
9. IANA Considerations
There are no IANA considerations in this memo.
Eardley, et al. Expires November 14, 2014 [Page 43]
Internet-Draft LMAP Framework May 2014
10. Appendix: Deployment examples
In this section we describe some deployment scenarios that are
feasible within the LMAP framework defined in this document.
The LMAP framework defines two types of components involved in the
actual measurement task, namely the Measurement Agent (MA) and the
Measurement Peer (MP). The fundamental difference conveyed in the
definition of these terms is that the MA has a interface with the
Controller/Collector while the MP does not. The MP is broadly
defined as a function that assists the MA in the Measurement Task but
has no interface with the Controller/Collector. There are many
elements in the network that can fall into this broad definition of
MP. We believe that the MP terminology is useful to allow us to
refer an element of the network that plays a role that is
conceptually important to understand and describe the measurement
task being performed. We next illustrate these concepts by
describing several deployment scenarios.
A very simple example of a Measurement Peer is a web server that the
MA is downloading a web page from (such as www.example.com) in order
to perform a speed test. The web server is a MP and from its
perspective, the MA is just another client; the MP doesn't have a
specific function for assisting measurements. This is described in
the figure A1.
^
+----------------+ Web Traffic +----------------+ IPPM
| Web Client |<------------>| MP: Web Server | Scope
| | +----------------+ |
...|................|....................................V...
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ V
Figure A1: Schematic of LMAP-based measurement system,
with Web server as Measurement Peer
Another case that is slightly different than this would be the one of
a TWAMP-responder. This is also a MP, with a helper function, the
TWAMP server, which is specially deployed to assist the MAs that
Eardley, et al. Expires November 14, 2014 [Page 44]
Internet-Draft LMAP Framework May 2014
perform TWAMP tests. Another example is with a ping server, as
described in Section 2.
A further example is the case of a traceroute like measurement. In
this case, for each packet sent, the router where the TTL expires is
performing the MP function. So for a given Measurement Task, there
is one MA involved and several MPs, one per hop.
In figure A2 we depict the case of an OWAMP responder acting as an
MP. In this case, the helper function in addition reports results
back to the MA. So it has both a data plane and control interface
with the MA.
+----------------+ OWAMP +----------------+ ^
| OWAMP |<--control--->| MP: | |
| control-client |>test-traffic>| OWAMP server & | IPPM
| fetch-client & |<----fetch----| session-rec'ver| Scope
| session-sender | | | |
| | +----------------+ |
...|................|....................................v...
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
IPPM
Figure A2: Schematic of LMAP-based measurement system,
with OWAMP server as Measurement Peer
However, it is also possible to use two Measurement Agents when
performing one way Measurement Tasks, as described in figure A3
below. In this case, MA1 generates the traffic and MA2 receives the
traffic and send the reports to the Collector. Note that both MAs
are instructed by the Controller. MA1 receives an Instruction to
send the traffic and MA2 receives an Instruction to measured the
received traffic and send Reports to the Collector.
Eardley, et al. Expires November 14, 2014 [Page 45]
Internet-Draft LMAP Framework May 2014
+----------------+ +----------------+ ^
| MA1 | | MA2 | IPPM
| iperf -u sender|-UDP traffic->| iperf -u recvr | Scope
| | | | v
...|................|..............|................|....v...
| LMAP interface | | LMAP interface | ^
+----------------+ +----------------+ |
^ ^ | |
Instruction | Instruction{Report} | | Report |
{task, | +-------------------+ | |
schedule} | | | |
| | v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
IPPM
Figure A3: Schematic of LMAP-based measurement system,
with two Measurement Agents cooperating to measure UDP traffic
Next, we consider Passive Measurement Tasks. Traffic generated in
one point in the network flowing towards a given destination and the
traffic is passively observed in some point along the path. One way
to implement this is that the endpoints generating and receiving the
traffic are not instructed by the Controller; hence they are MPs.
The MA is located along the path with a passive monitor function that
measures the traffic. The MA is instructed by the Controller to
monitor that particular traffic and to send the Report to the
Collector. It is depicted in figure A4 below.
Eardley, et al. Expires November 14, 2014 [Page 46]
Internet-Draft LMAP Framework May 2014
+-----+ +----------------+ +------+ ^
| MP | | Passive Monitor| | MP | IPPM
| |<--|----------------|---traffic--->| | Scope
+-----+ | | +------+ |
.......|................|.........................v...........
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
Figure A4: Schematic of LMAP-based measurement system,
with a Measurement Agent passively monitoring traffic
Finally, we should consider the case of a router or a switch along
the measurement path. This certainly performs an important role in
the measurement - if packets are not forwarded, the measurement task
will not work. Whilst it doesn't has an interface with the
Controller or Collector, and so fits into the definition of MP,
usually it is not particularly useful to highlight it as a MP.
11. Acknowledgments
This document is a merger of three individual drafts: draft-eardley-
lmap-terminology-02, draft-akhter-lmap-framework-00, and draft-
eardley-lmap-framework-02.
Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. Thanks to Charles Cook for a very detailed review of
-02.
Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dave Thorne, Frode Soerensen, Greg Mirsky,
Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit,
Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Lingli
Deng, Michael Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi,
Steve Miller, Ted Lemon, Timothy Carey, Vaibhav Bajpai, William
Lupton.
Eardley, et al. Expires November 14, 2014 [Page 47]
Internet-Draft LMAP Framework May 2014
Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
the Leone research project, which receives funding from the European
Union Seventh Framework Programme [FP7/2007-2013] under grant
agreement number 317647.
12. History
First WG version, copy of draft-folks-lmap-framework-00.
12.1. From -00 to -01
o new sub-section of possible use of Group-IDs for privacy
o tweak to definition of Control protocol
o fix typo in figure in S5.4
12.2. From -01 to -02
o change to INFORMATIONAL track (previous version had typo'd
Standards track)
o new definitions for Capabilities Information and Failure
Information
o clarify that diagrams show LMAP-level information flows.
Underlying protocol could do other interactions, eg to get through
NAT or for Collector to pull a Report
o add hint that after a re-boot should pause random time before re-
register (to avoid mass calling event)
o delete the open issue "what happens if a Controller fails" (normal
methods can handle)
o add some extra words about multiple Tasks in one Schedule
o clarify that new Schedule replaces (rather than adds to) and old
one. Similarly for new configuration of Measurement Tasks or
Report Channels.
o clarify suppression is temporary stop; send a new Schedule to
permanently stop Tasks
o alter suppression so it is ACKed
o add un-suppress message
Eardley, et al. Expires November 14, 2014 [Page 48]
Internet-Draft LMAP Framework May 2014
o expand the text on error reporting, to mention Reporting failures
(as well as failures to action or execute Measurement Task &
Schedule)
o add some text about how to have Tasks running indefinitely
o add that optionally a Report is not sent when there are no
Measurement Results
o add that a Measurement Task may create more than one Measurement
Result
o clarify /amend /expand that Reports include the "raw" Measurement
Results - any pre-processing is left for lmap2.0
o add some cautionary words about what if the Collector unexpectedly
doesn't hear from a MA
o add some extra words about the potential impact of Measurement
Tasks
o clarified various aspects of the privacy section
o updated references
o minor tweaks
12.3. From -02 to -03
o alignment with the Information Model [burbridge-lmap-information-
model] as this is agreed as a WG document
o One-off and periodic Measurement Schedules are kept separate, so
that they can be updated independently
o Measurement Suppression in a separate sub-section. Can now
optionally include particular Measurement Tasks &/or Schedules to
suppress, and start/stop time
o for clarity, concept of Channel split into Control, Report and MA-
to-Controller Channels
o numerous editorial changes, mainly arising from a very detailed
review by Charles Cook
o
Eardley, et al. Expires November 14, 2014 [Page 49]
Internet-Draft LMAP Framework May 2014
12.4. From -03 to -04
o updates following the WG Last Call, with the proposed consensus on
the various issues as detailed in http://tools.ietf.org/agenda/89/
slides/slides-89-lmap-2.pdf. In particular:
o tweaked definitions, especially of Measurement Agent and
Measurement Peer
o Instruction - left to each implementation & deployment of LMAP to
decide on the granularity at which an Instruction Message works
o words added about overlapping Measurement Tasks (measurement
system can handle any way they choose; Report should mention if
the Task overlapped with another)
o Suppression: no defined impact on Passive Measurement Task; extra
option to suppress on-going Active Measurement Tasks; suppression
doesn't go to Measurement Peer, since they don't understand
Instructions
o new concept of Data Transfer Task (and therefore adjustment of the
Channel concept)
o enhancement of Results with Subscriber's service parameters -
could be useful, don't define how but can be included in Report to
various other sections
o various other smaller improvements, arising from the WGLC
o Appendix added with examples of Measurement Agents and Peers in
various deployment scenarios. To help clarify what these terms
mean.
12.5. From -04 to -05
o clarified various scoping comments by using the phrase "scope of
initial LMAP work" (avoiding "scope of LMAP WG" since this may
change in the future)
o added a Configuration Protocol - allows the Controller to update
the MA about information that it obtained during the bootstrapping
process (for consistency with Information Model)
o Removed over-detailed information about the relationship between
the different items in Instruction, as this seems more appropriate
for the information model. Clarified that the lists given are
Eardley, et al. Expires November 14, 2014 [Page 50]
Internet-Draft LMAP Framework May 2014
about the aims and not a list of information elements (these will
be defined in draft-ietf-information-model).
o the Measurement Method, specified as a URI to a registry entry -
rather than a URN
o MA configured with time limit after which, if it hasn't heard from
Controller, then it stops running Measurement Tasks (rather than
this being part of a Schedule)
o clarified there is no distinction between how capabilities,
failure and logging information are transferred (all can be when
requested by Controller or by MA on its own initiative).
o removed mention of Data Transfer Tasks. This abstraction is left
to the information model i-d
o added Deployment sub-section about Measurement Agent embedded in
ISP Network
o various other smaller improvements, arising from the 2nd WGLC
13. Informative References
[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
"The Role of Network Trace anonymisation Under Attack",
January 2010.
[Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM-
evolved UMTS core network",
http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011.
[TR-069] TR-069, , "CPE WAN Management Protocol",
http://www.broadband-forum.org/technical/trlist.php,
November 2013.
[UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP
Device Control Protocols specifications",
http://upnp.org/sdcps-and-certification/standards/, 2011.
[RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987.
[RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
June 2005.
Eardley, et al. Expires November 14, 2014 [Page 51]
Internet-Draft LMAP Framework May 2014
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, July
2005.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, October 2008.
[I-D.ietf-lmap-use-cases]
Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
"Large-Scale Broadband Measurement Use Cases", draft-ietf-
lmap-use-cases-03 (work in progress), April 2014.
[I-D.manyfolks-ippm-metric-registry]
Bagnulo, M., Claise, B., Eardley, P., and A. Morton,
"Registry for Performance Metrics", draft-manyfolks-ippm-
metric-registry-00 (work in progress), February 2014.
[I-D.ietf-homenet-arch]
Chown, T., Arkko, J., Brandt, A., Troan, O., and J. Weil,
"IPv6 Home Networking Architecture Principles", draft-
ietf-homenet-arch-13 (work in progress), March 2014.
[RFC6419] Wasserman, M. and P. Seite, "Current Practices for
Multiple-Interface Hosts", RFC 6419, November 2011.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P.
Selkirk, "Port Control Protocol (PCP)", RFC 6887, April
2013.
[I-D.ietf-lmap-information-model]
Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", draft-ietf-lmap-
information-model-00 (work in progress), February 2014.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization
Support", RFC 6235, May 2011.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
Morris, J., Hansen, M., and R. Smith, "Privacy
Considerations for Internet Protocols", RFC 6973, July
2013.
Eardley, et al. Expires November 14, 2014 [Page 52]
Internet-Draft LMAP Framework May 2014
[I-D.ietf-ippm-lmap-path]
Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
A. Morton, "A Reference Path and Measurement Points for
LMAP", draft-ietf-ippm-lmap-path-02 (work in progress),
February 2014.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
Zekauskas, "A One-way Active Measurement Protocol
(OWAMP)", RFC 4656, September 2006.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
RFC 5357, October 2008.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between
Information Models and Data Models", RFC 3444, January
2003.
Authors' Addresses
Philip Eardley
BT
Adastral Park, Martlesham Heath
Ipswich
ENGLAND
Email: philip.eardley@bt.com
Al Morton
AT&T Labs
200 Laurel Avenue South
Middletown, NJ
USA
Email: acmorton@att.com
Marcelo Bagnulo
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
SPAIN
Phone: 34 91 6249500
Email: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es
Eardley, et al. Expires November 14, 2014 [Page 53]
Internet-Draft LMAP Framework May 2014
Trevor Burbridge
BT
Adastral Park, Martlesham Heath
Ipswich
ENGLAND
Email: trevor.burbridge@bt.com
Paul Aitken
Cisco Systems, Inc.
96 Commercial Street
Edinburgh, Scotland EH6 6LX
UK
Email: paitken@cisco.com
Aamer Akhter
Cisco Systems, Inc.
7025 Kit Creek Road
RTP, NC 27709
USA
Email: aakhter@cisco.com
Eardley, et al. Expires November 14, 2014 [Page 54]
