Network Working Group P. Eardley
Internet-Draft BT
Intended status: Informational A. Morton
Expires: October 02, 2014 AT&T Labs
M. Bagnulo
UC3M
T. Burbridge
BT
P. Aitken
A. Akhter
Cisco Systems
March 31, 2014

A framework for large-scale measurement platforms (LMAP)
draft-ietf-lmap-framework-04

Abstract

Measuring broadband service on a large scale requires a description of the logical architecture and standardisation of the key protocols that coordinate interactions between the components. The document presents an overall framework for large-scale measurements. It also defines terminology for LMAP (large-scale measurement platforms).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on October 02, 2014.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

There is a desire to be able to coordinate the execution of broadband measurements and the collection of measurement results across a large scale set of diverse devices. These devices could be software based agents on PCs, embedded agents in consumer devices (e.g. blu-ray players), service provider controlled devices such as set-top players and home gateways, or simply dedicated probes. It is expected that such a system could easily comprise 100,000 devices. Such a scale presents unique problems in coordination, execution and measurement result collection. Several use cases have been proposed for large-scale measurements including:

[I-D.ietf-lmap-use-cases]. The LMAP framework should be useful for these, as well as other use cases, such as to help end users run diagnostic checks like a network speed test.

Further details of the use cases can be found in

The LMAP framework has three basic elements: Measurement Agents, Controllers and Collectors.

Measurement Agents (MAs) perform the actual measurements, which are called Measurement Tasks in the LMAP terminology.

The Controller manages one or more MAs by instructing it which Measurement Tasks it should perform and when. For example it may instruct a MA at a home gateway: “Measure the ‘UDP latency’ with www.example.org; repeat every hour at xx.05”. The Controller also manages a MA by instructing it how to report the Measurement Results, for example: “Report results once a day in a batch at 4am”. We refer to these as the Measurement Schedule and Report Schedule.

The Collector accepts Reports from the MAs with the Results from their Measurement Tasks. Therefore the MA is a device that gets Instructions from the Controller, initiates the Measurement Tasks, and reports to the Collector.

There are additional elements that are part of a measurement system, but these are out of the scope for LMAP. We provide a detailed discussion of all the elements in the rest of the document.

The desirable features for a large-scale measurement systems we are designing for are:

2. Outline of an LMAP-based measurement system

Figure 1 shows the main components of a measurement system, and the interactions of those components. Some of the components are outside the scope of LMAP. In this section we provide an overview of the whole measurement system and we introduce the main terms needed for the LMAP framework. The new terms are capitalised. In the next section we provide a terminology section with a compilation of all the LMAP terms and their definition.

The main work of the LMAP working group is to define the Control Protocol between the Controller and MA, and the Report Protocol between the MA and Collector. Section 4 onwards considers the LMAP components in more detail.

The MA performs Measurement Tasks. The MAs are pieces of code that can be executed in specialised hardware (hardware probe) or on a general-purpose device (like a PC or mobile phone). A device with a Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL, fibre, etc.) and the Measurement Tasks may specify any one of these. Measurement Tasks may be Active (the MA generates Active Measurement Traffic and measures some metric associated with its transfer), Passive (the MA observes user traffic), or some hybrid form of the two.

The MA is managed by a Controller using the Control Protocol. The MA receives Instructions from the Controller about which Measurement Tasks it should perform and when. For example the Controller may instruct a MA at a home gateway: “Count the number of TCP SYN packets observed in a 1 minute interval; repeat every hour at xx.05 + Unif[0,180] seconds”. The Measurement Schedule determines when the Measurement Tasks are executed. The Controller also manages a MA by instructing it how to report the Measurement Results, for example: “Report results once a day in a batch at 4am + Unif[0,180] seconds; if the end user is active then delay the report 5 minutes”. The Report Schedule determines when the Reports are uploaded to the Collector. The Measurement chedule and Report Schedule can define one-off (non-recurring) actions ("Do measurement now", "Report as soon as possible"), as well as recurring ones.

The Collector accepts a Report from a MA with the Measurement Results from its Measurement Tasks. It then provides the Results to a repository (see below).

Some Measurement Tasks involve several MAs acting in a coordinated fashion. This coordination is achieved by the Controller instructing the multiple MAs in a coherent manner. In some Measurement Tasks the MA(s) is assisted by one or more network entities that are not managed by the Controller. The entities that helps the MA in the Measurement Tasks but are not managed by the Controller are called Measurement Peers (MPs). For example consider the case of a "ping" Measurement Task, to measure the round trip delay between the MA and a given ICMP ECHO responder in the Internet. In this case, the responder is the Measurement Peer. The ICMP ECHO request and ICMP ECHO Requests and Replies flowing between the MA and the MP is called Active Measurement Traffic. The Appendix has some other examples of possible arrangements of Measurement Agents and Peers.

A Measurement Method defines how to measure a Metric of interest. It is very useful to standardise Measurement Methods, so that it is meaningful to compare measurements of the same Metric made at different times and places. It is also useful to define a registry for commonly-used Metrics [I-D.manyfolks-ippm-metric-registry] so that a Measurement Method can be referred to simply by its identifier in the registry. The Measurement Methods and registry will hopefully be referenced by other standards organisations.

A Measurement Task is a specific instantiation of a Measurement Method.It generates a Measurement Result. An Active Measurement Task involves either a Measurement Agent (MA) injecting Active Measurement Traffic into the network destined for a Measurement Peer or for another Measurement Agent, and/or a Measurement Peer (or another Measurement Agent) sending Active Measurement Traffic to a MA; one of them measures some parameter associated with the transfer of the packet(s). A Passive Measurement Task involves a MA simply observing existing traffic - for example, it could count bytes or it might calculate the average loss for a particular flow.

In order for a Measurement Agent and a Measurement Peer (or another Measurement Agent) to execute an Active Measurement Task, they exchange Active Measurement Traffic. The protocols used for the Active Measurement Traffic are out of the scope of the LMAP WG; they fall within the scope of other IETF WGs such as IPPM.

For Measurement Results to be truly comparable, as might be required by a regulator, not only do the same Measurement Methods need to be used but also the set of Measurement Tasks should follow a similar Measurement Schedule and be of similar number. The details of such a characterisation plan are beyond the scope of work in IETF although certainly facilitated by IETF's work.

Finally we introduce several components that are out of scope of the LMAP WG and will be provided through existing protocols or applications. They affect how the measurement system uses the Measurement Results and how it decides what set of Measurement Tasks to perform.

The MA needs to be bootstrapped with initial details about its Controller, including authentication credentials. The LMAP WG considers the bootstrap process, since it affects the Information Model. However, it does not define a bootstrap protocol, since it is likely to be technology specific and could be defined by the Broadband Forum, CableLabs or IEEE depending on the device. Possible protocols are SNMP, NETCONF or (for Home Gateways) CPE WAN Management Protocol (CWMP) from the Auto Configuration Server (ACS) (as specified in TR-069 [TR-069]).

A Subscriber parameter database contains information about the line, such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), the line technology (DSL or fibre), the time zone where the MA is located, and the type of home gateway and MA. These parameters are already gathered and stored by existing operations systems. They may affect the choice of what Measurement Tasks to run and how to interpret the Measurement Results. For example, a download test suitable for a line with an 80Mb/s contract may overwhelm a 2Mb/s line.

A results repository records all Measurement Results in an equivalent form, for example an SQL database, so that they can easily be accessed by the data analysis tools.

The data analysis tools receive the results from the Collector or via the Results repository. They might visualise the data or identify which component or link is likely to be the cause of a fault or degradation. This information could help the Controller decide what follow-up Measurement Task to perform in order to diagnose a fault. The data analysis tools also need to understand the Subscriber's service information, for example the broadband contract.

                                                              ^
                                                              |
                                 Active    +-------------+    IPPM
            +---------------+  Measurement | Measurement |    Scope
            | Measurement   |<------------>|     Peer    |    |
            |   Agent       |   Traffic    +-------------+    v
   +------->|               |                                 ^
   |        +---------------+                                 |
   |              ^      |                                    |
   |  Instruction |      |  Report                            |
   |              |      +-----------------+                  |
   |              |                        |                  |
   |              |                        v                  LMAP
   |         +------------+             +------------+        Scope
   |         | Controller |             |  Collector |        |
   |         +------------+             +------------+        v
   |                ^   ^                       |             ^
   |                |   |                       |             |
   |                |   +----------+            |             |
   |                |              |            v             |
+------------+   +----------+    +--------+    +----------+   | 
|Bootstrapper|   |Subscriber|--->|  data  |<---|repository|   Out
+------------+   |parameter |    |analysis|    +----------+   of
                 |database  |    | tools  |                   Scope
                 +----------+    +--------+                   |  
                                                              |
                                                              v

Figure 1: Schematic of main elements of an LMAP-based 
measurement system
(showing the elements in and out of the scope of the LMAP WG)

3. Terminology

This section defines terminology for LMAP. Please note that defined terms are capitalized.

Active Measurement Method (Task): A Measurement Method (Task) in which a Measurement Agent creates or receives Active Measurement Traffic, by coordinating with one or more other Measurement Agents or Measurement Peers using protocols outside LMAP's scope.

Active Measurement Traffic: the packet(s) generated in order to execute an Active Measurement Task.

Bootstrap: A process that integrates a Measurement Agent into a measurement system.

Capabilities: Information about the Measurement Methods that the MA can perform and the device hosting the MA, for example its interface type and speed, but not dynamic information.

Channel: A bi-directional logical connection that is defined by a specific Controller and MA, or Collector and MA, plus associated security.

Collector: A function that receives a Report from a Measurement Agent.

Controller: A function that provides a Measurement Agent with its Instruction.

Control Channel: a Channel between a Controller and a MA over which Instruction Messages and Capabilities and Failure information are sent.

Control Protocol: The protocol delivering Instruction(s) from a Controller to a Measurement Agent. It also delivers Failure Information and Capabilities Information from the Measurement Agent to the Controller.

Cycle-ID: A tag that is sent by the Controller in an Instruction and echoed by the MA in its Report. The same Cycle-ID is used by several MAs that use the same Measurement Method with the same Input Parameters. Hence the Cycle-ID allows the Collector to easily identify Measurement Results that should be comparable.

Data Model: The implementation of an Information Model in a particular data modelling language [RFC3444].

Data Transfer Method: The process whereby: a Controller transfers information over a Control Channel to a MA; or a MA transfers information over a Control Channel to a Controller; or a MA transfers information over a Report Channel to a Collector; the generalisation of a Data Transfer Task.

Data Transfer Task: The act consisting of the (single) operation of a Data Transfer Method at a particular time.

Environmental Constraint: A parameter that is measured as part of the Measurement Task, its value determining whether the rest of the Measurement Task proceeds.

Failure Information: Information about the MA's failure to action or execute an Instruction, whether concerning Measurement Tasks or Reporting.

Group-ID: An identifier of a group of MAs.

Information Model: The protocol-neutral definition of the semantics of the Instructions, the Report, the status of the different elements of the measurement system as well of the events in the system [RFC3444].

Input Parameter: A parameter whose value is left open by the Measurement Method and is set to a specific value in a Measurement Task. Altering the value of an Input Parameter does not change the fundamental nature of the Measurement Method.

Instruction: The description of Measurement Tasks for a MA to perform and the details of the Report for it to send. It is the collective description of the Measurement Task configurations, the configuration of the Report Channel(s), the configuration of Data Transfer Tasks, the configuration of the Measurement Schedules, and the details of any suppression.

Instruction Message: The message that carries an Instruction from a Controller to a Measurement Agent.

Measurement Agent (MA): The function that receives Instruction Messages from a Controller and operates the Instruction by executing Measurement Tasks (using protocols outside LMAP's scope and perhaps in concert with one or more other Measurement Agents or Measurement Peers) and (if part of the Instruction) by reporting Measurement Results to a Collector or Collectors.

Measurement Agent Identifier (MA-ID): a UUID [RFC4122] that identifies a particular MA and is configured as part of the Bootstrapping process.

Measurement Method: The process for assessing the value of a Metric; the process of measuring some performance or reliability parameter associated with the transfer of traffic; the generalisation of a Measurement Task.

Measurement Peer (MP): The function that assists a Measurement Agent with Measurement Tasks and does not have an interface to the Controller or Collector.

Measurement Result: The output of a single Measurement Task (the value obtained for the parameter of interest or Metric).

Measurement Schedule: The schedule for performing Measurement Tasks.

Measurement Task: The act that consistsof the single operation of the Measurement Method at a particular time and with all its Input Parameters set to specific values.

Metric: The quantity related to the performance and reliability of the network that we'd like to know the value of, and that is carefully specified.

Passive Measurement Method (Task): A Measurement Method (Task) in which a Measurement Agent observes existing traffic but does not inject Active Measurement Traffic.

Report: The set of Measurement Results and other associated information (as defined by the Instruction). The Report is sent by a Measurement Agent to a Collector.

Report Channel: a communications channel between a MA and a Collector, which is defined by a specific MA, Collector, Report Schedule and associated security, and over which Reports are sent.

Report Protocol: The protocol delivering Report(s) from a Measurement Agent to a Collector.

Report Schedule: the schedule for sending Reports to a Collector.

Subscriber: An entity (associated with one or more users) that is engaged in a subscription with a service provider. The Subscriber is allowed to subscribe and un-subscribe services, and to register a user or a list of users authorized to enjoy these services. [Q1741]. Both the Subscriber and service provider are allowed to set the limits relative to the use that associated users make of subscribed services.

Suppression: the temporary cessation of Active Measurement Tasks.

4. Constraints

The LMAP framework makes some important assumptions, which constrain the scope of the work to be done.

4.1. Measurement system is under the direction of a single organisation

In the LMAP framework, the measurement system is under the direction of a single organisation that is responsible for any impact that measurements have on a user's quality of experience and privacy. Clear responsibility is critical given that a misbehaving large-scale measurement system could potentially harm user experience, user privacy and network security.

However, the components of an LMAP measurement system can be deployed in administrative domains that are not owned by the measuring organisation. Thus, the system of functions deployed by a single organisation constitutes a single LMAP domain which may span ownership or other administrative boundaries.

4.2. Each MA may only have a single Controller at any point in time

A MA is instructed by one Controller and is in one measurement system. The constraint avoids different Controllers giving a MA conflicting instructions and so means that the MA does not have to manage contention between multiple Measurement (or Report) Schedules. This simplifies the design of MAs (critical for a large-scale infrastructure) and allows a Measurement Schedule to be tested on specific types of MA before deployment to ensure that the end user experience is not impacted (due to CPU, memory or broadband-product constraints).

An operator may have several Controllers, perhaps with a Controller for different types of MA (home gateways, tablets) or location (Ipswich, Edinburgh).

5. LMAP Protocol Model

A protocol model [RFC4101] presents an architectural model for how the protocol operates and needs to answer three basic questions:

  1. What problem is the protocol trying to achieve?
  2. What messages are being transmitted and what do they mean?
  3. What are the important, but unobvious, features of the protocol?

An LMAP system goes through the following phases:

The diagrams show the various LMAP messages and usesthe following convention:

The protocol model is closely related to the Information Model [I-D.burbridge-lmap-information-model], which is the abstract definition of the information carried by the protocol model. The purpose of both is to provide a protocol and device independent view, which can be implemented via specific protocols. The LMAP WG will define a specific Control Protocol and Report Protocol, but others could be defined by other standards bodies or be proprietary. However it is important that they all implement the same Information Model and protocol model, in order to ease the definition, operation and interoperability of large-scale measurement systems.

5.1. Bootstrapping process

The primary purpose of bootstrapping is to enable a MA to be integrated into a measurement system. The MA retrieves information about itself (like its identity in the measurement system) and about the Controller, the Controller learns information about the MA, and they learn about security information to communicate (such as certificates and credentials).

Whilst the LMAP WG considers the bootstrapping process, it is out of scope to define a bootstrap mechanism, as it depends on the type of device and access.

As a result of the bootstrapping process the MA learns the following information:

The details of the bootstrapping process are device /access specific. For example, the information could be in the firmware, manually configured or transferred via a protocol like TR-069. There may be a multi-stage process where the MA contacts the device at a 'hard-coded' address, which replies with the boostrapping information.

5.2. Control Protocol

The primary purpose of the Control Protocol is to allow the Controller to configure a Measurement Agent with an Instruction about what Measurement Tasks to do, when to do them, and how to report the Measurement Results (Section 5.2.1). The Measurement Agent then acts on the Instruction autonomously. The Control Protocol also enables the MA to inform the Controller about its Capabilities and any Failures (Section 5.2.2).

5.2.1. Instruction

The Instruction is the description of the Measurement Tasks for a Measurement Agent to do and the details of the Measurement Reports for it to send. In order to update the Instruction the Controller uses a Data Transfer Task to send an Instruction Message over the Control Channel.

+-----------------+                                      +-------------+
|                 |                                      | Measurement |
|  Controller     |======================================|  Agent      |
+-----------------+                                      +-------------+ 

Instruction:                            ->
[(Measurement Task configuration(
   [Input Parameter], 
   (interface),
   (Cycle-ID))),
 (Report Channel),
 (Data Transfer Task),
 (Measurement Schedule),
 (Suppression information)]
                                         <-          Response(details)    
 

The Instruction defines the following:

A single Instruction Message may contain some or all of the above parts. The finest level of granularity possible in an Instruction Message is determined by the implementation and operation of the Control Protocol. For example, a single Instruction Message may be able to add or update an individual Measurement Schedule - or it may only be able to update the complete set of Measurement Schedules; a single Instruction Message may be able to update both Measurement Schedules and Measurement Task configurations - or only one at a time; and so on.

The MA informs the Controller that it has successfully understood the Instruction Message, or that it cannot action the Instruction - for example, if it doesn't include a parameter that is mandatory for the requested Measurement Method, or it is missing details of the target Collector.

The Instruction Message instructs the MA; the Control Protocol does not allow the MA to negotiate, as this would add complexity to the MA, Controller and Control Protocol for little benefit.

5.2.1.1. Suppression

The Instruction may include Suppression information. Suppression is used if the measurement system wants to eliminate inessential traffic, because there is some unexpected network issue for example. By default, Suppression means that the MA does not begin any new Active Measurement Task. The impact on other Measurement Tasks is not defined by LMAP; since they do not involve the MA creating any Active Measurement Traffic there is no need to suppress them, however it may be simpler for an implementation to do so. Also, by default Suppression starts immediately and continues until an un-suppress message is received. Optionally the Suppression information may include:

Note that Suppression is not intended to permanently stop a Measurement Task (instead, the Controller should send a new Measurement Schedule), nor to permanently disable a MA (instead, some kind of management action is suggested).

+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|  Controller     |===================================|  Agent      |
+-----------------+                                   +-------------+ 

Suppress:
[(Measurement Task),                     ->               
 (Measurement Schedule),
 start time, 
 end time,
 on-going suppressed?]
 
Un-suppress                              ->
                                       

5.2.2. Capabilities and Failure information

The Control Protocol also enables the MA to inform the Controller about various information, such as its Capabilities and any Failures, by the MA operating a Data Transfer Task. It is also possible that a device-specific mechanism beyond the scope of LMAP is used.

Capabilities are information about the MA that the Controller needs to know in order to correctly instruct the MA, such as:

The MA could do this in response to a request from the Controller (for example, if the Controller forgets what the MA can do or otherwise wants to resynchronize what it knows about the MA) or on its own initiative (for example when the MA first communicates with a Controller or if it becomes capable of a new Measurement Method). Another example of the latter case is if the device with the MA re-boots, then the MA should notify its Controller in case its Instruction needs to be updated; to avoid a "mass calling event" after a widespread power restoration affecting many MAs, it is sensible for an MA to pause for a random delay, perhaps in the range of one minute or so.

Failure information is sent on the initiative of the MA and concerns why the MA has been unable to execute a Measurement Task or Data Transfer Task, for example:

Logging information is sent by the MA in response to a request from the Controller; it concerns how the MA is operating and may help debugging, for example:

.

+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|  Controller     |===================================|  Agent      |
+-----------------+                                   +-------------+ 

(Capabilities request)                   ->
                                         <-         Capabilities


                                         <-         Failure Information
                                                    [reason]

Logging request                          ->
                                         <-         Logging Information
                                                    [details]
 

5.3. Operation of Measurement Tasks

The LMAP WG is neutral to what the actual Measurement Task is. It does not define Measurement Methods, however the IPPM WG does.

The MA carries out the Measurement Tasks as instructed, unless it gets an updated Instruction. The MA acts autonomously, in terms of operation of the Measurement Tasks and reporting of the Results; it doesn't do a 'safety check' with the Controller to ask whether it should still continue with the requested Measurement Tasks.

5.3.1. Starting and Stopping Measurement Tasks

The WG does not define a generic start and stop process, since the correct approach depends on the particular Measurement Task; the details are defined as part of each Measurement Method. This section provides some general hints. The MA does not inform the Controller about Measurement Tasks starting and stopping.

Before sending Active Measurement Traffic the MA may run a pre-check. Action could include:

It is possible that similar checks continue during the Measurement Task, especially one that is long-running and/or creates a lot of Active Measurement Traffic, and might lead to it being abandoned whilst in-progress. A Measurement Task could also be abandoned in response to a "suppress" message (see Section 5.2.1). Action could include:

The Controller may want a MA to run the same Measurement Task indefinitely (for example, "run the 'upload speed' Measurement Task once an hour until further notice"). To avoid the MA generating traffic forever after a Controller has permanently failed, it is suggested that the Measurement Schedule includes a time limit ("run the 'upload speed' Measurement Task once an hour for the next 30 days") and that the Measurement Schedule is updated regularly (say, every 10 days).

5.3.2. Overlapping Measurement Tasks

It is possible that a MA starts a new Measurement Task before another Measurement Task has completed. This may be intentional (the way that the measurement system has designed the Measurement Schedules), but it could also be unintentional - for instance, if a Measurement Task has a 'wait for X' step which pauses for an unexpectedly long time. The operator of the measurement system can handle (or not) overlapping Measurement Tasks in any way they choose - it is a policy or implementation issue and not the concern of LMAP. Some possible approaches are: to configure the MA not to begin the second Measurement Task; to start the second Measurement Task as usual; for the action to be an Input Parameter of the Measurement Task; and so on.

It is likely to be important to include in the Measurement Report the fact that the Measurement Task overlapped with another.

5.4. Report Protocol

The primary purpose of the Report Protocol is to allow a Measurement Agent to report its Measurement Results to a Collector, along with the context in which they were obtained.

+-----------------+                                   +-------------+
|                 |                                   | Measurement |
|   Collector     |===================================|  Agent      |
+-----------------+                                   +-------------+ 
                                                       
                                   <-    Report: 
                                                 [MA-ID &/or Group-ID],
                                                   [Measurement Result
                                         [details of Measurement Task]]
ACK                                ->

The Report contains:

The MA sends Reports as defined by the Data Transfer Task in the Controller's Instruction. It is possible that the Instruction tells the MA to report the same Results to more than one Collector, or to report a different subset of Results to different Collectors. It is also possible that a Measurement Task may create two (or more) Measurement Results, which could be reported differently (for example, one Result could be reported periodically, whilst the second Result could be an alarm that is created as soon as the measured value of the Metric crosses a threshold and that is reported immediately).

Optionally, a Report is not sent when there are no Measurement Results.

In the initial LMAP Information Model and Report Protocol, for simplicity we assume that all Measurement Results are reported as-is, but allow extensibility so that a measurement system (or perhaps a second phase of LMAP) could allow a MA to:

5.4.1. Reporting of Subsriber's service parameters

The Subscriber's service parameters are information about his/her broadband contract, line rate and so on. Such information is likely to be needed to help analyse the Measurement Results, for example to help decide whether the measured download speed is reasonable.

The information could be transferred directly from the Subscriber parameter database to the data analysis tools. It may also be possible to transfer the information via the MA. How (and if) the MA knows such information is likely to depend on the device type. The MA could either include the information in a Measurement Report or run a separate Data Transfer Task. All such considerations are out of scope of LMAP.

5.5. Operation of LMAP over the underlying transport protocol

The above sections have described LMAP's protocol model. As part of the design of the Control and Report Protocols, the LMAP working group will specify operation over an existing protocol, to be selected, for example REST-style HTTP(S). It is also possible that a different choice is made for the Control and Report Protocols, for example NETCONF-YANG and IPFIX respectively.

From an LMAP perspective, the Controller needs to know that the MA has received the Instruction Message, or at least that it needs to be re-sent as it may have failed to be delivered. Similarly the MA needs to know about the delivery of Capabilities and Failure information to the Controller and Reports to the Collector. How this is done depends on the design of the Control and Report Protocols and the underlying transport protocol.

For the Control Protocol, the underlying transport protocol could be:

For the Report Protocol, the underlying transport protocol could be:

5.6. Items beyond the scope of the LMAP Protocol Model

There are several potential interactions between LMAP elements that are out of scope of definition by the LMAP WG:

  1. It does not define a coordination process between MAs. Whilst a measurement system may define coordinated Measurement Schedules across its various MAs, there is no direct coordination between MAs.
  2. It does not define interactions between the Collector and Controller. It is quite likely that there will be such interactions, optionally intermediated by the data analysis tools. For example, if there is an "interesting" Measurement Result then the measurement system may want to trigger extra Measurement Tasks that explore the potential cause in more detail; or if the Collector unexpectedly does not hear from a MA, then the measurement system may want to trigger the Controller to send a fresh Instruction Message to the MA.
  3. It does not define coordination between different measurement systems. For example, it does not define the interaction of a MA in one measurement system with a Controller or Collector in a different measurement system. Whilst it is likely that the Control and Report Protocols could be re-used or adapted for this scenario, any form of coordination between different organisations involves difficult commercial and technical issues and so, given the novelty of large-scale measurement efforts, any form of inter-organisation coordination is outside the scope of the LMAP WG. Note that a single MA is instructed by a single Controller and is only in one measurement system.
  4. It does not consider how to prevent a malicious party "gaming the system". For example, where a regulator is running a measurement system in order to benchmark operators, a malicious operator could try to identify the broadband lines that the regulator was measuring and prioritise that traffic. It is assumed this is a policy issue and would be dealt with through a code of conduct for instance.
  5. It does not define how to analyse Measurement Results, including how to interpret missing Results.
  6. It does not specifically define a end-user-controlled measurement system, see sub-section 5.6.1.

5.6.1. End-user-controlled measurement system

The WG concentrates on the cases where an ISP or a regulator runs the measurement system. However, we expect that LMAP functionality will also be used in the context of an end-user-controlled measurement system. There are at least two ways this could happen (they have various pros and cons):

  1. an end-user could somehow request the ISP- (or regulator-) run measurement system to test his/her line. The ISP (or regulator) Controller would then send an Instruction to the MA in the usual LMAP way. Note that a user can’t directly initiate a Measurement Task on an ISP- (or regulator-) controlled MA.
  2. an end-user could deploy their own measurement system, with their own MA, Controller and Collector. For example, the user could implement all three functions onto the same end-user-owned end device, perhaps by downloading the functions from the ISP or regulator. Then the LMAP Control and Report Protocols do not need to be used, but using LMAP's Information Model would still be beneficial. The Measurement Peer (or other MA involved in the Measurement Task) could be in the home gateway or outside the home network; in the latter case the Measurement Peer is highly likely to be run by a different organisation, which raises extra privacy considerations.

In both cases there will be some way for the end-user to initiate the Measurement Task(s). The mechanism is out-of-scope of the LMAP WG, but could include the user clicking a button on a GUI or sending a text message. Presumably the user will also be able to see the Measurement Results, perhaps summarised on a webpage. It is suggested that these interfaces conform to the LMAP guidance on privacy in Section 8.

6. Deployment considerations

The Appendix has some examples of possible deployment arrangements of Measurement Agents and Peers.

6.1. Controller and the measurement system

The Controller should understand both the MA's LMAP Capabilities (for instance what Measurement Methods it can perform) and about the MA's other capabilities like processing power and memory. This allows the Controller to make sure that the Measurement Schedule of Measurement Tasks and the Reporting Schedule are sensible for each MA that it Instructs.

An Instruction is likely to include several Measurement Tasks. Typically these run at different times, but it is also possible for them to run at the same time. Some Tasks may be compatible, in that they do not affect each other's Results, whilst with others great care would need to be taken.

The Controller should ensure that the Active Measurement Tasks do not have an adverse effect on the end user. Typically Tasks, especially those that generate a substantial amount of traffic, will include a pre-check that the user isn’t already sending traffic (Section 5.3). Another consideration is whether Active Measurement Traffic will impact a Subscriber's bill or traffic cap; if it will, then the measurement system may need to compensate the Subscriber, for instance.

The different elements of the Instruction can be updated independently. For example, the Measurement Tasks could be configured with different Input Parameters whilst keeping the same Measurement Schedule. In general this should not create any issues, since Measurement Methods should be defined so their fundamental nature does not change for a new value of Input Parameter. There could be a problem if, for example, a Measurement Task involving a 1kB file upload could be changed into a 1GB file upload.

A measurement system may have multiple Controllers (but note the overriding principle that a single MA is instructed by a single Controller at any point in time (Section 4.2)). For example, there could be different Controllers for different types of MA (home gateways, tablets) or locations (Ipswich, Edinburgh), for load balancing or to cope with failure of one Controller.

The measurement system also needs to consider carefully how to interpret missing Results; for example, if the missing Results are ignored and the lack of a Report is caused by its broadband being broken, then the estimate of overall performance, averaged across all MAs, would be too optimistic.

6.2. Measurement Agent

The Measurement Agent could take a number of forms: a dedicated probe, software on a PC, embedded into an appliance, or even embedded into a gateway. A single site (home, branch office etc.) that is participating in a measurement could make use of one or multiple Measurement Agents or Measurement Peers in a single measurement.

The Measurement Agent could be deployed in a variety of locations. Not all deployment locations are available to every kind of Measurement Agent. There are also a variety of limitations and trade-offs depending on the final placement. The next sections outline some of the locations a Measurement Agent may be deployed. This is not an exhaustive list and combinations may also apply.

6.2.1. Measurement Agent on a networked device

A MA may be embedded on a device that is directly connected to the network, such as a MA on a smartphone.

6.2.2. Measurement Agent embedded in site gateway

A Measurement Agent embedded with the site gateway, for example a home router or the edge router of a branch office in a managed service environment, is one of better places the Measurement Agent could be deployed. All site-to-ISP traffic would traverse through the gateway and passive measurements could easily be performed. Similarly, due to this user traffic visibility, an Active Measurement Task could be rescheduled so as not to compete with user traffic. Generally NAT and firewall services are built into the gateway, allowing the Measurement Agent the option to offer its Controller-facing management interface outside of the NAT/firewall. This placement of the management interface allows the Controller to unilaterally contact the Measurement Agent for instructions. However, if the site gateway is owned and operated by the service provider, the Measurement Agent will generally not be directly available for over the top providers, the regulator, end users or enterprises.

6.2.3. Measurement Agent embedded behind site NAT /Firewall

The Measurement Agent could also be embedded behind a NAT, a firewall, or both. In this case the Controller may not be able to unilaterally contact the Measurement Agent unless either static port forwarding configuration or firewall pin holing is configured. For the former, protocols such as PCP [RFC6887], TR-069 [TR-069]or UPnP [UPnP]could be used. For the latter, the Measurement Agent could send keepalives towards the Controller to prop open the firewall (and perhaps use these also as a network reachability test).

6.2.4. Multi-homed Measurement Agent

If the device with the Measurement Agent is single homed then there is no confusion about what interface to measure. Similarly, if the MA is at the gateway and the gateway only has a single WAN-side and a single LAN-side interface, there is little confusion - for an Active Measurement Task, the location of the other MA or Measurement Peer determines whether the WAN or LAN is measured.

However, the device with the Measurement Agent may be multi-homed. For example, a home or campus may be connected to multiple broadband ISPs, such as a wired and wireless broadband provider, perhaps for redundancy or load- sharing. It may also be helpful to think of dual stack IPv4 and IPv6 broadband devices as multi-homed. More generally, Section 3.2 of [I-D.ietf-homenet-arch] describes dual-stack and multi-homing topologies that might be encountered in a home network, [RFC6419] provides the current practices of multi-interfaces hosts, and the Multiple Interfaces (mif) working group covers cases where hosts are either directly attached to multiple networks (physical or virtual) or indirectly (multiple default routers, etc.). In these cases, there needs to be clarity on which network connectivity option is being measured.

One possibility is to have a Measurement Agent per interface. Then the Controller's choice of MA determines which interface is measured. However, if a MA can measure any of the interfaces, then the Controller defines in the Instruction which interface the MA should use for a Measurement Task; if the choice of interface is not defined then the MA uses the default one. Explicit definition is preferred if the measurement system wants to measure the performance of a particular network, whereas using the default is better if the measurement system wants to include the impact of the MA's interface selection algorithm. In any case, the Measurement Result should include the network that was measured.

6.3. Measurement Peer

A Measurement Peer participates in Active Measurement Tasks. It may have specific functionality to enable it to participate in a particular Measurement Method. On the other hand, other Measurement Methods may require no special functionality, for example if the Measurement Agent sends a ping to example.com then the server at example.com plays the role of a Measurement Peer.

A device may participate in some Measurement Tasks as a Measurement Agent and in others as a Measurement Peer.

Measurement schedules should account for limited resources in a Measurement Peer when instructing a MA to execute measurements with a Measurement Peer. In some measurement protocols, such as [RFC4656] and [RFC5357], the Measurement Peer can reject a measurement session or refuse a control connection prior to setting-up a measurement session and so protect itself from resource exhaustion. This is a valuable capability because the MP may be used by more than one organisation.

7. Security considerations

The security of the LMAP framework should protect the interests of the measurement operator(s), the network user(s) and other actors who could be impacted by a compromised measurement deployment. The measurement system must secure the various components of the system from unauthorised access or corruption. Much of the general advice contained in section 6 of [RFC4656] is applicable here.

We assume that each Measurement Agent (MA) will receive its Instructions from a single organisation, which operates the Controller. These Instructions must be authenticated (to ensure that they come from the trusted Controller), checked for integrity (to ensure no-one has tampered with them) and not vulnerable to replay attacks. If a malicious party can gain control of the MA they can use it to launch DoS attacks at targets, reduce the end user's quality of experience and corrupt the Measurement Results that are reported to the Collector. By altering the Measurement Tasks and/or the address that Results are reported to, they can also compromise the confidentiality of the network user and the MA environment (such as information about the location of devices or their traffic).

The process to upgrade the firmware in an MA is out-of-scope for this phase of LMAP development, similar to the protocol to bootstrap the MAs (as specified in the charter). However, systems which provide remote upgrade must secure authorised access and integrity of the process.

Reporting by the MA must also be secured to maintain confidentiality. The results must be encrypted such that only the authorised Collector can decrypt the results to prevent the leakage of confidential or private information. In addition it must be authenticated that the results have come from the expected MA and that they have not been tampered with. It must not be possible to fool a MA into injecting falsified data into the measurement platform or to corrupt the results of a real MA. The results must also be held and processed securely after collection and analysis. See section 8.5.2 below for additional considerations on stored data compromise, and section 8.6 on potential mitigations for compromise.

Since Collectors will be contacted repeatedly by MAs using the Collection Protocol to convey their recent results, a successful attack to exhaust the communication resources would prevent a critical operation: reporting. Therefore, all LMAP Collectors should implement technical mechanisms to:

Many of the above considerations are applicable to Controllers using a "push" model, where the MA must contact the Controller because NAT or other network aspect prevents Controllers from contacting MAs directly.

Availability should also be considered. While the loss of some MAs may not be considered critical, the unavailability of the Collector could mean that valuable business data or data critical to a regulatory process is lost. Similarly, the unavailability of a Controller could mean that the MAs do not operate a correct Measurement Schedule.

A malicious party could "game the system". For example, where a regulator is running a measurement system in order to benchmark operators, an operator could try to identify the broadband lines that the regulator was measuring and prioritise that traffic. This potential issue is currently handled by a code of conduct. It is outside the scope of the LMAP WG to consider the issue.

8. Privacy Considerations for LMAP

The LMAP Working Group will consider privacy as a core requirement and will ensure that by default the Control and Report Protocols operate in a privacy-sensitive manner and that privacy features are well-defined.

This section provides a set of privacy considerations for LMAP. This section benefits greatly from the timely publication of [RFC6973]. Privacy and security (Section 7) are related. In some jurisdictions privacy is called data protection.

We begin with a set of assumptions related to protecting the sensitive information of individuals and organisations participating in LMAP-orchestrated measurement and data collection.

8.1. Categories of Entities with Information of Interest

LMAP protocols need to protect the sensitive information of the following entities, including individuals and organisations who participate in measurement and collection of results.

Although privacy is a protection extended to individuals, we include discussion of ISPs and other LMAP system operators in this section. These organisations have sensitive information involved in the LMAP system, and many of the same dangers and mitigations are applicable. Further, the ISPs store information on their Subscribers beyond that used in the LMAP system (for instance billing information), and there should be a benefit in considering all the needs and potential solutions coherently.

8.2. Examples of Sensitive Information

This section gives examples of sensitive information which may be measured or stored in a measurement system, and which is to be kept private by default in the LMAP core protocols.

Examples of Subscriber or authorised Internet user sensitive information:

Examples of Internet Service Provider sensitive information:

Other organisations will have some combination of the lists above. The LMAP system would not typically expose all of the information above, but could expose a combination of items which could be correlated with other pieces collected by an attacker (as discussed in the section on Threats below).

8.3. Key Distinction Between Active and Passive Measurement Tasks

Passive and Active Measurement Tasks raise different privacy issues.

Passive Measurement Tasks are conducted on a user's traffic, such that sensitive information is present and stored in the measurement system (however briefly this storage may be). We note that some authorities make a distinction on time of storage, and information that is kept only temporarily to perform a communications function is not subject to regulation (for example, active queue management, deep packet inspection). Passive Measurement Tasks could reveal all the websites a Subscriber visits and the applications and/or services they use.

Active Measurement Tasks are conducted on traffic which is created specifically for the purpose. Even if a user host generates Active Measurement Traffic, there is limited sensitive information about the Subscriber present and stored in the measurement system compared to the passive case, as follows:

On the other hand, for a service provider the sensitive information like Measurement Results is the same for Passive and Active Measurement Tasks.

From the Subscriber perspective, both Active and Passive Measurement Tasks potentially expose the description of Internet access service and specific service parameters, such as subscribed rate and type of access.

8.4. Privacy analysis of the Communications Models

This section examines each of the protocol exchanges described at a high level in Section 5 and some example Measurement Tasks, and identifies specific sensitive information which must be secured during communication for each case. With the protocol-related sensitive information identified, we can better consider the threats described in the following section.

From the privacy perspective, all entities participating in LMAP protocols can be considered "observers" according to the definition in [RFC6973]. Their stored information potentially poses a threat to privacy, especially if one or more of these functional entities has been compromised. Likewise, all devices on the paths used for control, reporting, and measurement are also observers.

8.4.1. MA Bootstrapping

Section 5.1 provides the communication model for the Bootstrapping process.

Although the specification of mechanisms for Bootstrapping the MA are beyond the LMAP scope, designers should recognize that the Bootstrapping process is extremely powerful and could cause an MA to join a new or different LMAP system with a different Controller and Collector, or simply install new Measurement Methods (for example to passively record DNS queries). A Bootstrap attack could result in a breach of the LMAP system with significant sensitive information exposure depending on the capabilities of the MA, so sufficient security protections are warranted.

The Bootstrapping process provides sensitive information about the LMAP system and the organisation that operates it, such as

During the Bootstrap process, the MA receives its MA-ID which is a persistent pseudonym for the Subscriber in the case that the MA is located at a service demarcation point. Thus, the MA-ID is considered sensitive information, because it could provide the link between Subscriber identification and Measurements Results.

Also, the Bootstrap process could assign a Group-ID to the MA. The specific definition of information represented in a Group-ID is to be determined, but several examples are envisaged including use as a pseudonym for a set of Subscribers, a class of service, an access technology, or other important categories. Assignment of a Group-ID enables anonymisation sets to be formed on the basis of service type/grade/rates. Thus, the mapping between Group-ID and MA-ID is considered sensitive information.

8.4.2. Controller <-> Measurement Agent

The high-level communication model for interactions between the LMAP Controller and Measurement Agent is illustrated in Section 5.2. The primary purpose of this exchange is to authenticate and task a Measurement Agent with Measurement Instructions, which the Measurement Agent then acts on autonomously.

Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged with a capability request, then measurement-related information of interest such as the parameters, schedule, metrics, and IP addresses of measurement devices. Thus, the measurement Instruction contains sensitive information which must be secured. For example, the fact that an ISP is running additional measurements beyond the set reported externally is sensitive information, as are the additional Measurements Tasks themselves. The Measurement Schedule is also sensitive, because an attacker intending to bias the results without being detected can use this information to great advantage.

An organisation operating the Controller having no service relationship with a user who hosts the Measurement Agent *could* gain real-name mapping to a public IP address through user participation in an LMAP system (this applies to the Measurement Collection protocol, as well).

8.4.3. Collector <-> Measurement Agent

The high-level communication model for interactions between the Measurement Agent and Collector is illustrated in Section 5.4. The primary purpose of this exchange is to authenticate and collect Measurement Results from a MA, which the MA has measured autonomously and stored.

The Measurement Results are the additional sensitive information included in the Collector-MA exchange. Organisations collecting LMAP measurements have the responsibility for data control. Thus, the Results and other information communicated in the Collector protocol must be secured.

8.4.4. Measurement Peer <-> Measurement Agent

Although the specification of the mechanisms for an Active Measurement Task is beyond the scope of LMAP, it raises potential privacy issues. The high-level communications model below illustrates the various exchanges to execute Active Measurement Tasks and store the Results.

We note the potential for additional observers in the figures below by indicating the possible presence of a NAT, which has additional significance to the protocols and direction of initiation.

 _________________                              _________________
|                 |                            |                 |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________|                            |_________________|

                               <-              (Key Negotiation &
                                               Encryption Setup)
(Encrypted Channel             ->
Established)
(Announce capabilities         ->
& status)
                               <-              (Select capabilities)
ACK                            ->
                               <-              (Measurement Request
                                              (MA+MP IPAddrs,set of
                                                Metrics, Schedule))
ACK                            ->

Active Measurement Traffic     <>        Active Measurement Traffic
(may/may not be encrypted)               (may/may not be encrypted)

                               <-            (Stop Measurement Task)

Measurement Results            ->
(if applicable)
                               <-               ACK, Close

The various messages are optional, depending on the nature of the Active Measurement Task. It may involve sending Active Measurement Traffic from the Measurement Peer to MA, MA to Measurement Peer, or both.

If the Active Measurement Traffic is unencrypted, as found in many systems today, then both timing and limited results are open to on-path observers.

8.4.5. Passive Measurement Agent

Although the specification of the mechanisms for a Passive Measurement Task is beyond the scope of LMAP, it raises potential privacy issues.

The high-level communications model below illustrates the collection of user information of interest with the Measurement Agent performing the monitoring and storage of the Results. This particular exchange is for passive measurement of DNS Response Time, which most frequently uses UDP transport.

 _________________                                      ____________
|                 |                                    |            |
|  DNS Server     |=========== NAT ? ==========*=======| User client|
|_________________|                            ^       |____________|
                                         ______|_______
                                        |              |
                                        |  Measurement |
                                        |    Agent     |
                                        |______________|

                               <-              Name Resolution Req
                                              (MA+MP IPAddrs, 
                                               Desired Domain Name)
Return Record                  ->

This exchange primarily exposes the IP addresses of measurement devices and the intent to communicate with or access the services of "Domain Name". There may be information on key points in a service provider's network, such as the address of one of its DNS servers. The Measurement Agent may be embedded in the user host, or it may be located in another device capable of observing user traffic.

In principle, any of the user sensitive information of interest (listed above) can be collected and stored in the passive monitoring scenario and so must be secured.

It would also be possible for a Measurement Agent to source the DNS query itself. But then, as with any active measurement task, there are few privacy concerns.

8.4.6. Storage and Reporting of Measurement Results

Although the mechanisms for communicating results (beyond the initial Collector) are beyond the LMAP scope, there are potential privacy issues related to a single organisation's storage and reporting of Measurement Results. Both storage and reporting functions can help to preserve privacy by implementing the mitigations described below.

8.5. Threats

This section indicates how each of the threats described in [RFC6973] apply to the LMAP entities and their communication and storage of "information of interest".

8.5.1. Surveillance

Section 5.1.1 of [RFC6973] describes Surveillance as the "observation or monitoring of and individual's communications or activities." Hence all Passive Measurement Tasks are a form of surveillance, with inherent risks.

Active Measurement Methods which avoid periods of user transmission indirectly produce a record of times when a subscriber or authorised user has used their network access service.

Active Measurement Methods may also utilise and store a Subscriber's currently assigned IP address when conducting measurements that are relevant to a specific Subscriber. Since the Measurement Results are time-stamped, they could provide a record of IP address assignments over time.

Either of the above pieces of information could be useful in correlation and identification, described below.

8.5.2. Stored Data Compromise

Section 5.1.2 of [RFC6973] describes Stored Data Compromise as resulting from inadequate measures to secure stored data from unauthorised or inappropriate access. For LMAP systems this includes deleting or modifying collected measurement records, as well as data theft.

The primary LMAP entity subject to compromise is the repository, which stores the Measurement Results; extensive security and privacy threat mitigations are warranted. The Collector and MA also store sensitive information temporarily, and need protection. The communications between the local storage of the Collector and the repository is beyond the scope of the LMAP work at this time, though this communications channel will certainly need protection as well as the mass storage itself.

The LMAP Controller may have direct access to storage of Subscriber information (location, billing, service parameters, etc.) and other information which the controlling organisation considers private, and again needs protection.

Note that there is tension between the desire to store all raw results in the LMAP Collector (for reproduceability and custom analysis), and the need to protect the privacy of measurement participants. Many of the compromise mitigations described in section 8.6 below are most efficient when deployed at the MA, therefore minimizing the risks with stored results.

8.5.3. Correlation and Identification

Sections 5.2.1 and 5.2.2 of [RFC6973] describes Correlation as combining various pieces of information to obtain desired characteristics of an individual, and Identification as using this process to infer identity.

The main risk is that the LMAP system could unwittingly provide a key piece of the correlation chain, starting with an unknown Subscriber's IP address and another piece of information. For example, a Subscriber utilised Internet access from 2000 to 2310 UTC, because the Active Measurement Tasks were deferred, or sent a name resolution for www.example.com at 2300 UTC.

8.5.4. Secondary Use and Disclosure

Sections 5.2.3 and 5.2.4 of [RFC6973] describes Secondary Use as unauthorised utilisation of an individual's information for a purpose the individual did not intend, and Disclosure is when such information is revealed causing other's notions of the individual to change, or confidentiality to be violated.

Passive Measurement Tasks are a form of Secondary Use, and the Subscribers' permission and the measured ISP's permission should be obtained beforehand. Although user traffic is only indirectly involved, the Measurement Results from Active Measurement Tasks provide some limited information about the Subscriber/ISP and could be used for Secondary Uses. For example, the use of the Results in unauthorised marketing campaigns would qualify as Secondary Use.

8.6. Mitigations

This section examines the mitigations listed in section 6 of [RFC6973] and their applicability to LMAP systems. Note that each section in [RFC6973] identifies the threat categories that each technique mitigates.

8.6.1. Data Minimisation

Section 6.1 of [RFC6973] encourages collecting and storing the minimal information needed to perform a task.

There are two levels of information needed for LMAP results to be useful for a specific task: troubleshooting and general results reporting.

For general results, the results can be aggregated into large categories (the month of March, all subscribers West of the Mississippi River). In this case, all individual identifications (including IP address of the MA) can be excluded, and only relevant results are provided. However, this implies a filtering process to reduce the information fields, because greater detail was needed to conduct the Measurement Tasks in the first place.

For troubleshooting, so that a network operator or end user can identify a performance issue or failure, potentially all the network information (IP addresses, equipment IDs, location), Measurement Schedule, service configuration, Measurement Results, and other information may assist in the process. This includes the information needed to conduct the Measurements Tasks, and represents a need where the maximum relevant information is desirable, therefore the greatest protections should be applied.

We note that a user may give temporary permission for Passive Measurement Tasks to enable detailed troubleshooting, but withhold permission for them in general. Here the greatest breadth of sensitive information is potentially exposed, and the maximum privacy protection must be provided.

For MAs with access to the sensitive information of users (e.g., within a home or a personal host/handset), it is desirable for the results collection to minimise the data reported, but also to balance this desire with the needs of troubleshooting when a service subscription exists between the user and organisation operating the measurements.

For passive measurements where the MA reports flow information to the Collector, the Collector may perform pre-storage minimisation and other mitigations (below) to help preserve privacy.

8.6.2. Anonymity

Section 6.1.1 of [RFC6973] describes a way in which anonymity is achieved: "there must exist a set of individuals that appear to have the same attributes as the individual", defined as an "anonymity set".

Experimental methods for anonymisation of user identifiable data applicable to Passive Measurement Methods have been identified in [RFC6235]. However, the findings of several of the same authors is that "there is increasing evidence that anonymisation applied to network trace or flow data on its own is insufficient for many data protection applications as in [Bur10]."

Essentially, the details of passive measurement tasks can only be accessed by closed organisations, and unknown injection attacks are always less expensive than the protections from them. However, some forms of summary may protect the user's sensitive information sufficiently well, and so each Metric must be evaluated in the light of privacy.

The methods in [RFC6235] could be applied more successfully in Active Measurement Methods, where there are protections from injection attack. The successful attack would require breaking the integrity protection of the LMAP Reporting Protocol and injecting Measurement Results (known fingerprint, see section 3.2 of [RFC6973]) for inclusion with the shared and anonymised results, then fingerprinting those records to ascertain the anonymisation process.

Beside anonymisation of measured Results for a specific user or provider, the value of sensitive information can be further diluted by summarising the results over many individuals or areas served by the provider. There is an opportunity enabled by forming anonymity sets [RFC6973] based on the reference path measurement points in [I-D.ietf-ippm-lmap-path]. For example, all measurements from the Subscriber device can be identified as "mp000", instead of using the IP address or other device information. The same anonymisation applies to the Internet Service Provider, where their Internet gateway would be referred to as "mp190".

8.6.3. Pseudonymity

Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, are a possible mitigation to revealing one's true identity, since there is no requirement to use real names in almost all protocols.

A pseudonym for a measurement device's IP address could be an LMAP-unique equipment ID. However, this would likely be a permanent handle for the device, and long-term use weakens a pseudonym's power to obscure identity.

8.6.4. Other Mitigations

Data can be de-personalised by blurring it, for example by adding synthetic data, data-swapping, or perturbing the values in ways that can be reversed or corrected.

Sections 6.2 and 6.3 of [RFC6973] describe User Participation and Security, respectively.

Where LMAP measurements involve devices on the Subscriber's premises or Subscriber-owned equipment, it is essential to secure the Subscriber's permission with regard to the specific information that will be collected. The informed consent of the Subscriber (and, if different, the end user) is needed, including the specific purpose of the measurements. The approval process could involve showing the Subscriber their measured information and results before instituting periodic collection, or before all instances of collection, with the option to cancel collection temporarily or permanently.

It should also be clear who is legally responsible for data protection (privacy); in some jurisdictions this role is called the 'data controller'. It is good practice to time limit the storage of personal information.

Although the details of verification would be impenetrable to most subscribers, the MA could be architected as an "app" with open source-code, pre-download and embedded terms of use and agreement on measurements, and protection from code modifications usually provided by the app-stores. Further, the app itself could provide data reduction and temporary storage mitigations as appropriate and certified through code review.

LMAP protocols, devices, and the information they store clearly need to be secure from unauthorised access. This is the hand-off between privacy and security considerations (Section 7). The Data Controller has the (legal) responsibility to maintain data protections described in the Subscriber's agreement and agreements with other organisations.

9. IANA Considerations

There are no IANA considerations in this memo.

10. Appendix: Deployment examples

In this section we describe some deployment scenarios that are feasible within the LMAP framework defined in this document.

The LMAP framework defines two types of components involved in the actual measurement task, namely the Measurement Agent (MA) and the Measurement Peer (MP). The fundamental difference conveyed in the definition of these terms is that the MA has a interface with the Controller/Collector while the MP does not. The MP is broadly defined as a function that assists the MA in the Measurement Task but has no interface with the Controller/Collector. There are many elements in the network that can fall into this broad definition of MP. We believe that the MP terminology is useful to allow us to refer an element of the network that plays a role that is conceptually important to understand and describe the measurement task being performed. We next illustrate these concepts by describing several deployment scenarios.

                                                         ^
   +----------------+  Web Traffic +----------------+  IPPM
   |   Web Client   |<------------>| MP: Web Server |  Scope
   |                |              +----------------+    |
...|................|....................................V...  
   | LMAP interface |                                    ^
   +----------------+                                    |
            ^     |                                      |
Instruction |     |  Report                              |
            |     +-----------------+                    |
            |                       |                    |
            |                       v                   LMAP
       +------------+             +------------+        Scope
       | Controller |             |  Collector |         |
       +------------+             +------------+         V

Figure A1: Schematic of LMAP-based measurement system,
with Web server as Measurement Peer

A very simple example of a Measurement Peer is a web server that the MA is downloading a web page from (such as www.example.com) in order to perform a speed test. The web server is an MP and from its perspective, the MA is just another customer; the MP doesn't have a specific function for assisting measurements. This is described in the figure A1.

Another case that is slightly different than this would be the one of a ping responder. This is also an MP, with a helper function, the ping server, which is specially deployed to assist the MAs that perform pings. It only has the data plane interface. This example is described in Section 2.

A third related example would be the case of a traceroute like measurement. In this case, for each packet sent, the router where the TTL expires is performing the MP function. So for a given Measurement Task, there is one MA involved and several MPs, one per hop.

In figure A2 we depict the case of an OWAMP responder acting as an MP. In this case, the helper function in addition reports results back to the MA. So it has both a data plane and control interface with the MA.

   +----------------+    OWAMP     +----------------+    ^
   | OWAMP          |<--control--->| MP:            |    |
   | control-client |>test-traffic>| OWAMP server & |   IPPM
   | fetch-client & |<----fetch----| session-rec'ver|  Scope
   | session-sender |              |                |    |
   |                |              +----------------+    |
...|................|....................................v...  
   | LMAP interface |                                    ^
   +----------------+                                    |
            ^     |                                      |
Instruction |     |  Report                              |
            |     +-----------------+                    |
            |                       |                    |
            |                       v                  LMAP
       +------------+             +------------+       Scope
       | Controller |             |  Collector |         |
       +------------+             +------------+         v
                                                       IPPM

Figure A2: Schematic of LMAP-based measurement system,
with OWAMP server as Measurement Peer

However, it is also possible to use two Measurement Agents when performing one way Measurement Tasks, as described in figure A3 below. In this case, MA1 generates the traffic and MA2 receives the traffic and send the reports to the Collector. Note that both MAs are instructed by the Controller. MA1 receives an Instruction to send the traffic and MA2 receives an Instruction to measured the received traffic and send Reports to the Collector.

   +----------------+              +----------------+    ^
   |  MA1           |              |  MA2           |  IPPM
   | iperf -u sender|-UDP traffic->| iperf -u recvr |  Scope
   |                |              |                |    v
...|................|..............|................|....v...  
   | LMAP interface |              | LMAP interface |    ^
   +----------------+              +----------------+    |
            ^                        ^   |               |
Instruction |    Instruction{Report} |   | Report        |
{task,      |    +-------------------+   |               |
 schedule}  |    |                       |               |
            |    |                       v              LMAP
       +------------+             +------------+       Scope
       | Controller |             |  Collector |         |
       +------------+             +------------+         v
                                                       IPPM

Figure A3: Schematic of LMAP-based measurement system,
with two Measurement Agents cooperating to measure UDP traffic

Next, we consider Passive Measurement Tasks. Traffic generated in one point in the network flowing towards a given destination and the traffic is passively observed in some point along the path. One way to implement this is that the endpoints generating and receiving the traffic are not instructed by the Controller; hence they are MPs. The MA is located along the path with a passive monitor function that measures the traffic. The MA is instructed by the Controller to monitor that particular traffic and to send the Report to the Collector. It is depicted in figure A4 below.

+-----+   +----------------+              +------+   ^   
| MP  |   | Passive Monitor|              | MP   | IPPM
|     |<--|----------------|---traffic--->|      | Scope
+-----+   |                |              +------+   |
   .......|................|.........................v...........  
          | LMAP interface |                                ^
          +----------------+                                |
                     ^     |                                |
         Instruction |     |  Report                        |
                     |     +-----------------+              |
                     |                       |              |
                     |                       v             LMAP
               +------------+             +------------+   Scope
               | Controller |             |  Collector |    |
               +------------+             +------------+    v


Figure A4: Schematic of LMAP-based measurement system,
with a Measurement Agent passively monitoring traffic

Finally, we should consider the case of a router or a switch along the measurement path. This certainly performs an important role in the measurement - if packets are not forwarded, the measurement task will not work. Whilst it doesn't has an interface with the Controller or Collector, and so fits into the definition of MP, usually it is not particularly useful to highlight it as a MP.

11. Acknowledgments

This document is a merger of three individual drafts: draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, and draft-eardley-lmap-framework-02.

Thanks to Juergen Schoenwaelder for his detailed review of the terminology. Thanks to Charles Cook for a very detailed review of -02.

Thanks to numerous people for much discussion, directly and on the LMAP list (apologies to those unintentionally omitted): Alan Clark, Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian Trammell, Charles Cook, Dave Thorne, Frode Sørensen, Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Michael Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey, Vaibhav Bajpai, William Lupton.

Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on the Leone research project, which receives funding from the European Union Seventh Framework Programme [FP7/2007-2013] under grant agreement number 317647.

12. History

First WG version, copy of draft-folks-lmap-framework-00.

12.1. From -00 to -01

12.2. From -01 to -02

12.3. From -02 to -03

12.4. From -03 to -04

13. Informative References

[Bur10] Burkhart, M., Schatzmann, D., Trammell, B. and E. Boschi, "The Role of Network Trace anonymisation Under Attack", January 2010.
[Q1741] Q.1741.7, , "IMT-2000 references to Release 9 of GSM-evolved UMTS core network", http://www.itu.int/rec/T-REC-Q.1741.7/en, November 2011.
[TR-069] TR-069, , "CPE WAN Management Protocol", http://www.broadband-forum.org/technical/trlist.php, November 2013.
[UPnP] ISO/IEC 29341-x, , "UPnP Device Architecture and UPnP Device Control Protocols specifications", http://upnp.org/sdcps-and-certification/standards/, 2011.
[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[RFC4101] Rescorla, E., IAB, "Writing Protocol Models", RFC 4101, June 2005.
[RFC4122] Leach, P., Mealling, M. and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, July 2005.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K. and J. Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", RFC 5357, October 2008.
[I-D.ietf-lmap-use-cases] Linsner, M., Eardley, P., Burbridge, T. and F. Sorensen, "Large-Scale Broadband Measurement Use Cases", Internet-Draft draft-ietf-lmap-use-cases-02, January 2014.
[I-D.manyfolks-ippm-metric-registry] Bagnulo, M., Claise, B., Eardley, P. and A. Morton, "Registry for Performance Metrics", Internet-Draft draft-manyfolks-ippm-metric-registry-00, February 2014.
[I-D.ietf-homenet-arch] Chown, T., Arkko, J., Brandt, A., Troan, O. and J. Weil, "IPv6 Home Networking Architecture Principles", Internet-Draft draft-ietf-homenet-arch-13, March 2014.
[RFC6419] Wasserman, M. and P. Seite, "Current Practices for Multiple-Interface Hosts", RFC 6419, November 2011.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R. and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2013.
[I-D.burbridge-lmap-information-model] Burbridge, T., Eardley, P., Bagnulo, M. and J. Schönwälder, "Information Model for Large-Scale Measurement Platforms (LMAP)", Internet-Draft draft-burbridge-lmap-information-model-01, October 2013.
[RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization Support", RFC 6235, May 2011.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M. and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, July 2013.
[I-D.ietf-ippm-lmap-path] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P. and A. Morton, "A Reference Path and Measurement Points for LMAP", Internet-Draft draft-ietf-ippm-lmap-path-02, February 2014.
[RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J. and M. Zekauskas, "A One-way Active Measurement Protocol (OWAMP)", RFC 4656, September 2006.
[RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K. and J. Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", RFC 5357, October 2008.
[RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, January 2003.

Authors' Addresses

Philip Eardley BT Adastral Park, Martlesham Heath Ipswich, ENGLAND EMail: philip.eardley@bt.com
Al Morton AT&T Labs 200 Laurel Avenue South Middletown, NJ, USA EMail: acmorton@att.com
Marcelo Bagnulo Universidad Carlos III de Madrid Av. Universidad 30 Leganes, Madrid 28911 SPAIN Phone: 34 91 6249500 EMail: marcelo@it.uc3m.es URI: http://www.it.uc3m.es
Trevor Burbridge BT Adastral Park, Martlesham Heath Ipswich, ENGLAND EMail: trevor.burbridge@bt.com
Paul Aitken Cisco Systems, Inc. 96 Commercial Street Edinburgh, Scotland EH6 6LX UK EMail: paitken@cisco.com
Aamer Akhter Cisco Systems, Inc. 7025 Kit Creek Road RTP, NC 27709 USA EMail: aakhter@cisco.com