One document matched: draft-ietf-lmap-framework-04.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes" ?>
<?rfc compact="yes"?>
<?rfc text-list-symbols="o*+-"?>
<rfc category="info" docName="draft-ietf-lmap-framework-04" ipr="trust200902"
obsoletes="" updates="">
<front>
<title abbrev="LMAP Framework">A framework for large-scale measurement
platforms (LMAP)</title>
<author fullname="Philip Eardley" initials="P." surname="Eardley">
<organization abbrev="BT">BT</organization>
<address>
<postal>
<street>Adastral Park, Martlesham Heath</street>
<city>Ipswich</city>
<country>ENGLAND</country>
</postal>
<email>philip.eardley@bt.com</email>
</address>
</author>
<author fullname="Al Morton" initials="A." surname="Morton">
<organization abbrev="AT&T Labs">AT&T Labs</organization>
<address>
<postal>
<street>200 Laurel Avenue South</street>
<city>Middletown, NJ</city>
<country>USA</country>
</postal>
<email>acmorton@att.com</email>
</address>
</author>
<author fullname="Marcelo Bagnulo" initials="M." surname="Bagnulo">
<organization abbrev="UC3M">Universidad Carlos III de
Madrid</organization>
<address>
<postal>
<street>Av. Universidad 30</street>
<city>Leganes</city>
<region>Madrid</region>
<code>28911</code>
<country>SPAIN</country>
</postal>
<phone>34 91 6249500</phone>
<email>marcelo@it.uc3m.es</email>
<uri>http://www.it.uc3m.es</uri>
</address>
</author>
<author fullname="Trevor Burbridge" initials="T." surname="Burbridge">
<organization abbrev="BT">BT</organization>
<address>
<postal>
<street>Adastral Park, Martlesham Heath</street>
<city>Ipswich</city>
<country>ENGLAND</country>
</postal>
<email>trevor.burbridge@bt.com</email>
</address>
</author>
<author fullname="Paul Aitken" initials="P." surname="Aitken">
<organization abbrev="Cisco Systems">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>96 Commercial Street</street>
<city>Edinburgh</city>
<region>Scotland</region>
<code>EH6 6LX</code>
<country>UK</country>
</postal>
<email>paitken@cisco.com</email>
</address>
</author>
<author fullname="Aamer Akhter" initials="A." surname="Akhter">
<organization abbrev="Cisco Systems">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>7025 Kit Creek Road</street>
<city>RTP</city>
<region>NC</region>
<code>27709</code>
<country>USA</country>
</postal>
<email>aakhter@cisco.com</email>
</address>
</author>
<date day="31" month="March" year="2014"/>
<abstract>
<t>Measuring broadband service on a large scale requires a description
of the logical architecture and standardisation of the key protocols
that coordinate interactions between the components. The document
presents an overall framework for large-scale measurements. It also
defines terminology for LMAP (large-scale measurement platforms).</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>There is a desire to be able to coordinate the execution of broadband
measurements and the collection of measurement results across a large
scale set of diverse devices. These devices could be software based
agents on PCs, embedded agents in consumer devices (e.g. blu-ray
players), service provider controlled devices such as set-top players
and home gateways, or simply dedicated probes. It is expected that such
a system could easily comprise 100,000 devices. Such a scale presents
unique problems in coordination, execution and measurement result
collection. Several use cases have been proposed for large-scale
measurements including:</t>
<t><list style="symbols">
<t>Operators: to help plan their network and identify faults</t>
<t>Regulators: to benchmark several network operators and support
public policy development</t>
</list>Further details of the use cases can be found in <xref
target="I-D.ietf-lmap-use-cases"/>. The LMAP framework should be useful
for these, as well as other use cases, such as to help end users run
diagnostic checks like a network speed test.</t>
<t>The LMAP framework has three basic elements: Measurement Agents,
Controllers and Collectors.</t>
<t>Measurement Agents (MAs) perform the actual measurements, which are
called Measurement Tasks in the LMAP terminology.</t>
<t>The Controller manages one or more MAs by instructing it which
Measurement Tasks it should perform and when. For example it may
instruct a MA at a home gateway: “Measure the ‘UDP
latency’ with www.example.org; repeat every hour at xx.05”.
The Controller also manages a MA by instructing it how to report the
Measurement Results, for example: “Report results once a day in a
batch at 4am”. We refer to these as the Measurement Schedule and
Report Schedule.</t>
<t>The Collector accepts Reports from the MAs with the Results from
their Measurement Tasks. Therefore the MA is a device that gets
Instructions from the Controller, initiates the Measurement Tasks, and
reports to the Collector.</t>
<t>There are additional elements that are part of a measurement system,
but these are out of the scope for LMAP. We provide a detailed
discussion of all the elements in the rest of the document.</t>
<t>The desirable features for a large-scale measurement systems we are
designing for are:</t>
<t><list style="symbols">
<t>Standardised - in terms of the Measurement Tasks that they
perform, the components, the data models and protocols for
transferring information between the components. Amongst other
things, standardisation enables meaningful comparisons of
measurements made of the same metric at different times and places,
and provides the operator of a measurement system with a criteria
for evaluation of the different solutions that can be used for
various purposes including buying decisions (such as buying the
various components from different vendors). Today's systems are
proprietary in some or all of these aspects.</t>
<t>Large-scale - <xref target="I-D.ietf-lmap-use-cases"/> envisages
Measurement Agents in every home gateway and edge device such as
set-top-boxes and tablet computers. It is expected that a
measurement system could easily encompass a few hundred thousand
Measurement Agents. Existing systems have up to a few thousand MAs
(without judging how much further they could scale).</t>
<t>Diversity - a measurement system should handle different types of
Measurement Agent - for example Measurement Agents may come from
different vendors, be in wired and wireless networks, have different
Measurement Task capabilities and be on devices with IPv4 or IPv6
addresses.</t>
</list></t>
</section>
<section title="Outline of an LMAP-based measurement system">
<t>Figure 1 shows the main components of a measurement system, and the
interactions of those components. Some of the components are outside the
scope of LMAP. In this section we provide an overview of the whole
measurement system and we introduce the main terms needed for the LMAP
framework. The new terms are capitalised. In the next section we provide
a terminology section with a compilation of all the LMAP terms and their
definition.</t>
<t>The main work of the LMAP working group is to define the Control
Protocol between the Controller and MA, and the Report Protocol between
the MA and Collector. Section 4 onwards considers the LMAP components in
more detail.</t>
<t>The MA performs Measurement Tasks. The MAs are pieces of code that
can be executed in specialised hardware (hardware probe) or on a
general-purpose device (like a PC or mobile phone). A device with a
Measurement Agent may have multiple interfaces (WiFi, Ethernet, DSL,
fibre, etc.) and the Measurement Tasks may specify any one of these.
Measurement Tasks may be Active (the MA generates Active Measurement
Traffic and measures some metric associated with its transfer), Passive
(the MA observes user traffic), or some hybrid form of the two.</t>
<t>The MA is managed by a Controller using the Control Protocol. The MA
receives Instructions from the Controller about which Measurement Tasks
it should perform and when. For example the Controller may instruct a MA
at a home gateway: “Count the number of TCP SYN packets observed
in a 1 minute interval; repeat every hour at xx.05 + Unif[0,180]
seconds”. The Measurement Schedule determines when the Measurement
Tasks are executed. The Controller also manages a MA by instructing it
how to report the Measurement Results, for example: “Report
results once a day in a batch at 4am + Unif[0,180] seconds; if the end
user is active then delay the report 5 minutes”. The Report
Schedule determines when the Reports are uploaded to the Collector. The
Measurement chedule and Report Schedule can define one-off
(non-recurring) actions ("Do measurement now", "Report as soon as
possible"), as well as recurring ones.</t>
<t>The Collector accepts a Report from a MA with the Measurement Results
from its Measurement Tasks. It then provides the Results to a repository
(see below).</t>
<t>Some Measurement Tasks involve several MAs acting in a coordinated
fashion. This coordination is achieved by the Controller instructing the
multiple MAs in a coherent manner. In some Measurement Tasks the MA(s)
is assisted by one or more network entities that are not managed by the
Controller. The entities that helps the MA in the Measurement Tasks but
are not managed by the Controller are called Measurement Peers (MPs).
For example consider the case of a "ping" Measurement Task, to measure
the round trip delay between the MA and a given ICMP ECHO responder in
the Internet. In this case, the responder is the Measurement Peer. The
ICMP ECHO request and ICMP ECHO Requests and Replies flowing between the
MA and the MP is called Active Measurement Traffic. The Appendix has
some other examples of possible arrangements of Measurement Agents and
Peers.</t>
<t>A Measurement Method defines how to measure a Metric of interest. It
is very useful to standardise Measurement Methods, so that it is
meaningful to compare measurements of the same Metric made at different
times and places. It is also useful to define a registry for
commonly-used Metrics <xref
target="I-D.manyfolks-ippm-metric-registry"/> so that a Measurement
Method can be referred to simply by its identifier in the registry. The
Measurement Methods and registry will hopefully be referenced by other
standards organisations.</t>
<t>A Measurement Task is a specific instantiation of a Measurement
Method.It generates a Measurement Result. An Active Measurement Task
involves either a Measurement Agent (MA) injecting Active Measurement
Traffic into the network destined for a Measurement Peer or for another
Measurement Agent, and/or a Measurement Peer (or another Measurement
Agent) sending Active Measurement Traffic to a MA; one of them measures
some parameter associated with the transfer of the packet(s). A Passive
Measurement Task involves a MA simply observing existing traffic - for
example, it could count bytes or it might calculate the average loss for
a particular flow.</t>
<t>In order for a Measurement Agent and a Measurement Peer (or another
Measurement Agent) to execute an Active Measurement Task, they exchange
Active Measurement Traffic. The protocols used for the Active
Measurement Traffic are out of the scope of the LMAP WG; they fall
within the scope of other IETF WGs such as IPPM.</t>
<t>For Measurement Results to be truly comparable, as might be required
by a regulator, not only do the same Measurement Methods need to be used
but also the set of Measurement Tasks should follow a similar
Measurement Schedule and be of similar number. The details of such a
characterisation plan are beyond the scope of work in IETF although
certainly facilitated by IETF's work.</t>
<t>Finally we introduce several components that are out of scope of the
LMAP WG and will be provided through existing protocols or applications.
They affect how the measurement system uses the Measurement Results and
how it decides what set of Measurement Tasks to perform.</t>
<t>The MA needs to be bootstrapped with initial details about its
Controller, including authentication credentials. The LMAP WG considers
the bootstrap process, since it affects the Information Model. However,
it does not define a bootstrap protocol, since it is likely to be
technology specific and could be defined by the Broadband Forum,
CableLabs or IEEE depending on the device. Possible protocols are SNMP,
NETCONF or (for Home Gateways) CPE WAN Management Protocol (CWMP) from
the Auto Configuration Server (ACS) (as specified in TR-069 <xref
target="TR-069"/>).</t>
<t>A Subscriber parameter database contains information about the line,
such as the customer's broadband contract (perhaps 2, 40 or 80Mb/s), the
line technology (DSL or fibre), the time zone where the MA is located,
and the type of home gateway and MA. These parameters are already
gathered and stored by existing operations systems. They may affect the
choice of what Measurement Tasks to run and how to interpret the
Measurement Results. For example, a download test suitable for a line
with an 80Mb/s contract may overwhelm a 2Mb/s line.</t>
<t>A results repository records all Measurement Results in an equivalent
form, for example an SQL database, so that they can easily be accessed
by the data analysis tools.</t>
<t>The data analysis tools receive the results from the Collector or via
the Results repository. They might visualise the data or identify which
component or link is likely to be the cause of a fault or degradation.
This information could help the Controller decide what follow-up
Measurement Task to perform in order to diagnose a fault. The data
analysis tools also need to understand the Subscriber's service
information, for example the broadband contract.</t>
<t/>
<figure>
<artwork><![CDATA[ ^
|
Active +-------------+ IPPM
+---------------+ Measurement | Measurement | Scope
| Measurement |<------------>| Peer | |
| Agent | Traffic +-------------+ v
+------->| | ^
| +---------------+ |
| ^ | |
| Instruction | | Report |
| | +-----------------+ |
| | | |
| | v LMAP
| +------------+ +------------+ Scope
| | Controller | | Collector | |
| +------------+ +------------+ v
| ^ ^ | ^
| | | | |
| | +----------+ | |
| | | v |
+------------+ +----------+ +--------+ +----------+ |
|Bootstrapper| |Subscriber|--->| data |<---|repository| Out
+------------+ |parameter | |analysis| +----------+ of
|database | | tools | Scope
+----------+ +--------+ |
|
v
Figure 1: Schematic of main elements of an LMAP-based
measurement system
(showing the elements in and out of the scope of the LMAP WG)
]]></artwork>
</figure>
</section>
<section title="Terminology">
<t>This section defines terminology for LMAP. Please note that defined
terms are capitalized.</t>
<t>Active Measurement Method (Task): A Measurement Method (Task) in
which a Measurement Agent creates or receives Active Measurement
Traffic, by coordinating with one or more other Measurement Agents or
Measurement Peers using protocols outside LMAP's scope.</t>
<t>Active Measurement Traffic: the packet(s) generated in order to
execute an Active Measurement Task.</t>
<t>Bootstrap: A process that integrates a Measurement Agent into a
measurement system.</t>
<t>Capabilities: Information about the Measurement Methods that the MA
can perform and the device hosting the MA, for example its interface
type and speed, but not dynamic information.</t>
<t>Channel: A bi-directional logical connection that is defined by a
specific Controller and MA, or Collector and MA, plus associated
security.</t>
<t>Collector: A function that receives a Report from a Measurement
Agent.</t>
<t>Controller: A function that provides a Measurement Agent with its
Instruction.</t>
<t>Control Channel: a Channel between a Controller and a MA over which
Instruction Messages and Capabilities and Failure information are
sent.</t>
<t>Control Protocol: The protocol delivering Instruction(s) from a
Controller to a Measurement Agent. It also delivers Failure Information
and Capabilities Information from the Measurement Agent to the
Controller.</t>
<t>Cycle-ID: A tag that is sent by the Controller in an Instruction and
echoed by the MA in its Report. The same Cycle-ID is used by several MAs
that use the same Measurement Method with the same Input Parameters.
Hence the Cycle-ID allows the Collector to easily identify Measurement
Results that should be comparable.</t>
<t>Data Model: The implementation of an Information Model in a
particular data modelling language <xref target="RFC3444"/>.</t>
<t>Data Transfer Method: The process whereby: a Controller transfers
information over a Control Channel to a MA; or a MA transfers
information over a Control Channel to a Controller; or a MA transfers
information over a Report Channel to a Collector; the generalisation of
a Data Transfer Task.</t>
<t>Data Transfer Task: The act consisting of the (single) operation of a
Data Transfer Method at a particular time.</t>
<t>Environmental Constraint: A parameter that is measured as part of the
Measurement Task, its value determining whether the rest of the
Measurement Task proceeds.</t>
<t>Failure Information: Information about the MA's failure to action or
execute an Instruction, whether concerning Measurement Tasks or
Reporting.</t>
<t>Group-ID: An identifier of a group of MAs.</t>
<t>Information Model: The protocol-neutral definition of the semantics
of the Instructions, the Report, the status of the different elements of
the measurement system as well of the events in the system <xref
target="RFC3444"/>.</t>
<t>Input Parameter: A parameter whose value is left open by the
Measurement Method and is set to a specific value in a Measurement Task.
Altering the value of an Input Parameter does not change the fundamental
nature of the Measurement Method.</t>
<t>Instruction: The description of Measurement Tasks for a MA to perform
and the details of the Report for it to send. It is the collective
description of the Measurement Task configurations, the configuration of
the Report Channel(s), the configuration of Data Transfer Tasks, the
configuration of the Measurement Schedules, and the details of any
suppression.</t>
<t>Instruction Message: The message that carries an Instruction from a
Controller to a Measurement Agent.</t>
<t>Measurement Agent (MA): The function that receives Instruction
Messages from a Controller and operates the Instruction by executing
Measurement Tasks (using protocols outside LMAP's scope and perhaps in
concert with one or more other Measurement Agents or Measurement Peers)
and (if part of the Instruction) by reporting Measurement Results to a
Collector or Collectors.</t>
<t>Measurement Agent Identifier (MA-ID): a UUID <xref target="RFC4122"/>
that identifies a particular MA and is configured as part of the
Bootstrapping process.</t>
<t>Measurement Method: The process for assessing the value of a Metric;
the process of measuring some performance or reliability parameter
associated with the transfer of traffic; the generalisation of a
Measurement Task.</t>
<t>Measurement Peer (MP): The function that assists a Measurement Agent
with Measurement Tasks and does not have an interface to the Controller
or Collector.</t>
<t>Measurement Result: The output of a single Measurement Task (the
value obtained for the parameter of interest or Metric).</t>
<t>Measurement Schedule: The schedule for performing Measurement
Tasks.</t>
<t>Measurement Task: The act that consistsof the single operation of the
Measurement Method at a particular time and with all its Input
Parameters set to specific values.</t>
<t>Metric: The quantity related to the performance and reliability of
the network that we'd like to know the value of, and that is carefully
specified.</t>
<t>Passive Measurement Method (Task): A Measurement Method (Task) in
which a Measurement Agent observes existing traffic but does not inject
Active Measurement Traffic.</t>
<t>Report: The set of Measurement Results and other associated
information (as defined by the Instruction). The Report is sent by a
Measurement Agent to a Collector.</t>
<t>Report Channel: a communications channel between a MA and a
Collector, which is defined by a specific MA, Collector, Report Schedule
and associated security, and over which Reports are sent.</t>
<t>Report Protocol: The protocol delivering Report(s) from a Measurement
Agent to a Collector.</t>
<t>Report Schedule: the schedule for sending Reports to a Collector.</t>
<t>Subscriber: An entity (associated with one or more users) that is
engaged in a subscription with a service provider. The Subscriber is
allowed to subscribe and un-subscribe services, and to register a user
or a list of users authorized to enjoy these services. <xref
target="Q1741"/>. Both the Subscriber and service provider are allowed
to set the limits relative to the use that associated users make of
subscribed services.</t>
<t>Suppression: the temporary cessation of Active Measurement Tasks.</t>
</section>
<section title="Constraints">
<t>The LMAP framework makes some important assumptions, which constrain
the scope of the work to be done.</t>
<section title="Measurement system is under the direction of a single organisation">
<t>In the LMAP framework, the measurement system is under the
direction of a single organisation that is responsible for any impact
that measurements have on a user's quality of experience and privacy.
Clear responsibility is critical given that a misbehaving large-scale
measurement system could potentially harm user experience, user
privacy and network security.</t>
<t>However, the components of an LMAP measurement system can be
deployed in administrative domains that are not owned by the measuring
organisation. Thus, the system of functions deployed by a single
organisation constitutes a single LMAP domain which may span ownership
or other administrative boundaries.</t>
</section>
<section title="Each MA may only have a single Controller at any point in time">
<t>A MA is instructed by one Controller and is in one measurement
system. The constraint avoids different Controllers giving a MA
conflicting instructions and so means that the MA does not have to
manage contention between multiple Measurement (or Report) Schedules.
This simplifies the design of MAs (critical for a large-scale
infrastructure) and allows a Measurement Schedule to be tested on
specific types of MA before deployment to ensure that the end user
experience is not impacted (due to CPU, memory or broadband-product
constraints).</t>
<t>An operator may have several Controllers, perhaps with a Controller
for different types of MA (home gateways, tablets) or location
(Ipswich, Edinburgh).</t>
</section>
</section>
<section title="LMAP Protocol Model">
<t>A protocol model <xref target="RFC4101"/> presents an architectural
model for how the protocol operates and needs to answer three basic
questions:</t>
<t><list style="numbers">
<t>What problem is the protocol trying to achieve?</t>
<t>What messages are being transmitted and what do they mean?</t>
<t>What are the important, but unobvious, features of the
protocol?</t>
</list></t>
<t>An LMAP system goes through the following phases:</t>
<t><list style="symbols">
<t>a bootstrapping process before the MA can take part in the other
three phases</t>
<t>a Control Protocol, which delivers an Instruction from a
Controller to a MA, detailing what Measurement Tasks the MA should
perform and when, and how it should report the Measurement
Results</t>
<t>the actual Measurement Tasks, which measure some performance or
reliability parameter(s) associated with the transfer of packets.
The LMAP WG does not define Measurement Methods, however the IPPM WG
does.</t>
<t>a Report Protocol, which delivers a Report from the MA to a
Collector. The Report contains the Measurement Results.</t>
</list></t>
<t>The diagrams show the various LMAP messages and usesthe following
convention:</t>
<t><list style="symbols">
<t>(optional): indicated by round brackets</t>
<t>[potentially repeated]: indicated by square brackets</t>
</list></t>
<t>The protocol model is closely related to the Information Model <xref
target="I-D.burbridge-lmap-information-model"/>, which is the abstract
definition of the information carried by the protocol model. The purpose
of both is to provide a protocol and device independent view, which can
be implemented via specific protocols. The LMAP WG will define a
specific Control Protocol and Report Protocol, but others could be
defined by other standards bodies or be proprietary. However it is
important that they all implement the same Information Model and
protocol model, in order to ease the definition, operation and
interoperability of large-scale measurement systems.</t>
<t/>
<section title="Bootstrapping process">
<t>The primary purpose of bootstrapping is to enable a MA to be
integrated into a measurement system. The MA retrieves information
about itself (like its identity in the measurement system) and about
the Controller, the Controller learns information about the MA, and
they learn about security information to communicate (such as
certificates and credentials).</t>
<t>Whilst the LMAP WG considers the bootstrapping process, it is out
of scope to define a bootstrap mechanism, as it depends on the type of
device and access.</t>
<t>As a result of the bootstrapping process the MA learns the
following information:</t>
<t><list style="symbols">
<t>its identifier, MA-ID</t>
<t>(optionally) a Group-ID. A Group-ID would be shared by several
MAs and could be useful for privacy reasons, for instance to
hinder tracking of a mobile device</t>
<t>the Control Channel, which is defined by:<list style="symbols">
<t>the address of the Controller (such as its FQDN (Fully
Qualified Domain Name) <xref target="RFC1035"/>)</t>
<t>security information (for example to enable the MA to
decrypt the Instruction Message and encrypt messages sent to
the Controller)</t>
<t>the name of this Control Channel</t>
</list></t>
</list>The details of the bootstrapping process are device /access
specific. For example, the information could be in the firmware,
manually configured or transferred via a protocol like TR-069. There
may be a multi-stage process where the MA contacts the device at a
'hard-coded' address, which replies with the boostrapping
information.</t>
<t/>
</section>
<section title="Control Protocol">
<t>The primary purpose of the Control Protocol is to allow the
Controller to configure a Measurement Agent with an Instruction about
what Measurement Tasks to do, when to do them, and how to report the
Measurement Results (Section 5.2.1). The Measurement Agent then acts
on the Instruction autonomously. The Control Protocol also enables the
MA to inform the Controller about its Capabilities and any Failures
(Section 5.2.2).</t>
<t/>
<section title="Instruction">
<t>The Instruction is the description of the Measurement Tasks for a
Measurement Agent to do and the details of the Measurement Reports
for it to send. In order to update the Instruction the Controller
uses a Data Transfer Task to send an Instruction Message over the
Control Channel.</t>
<t/>
<t><figure>
<artwork><![CDATA[+-----------------+ +-------------+
| | | Measurement |
| Controller |======================================| Agent |
+-----------------+ +-------------+
Instruction: ->
[(Measurement Task configuration(
[Input Parameter],
(interface),
(Cycle-ID))),
(Report Channel),
(Data Transfer Task),
(Measurement Schedule),
(Suppression information)]
<- Response(details)
]]></artwork>
</figure></t>
<t>The Instruction defines the following:</t>
<t><list style="symbols">
<t>the Measurement Task configurations, each of which
needs:<list style="symbols">
<t>the Measurement Method, specified as a URN to a registry
entry. The registry could be defined by the IETF <xref
target="I-D.manyfolks-ippm-metric-registry"/>, locally by
the operator of the measurement system or perhaps by another
standards organisation.</t>
<t>any Input Parameters that need to be set for the
Measurement Method, such as the address of the Measurement
Peer (or other Measurement Agent) that are involved in an
Active Measurement Task</t>
<t>if the device with the MA has multiple interfaces, then
the interface to use (if not defined, then the default
interface is used)</t>
<t>optionally, a Cycle-ID (a tag that may help the data
analysis tools identify Measurement Results that should be
comparable)</t>
<t>a name for this Measurement Task configuration</t>
</list></t>
<t>configuration of the Report Channels, each of which
needs:<list style="symbols">
<t>the address of the Collector, for instance its URL</t>
<t>security for this Report Channel, for example the X.509
certificate</t>
<t>a name for this Report Channel</t>
</list></t>
<t>configuration of the Data Transfer Tasks, each of which
needs:<list style="symbols">
<t>the name of the Channel to use</t>
<t>the timing of when to operate this Data Transfer Task</t>
<t>whether to include the MA-ID &/or Group-ID in a
Measurement Report</t>
<t>a name for this Data Transfer Task</t>
</list>A Data Transfer Task may concern the reporting of
Measurement Results (when the timing could be every hour or
immediately, for instance). Alternatively, a Data Transfer Task
may concern the MA informing the Controller about its
Capabilities or any Failures.</t>
<t>configuration of the Measurement Schedules, each of which
needs:<list style="symbols">
<t>the name of one or several Measurement Task
configurations</t>
<t>the timing of when the Measurement Tasks are to be
performed. Possible types of timing are periodic,
calendar-based periodic, one-off immediate and one-off at a
future time</t>
<t>the name of a Data Transfer Task or Tasks on which to
report the Measurement Results</t>
<t>a name for this Measurement Schedule</t>
</list></t>
<t>Suppression information, if any (see Section 5.2.1.1)</t>
</list></t>
<t>A single Instruction Message may contain some or all of the above
parts. The finest level of granularity possible in an Instruction
Message is determined by the implementation and operation of the
Control Protocol. For example, a single Instruction Message may be
able to add or update an individual Measurement Schedule - or it may
only be able to update the complete set of Measurement Schedules; a
single Instruction Message may be able to update both Measurement
Schedules and Measurement Task configurations - or only one at a
time; and so on.</t>
<t>The MA informs the Controller that it has successfully understood
the Instruction Message, or that it cannot action the Instruction -
for example, if it doesn't include a parameter that is mandatory for
the requested Measurement Method, or it is missing details of the
target Collector.</t>
<t>The Instruction Message instructs the MA; the Control Protocol
does not allow the MA to negotiate, as this would add complexity to
the MA, Controller and Control Protocol for little benefit.</t>
<t/>
<section title="Suppression">
<t>The Instruction may include Suppression information.
Suppression is used if the measurement system wants to eliminate
inessential traffic, because there is some unexpected network
issue for example. By default, Suppression means that the MA does
not begin any new Active Measurement Task. The impact on other
Measurement Tasks is not defined by LMAP; since they do not
involve the MA creating any Active Measurement Traffic there is no
need to suppress them, however it may be simpler for an
implementation to do so. Also, by default Suppression starts
immediately and continues until an un-suppress message is
received. Optionally the Suppression information may include:</t>
<t><list style="symbols">
<t>a set of Measurement Tasks to suppress; the others are not
suppressed. For example, this could be useful if a particular
Measurement Task is overloading a Measurement Peer.</t>
<t>a set of Measurement Schedules to suppress; the others are
not suppressed. For example, suppose the measurement system
has defined two Schedules, one with the most critical
Measurement Tasks and the other with less critical ones that
create a lot of Active Measurement Traffic, then it may only
want to suppress the second.</t>
<t>a start time, at which suppression begins</t>
<t>an end time, at which suppression ends</t>
<t>that the MA should end its on-going Active Measurement
Task(s).</t>
</list></t>
<t>Note that Suppression is not intended to permanently stop a
Measurement Task (instead, the Controller should send a new
Measurement Schedule), nor to permanently disable a MA (instead,
some kind of management action is suggested).</t>
<t/>
<figure>
<artwork><![CDATA[+-----------------+ +-------------+
| | | Measurement |
| Controller |===================================| Agent |
+-----------------+ +-------------+
Suppress:
[(Measurement Task), ->
(Measurement Schedule),
start time,
end time,
on-going suppressed?]
Un-suppress ->
]]></artwork>
</figure>
</section>
</section>
<section title="Capabilities and Failure information">
<t>The Control Protocol also enables the MA to inform the Controller
about various information, such as its Capabilities and any
Failures, by the MA operating a Data Transfer Task. It is also
possible that a device-specific mechanism beyond the scope of LMAP
is used.</t>
<t>Capabilities are information about the MA that the Controller
needs to know in order to correctly instruct the MA, such as:</t>
<t><list style="symbols">
<t>the Measurement Methods that the MA supports</t>
<t>the interfaces that the MA has</t>
<t>the version of the MA</t>
<t>the version of the hardware, firmware or software of the
device with the MA</t>
<t>but not dynamic information like the currently unused CPU,
memory or battery life of the device with the MA.</t>
</list></t>
<t>The MA could do this in response to a request from the Controller
(for example, if the Controller forgets what the MA can do or
otherwise wants to resynchronize what it knows about the MA) or on
its own initiative (for example when the MA first communicates with
a Controller or if it becomes capable of a new Measurement Method).
Another example of the latter case is if the device with the MA
re-boots, then the MA should notify its Controller in case its
Instruction needs to be updated; to avoid a "mass calling event"
after a widespread power restoration affecting many MAs, it is
sensible for an MA to pause for a random delay, perhaps in the range
of one minute or so.</t>
<t>Failure information is sent on the initiative of the MA and
concerns why the MA has been unable to execute a Measurement Task or
Data Transfer Task, for example:</t>
<t><list style="symbols">
<t>the Measurement Task failed to run properly because the MA
(unexpectedly) has no spare CPU cycles</t>
<t>the MA failed record the Measurement Results because it
(unexpectedly) is out of spare memory</t>
<t>a Data Transfer Task failed to deliver Measurement Results
because the Collector (unexpectedly) is not responding</t>
<t>but not if a Measurement Task correctly doesn't start. For
example, the first step of some Measurement Methods is for the
MA to check there is no cross-traffic.</t>
</list></t>
<t>Logging information is sent by the MA in response to a request
from the Controller; it concerns how the MA is operating and may
help debugging, for example:</t>
<t><list style="symbols">
<t>the last time the MA ran a Measurement Task</t>
<t>the last time the MA sent a Measurement Report</t>
<t>the last time the MA received an Instruction Message</t>
<t>whether the MA is currently Suppressing Measurement Tasks</t>
</list>.</t>
<t><figure>
<artwork><![CDATA[+-----------------+ +-------------+
| | | Measurement |
| Controller |===================================| Agent |
+-----------------+ +-------------+
(Capabilities request) ->
<- Capabilities
<- Failure Information
[reason]
Logging request ->
<- Logging Information
[details]
]]></artwork>
</figure></t>
<t/>
</section>
</section>
<section title="Operation of Measurement Tasks">
<t>The LMAP WG is neutral to what the actual Measurement Task is. It
does not define Measurement Methods, however the IPPM WG does.</t>
<t>The MA carries out the Measurement Tasks as instructed, unless it
gets an updated Instruction. The MA acts autonomously, in terms of
operation of the Measurement Tasks and reporting of the Results; it
doesn't do a 'safety check' with the Controller to ask whether it
should still continue with the requested Measurement Tasks.</t>
<t/>
<section title="Starting and Stopping Measurement Tasks">
<t>The WG does not define a generic start and stop process, since
the correct approach depends on the particular Measurement Task; the
details are defined as part of each Measurement Method. This section
provides some general hints. The MA does not inform the Controller
about Measurement Tasks starting and stopping.</t>
<t>Before sending Active Measurement Traffic the MA may run a
pre-check. Action could include:</t>
<t><list style="symbols">
<t>the MA checking that there is no cross-traffic. In other
words, a check that the end-user isn’t already sending
traffic;</t>
<t>the MA checking with the Measurement Peer (or other
Measurement Agent involved in the Measurement Task) that it can
handle a new Measurement Task (in case, for example, the
Measurement Peer is already handling many Measurement Tasks with
other MAs);</t>
<t>the first part of the Measurement Task consisting of traffic
that probes the path to make sure it isn’t overloaded;</t>
<t>the first part of the Measurement Task checking that the
device with the MA has enough resources to execute the
Measurement Task reliably. Note that the designer of the
measurement system should ensure that the device's capabilities
are normally sufficient to comfortably operate the Measurement
Tasks.</t>
</list>It is possible that similar checks continue during the
Measurement Task, especially one that is long-running and/or creates
a lot of Active Measurement Traffic, and might lead to it being
abandoned whilst in-progress. A Measurement Task could also be
abandoned in response to a "suppress" message (see Section 5.2.1).
Action could include:</t>
<t><list style="symbols">
<t>For ‘upload’ tests, the MA not sending
traffic</t>
<t>For ‘download’ tests, the MA closing the TCP
connection or sending a TWAMP Stop control message <xref
target="RFC5357"/>.</t>
</list></t>
<t>The Controller may want a MA to run the same Measurement Task
indefinitely (for example, "run the 'upload speed' Measurement Task
once an hour until further notice"). To avoid the MA generating
traffic forever after a Controller has permanently failed, it is
suggested that the Measurement Schedule includes a time limit ("run
the 'upload speed' Measurement Task once an hour for the next 30
days") and that the Measurement Schedule is updated regularly (say,
every 10 days).</t>
<t/>
</section>
<section title="Overlapping Measurement Tasks">
<t>It is possible that a MA starts a new Measurement Task before
another Measurement Task has completed. This may be intentional (the
way that the measurement system has designed the Measurement
Schedules), but it could also be unintentional - for instance, if a
Measurement Task has a 'wait for X' step which pauses for an
unexpectedly long time. The operator of the measurement system can
handle (or not) overlapping Measurement Tasks in any way they choose
- it is a policy or implementation issue and not the concern of
LMAP. Some possible approaches are: to configure the MA not to begin
the second Measurement Task; to start the second Measurement Task as
usual; for the action to be an Input Parameter of the Measurement
Task; and so on.</t>
<t>It is likely to be important to include in the Measurement Report
the fact that the Measurement Task overlapped with another.</t>
</section>
</section>
<section title="Report Protocol">
<t>The primary purpose of the Report Protocol is to allow a
Measurement Agent to report its Measurement Results to a Collector,
along with the context in which they were obtained.</t>
<t><figure>
<artwork><![CDATA[+-----------------+ +-------------+
| | | Measurement |
| Collector |===================================| Agent |
+-----------------+ +-------------+
<- Report:
[MA-ID &/or Group-ID],
[Measurement Result
[details of Measurement Task]]
ACK ->
]]></artwork>
</figure></t>
<t>The Report contains:<list style="symbols">
<t>the MA-ID or a Group-ID (to anonymise results)</t>
<t>the actual Measurement Results, including the time they were
measured</t>
<t>the details of the Measurement Task (to avoid the Collector
having to ask the Controller for this information later)</t>
<t>perhaps the Subscriber's service parameters (see Section
5.4.1).</t>
</list></t>
<t>The MA sends Reports as defined by the Data Transfer Task in the
Controller's Instruction. It is possible that the Instruction tells
the MA to report the same Results to more than one Collector, or to
report a different subset of Results to different Collectors. It is
also possible that a Measurement Task may create two (or more)
Measurement Results, which could be reported differently (for example,
one Result could be reported periodically, whilst the second Result
could be an alarm that is created as soon as the measured value of the
Metric crosses a threshold and that is reported immediately).</t>
<t>Optionally, a Report is not sent when there are no Measurement
Results.</t>
<t>In the initial LMAP Information Model and Report Protocol, for
simplicity we assume that all Measurement Results are reported as-is,
but allow extensibility so that a measurement system (or perhaps a
second phase of LMAP) could allow a MA to:</t>
<t><list style="symbols">
<t>label, or perhaps not include, Measurement Results impacted by,
for instance, cross-traffic or the Measurement Peer (or other
Measurment Agent) being busy</t>
<t>label Measurement Results obtained by a Measurement Task that
overlapped with another</t>
<t>not report the Measurement Results if the MA believes that they
are invalid</t>
<t>detail when Suppression started and ended</t>
</list></t>
<t/>
<section title="Reporting of Subsriber's service parameters">
<t>The Subscriber's service parameters are information about his/her
broadband contract, line rate and so on. Such information is likely
to be needed to help analyse the Measurement Results, for example to
help decide whether the measured download speed is reasonable.</t>
<t>The information could be transferred directly from the Subscriber
parameter database to the data analysis tools. It may also be
possible to transfer the information via the MA. How (and if) the MA
knows such information is likely to depend on the device type. The
MA could either include the information in a Measurement Report or
run a separate Data Transfer Task. All such considerations are out
of scope of LMAP.</t>
</section>
</section>
<section title="Operation of LMAP over the underlying transport protocol">
<t>The above sections have described LMAP's protocol model. As part of
the design of the Control and Report Protocols, the LMAP working group
will specify operation over an existing protocol, to be selected, for
example REST-style HTTP(S). It is also possible that a different
choice is made for the Control and Report Protocols, for example
NETCONF-YANG and IPFIX respectively.</t>
<t>From an LMAP perspective, the Controller needs to know that the MA
has received the Instruction Message, or at least that it needs to be
re-sent as it may have failed to be delivered. Similarly the MA needs
to know about the delivery of Capabilities and Failure information to
the Controller and Reports to the Collector. How this is done depends
on the design of the Control and Report Protocols and the underlying
transport protocol.</t>
<t>For the Control Protocol, the underlying transport protocol could
be:</t>
<t><list style="symbols">
<t>a 'push' protocol (that is, from the Controller to the MA)</t>
<t>a multicast protocol (from the Controller to a group of
MAs)</t>
<t>a 'pull' protocol. The MA periodically checks with Controller
if the Instruction has changed and pulls a new Instruction if
necessary. A pull protocol seems attractive for a MA behind a NAT
(as is typical for a MA on an end-user's device), so that it can
initiate the communications. A pull mechanism is likely to require
the MA to be configured with how frequently it should check in
with the Controller, and perhaps what it should do if the
Controller is unreachable after a certain number of attempts.</t>
<t>a hybrid protocol. In addition to a pull protocol, the
Controller can also push an alert to the MA that it should
immediately pull a new Instruction.</t>
</list>For the Report Protocol, the underlying transport protocol
could be:</t>
<t><list style="symbols">
<t>a 'push' protocol (that is, from the MA to the Collector)</t>
<t>perhaps supplemented by the ability for the Collector to 'pull'
Measurement Results from a MA.</t>
</list></t>
</section>
<section title="Items beyond the scope of the LMAP Protocol Model">
<t>There are several potential interactions between LMAP elements that
are out of scope of definition by the LMAP WG:</t>
<t><list style="numbers">
<t>It does not define a coordination process between MAs. Whilst a
measurement system may define coordinated Measurement Schedules
across its various MAs, there is no direct coordination between
MAs.</t>
<t>It does not define interactions between the Collector and
Controller. It is quite likely that there will be such
interactions, optionally intermediated by the data analysis tools.
For example, if there is an "interesting" Measurement Result then
the measurement system may want to trigger extra Measurement Tasks
that explore the potential cause in more detail; or if the
Collector unexpectedly does not hear from a MA, then the
measurement system may want to trigger the Controller to send a
fresh Instruction Message to the MA.</t>
<t>It does not define coordination between different measurement
systems. For example, it does not define the interaction of a MA
in one measurement system with a Controller or Collector in a
different measurement system. Whilst it is likely that the Control
and Report Protocols could be re-used or adapted for this
scenario, any form of coordination between different organisations
involves difficult commercial and technical issues and so, given
the novelty of large-scale measurement efforts, any form of
inter-organisation coordination is outside the scope of the LMAP
WG. Note that a single MA is instructed by a single Controller and
is only in one measurement system.<list style="symbols">
<t>An interesting scenario is where a home contains two
independent MAs, for example one controlled by a regulator and
one controlled by an ISP. Then the Active Measurement Traffic
of one MA is treated by the other MA just like any other
end-user traffic.</t>
</list></t>
<t>It does not consider how to prevent a malicious party "gaming
the system". For example, where a regulator is running a
measurement system in order to benchmark operators, a malicious
operator could try to identify the broadband lines that the
regulator was measuring and prioritise that traffic. It is assumed
this is a policy issue and would be dealt with through a code of
conduct for instance.</t>
<t>It does not define how to analyse Measurement Results,
including how to interpret missing Results.</t>
<t>It does not specifically define a end-user-controlled
measurement system, see sub-section 5.6.1.</t>
</list></t>
<section title="End-user-controlled measurement system">
<t>The WG concentrates on the cases where an ISP or a regulator runs
the measurement system. However, we expect that LMAP functionality
will also be used in the context of an end-user-controlled
measurement system. There are at least two ways this could happen
(they have various pros and cons):</t>
<t><list style="numbers">
<t>an end-user could somehow request the ISP- (or regulator-)
run measurement system to test his/her line. The ISP (or
regulator) Controller would then send an Instruction to the MA
in the usual LMAP way. Note that a user can’t directly
initiate a Measurement Task on an ISP- (or regulator-)
controlled MA.</t>
<t>an end-user could deploy their own measurement system, with
their own MA, Controller and Collector. For example, the user
could implement all three functions onto the same end-user-owned
end device, perhaps by downloading the functions from the ISP or
regulator. Then the LMAP Control and Report Protocols do not
need to be used, but using LMAP's Information Model would still
be beneficial. The Measurement Peer (or other MA involved in the
Measurement Task) could be in the home gateway or outside the
home network; in the latter case the Measurement Peer is highly
likely to be run by a different organisation, which raises extra
privacy considerations.</t>
</list></t>
<t>In both cases there will be some way for the end-user to initiate
the Measurement Task(s). The mechanism is out-of-scope of the LMAP
WG, but could include the user clicking a button on a GUI or sending
a text message. Presumably the user will also be able to see the
Measurement Results, perhaps summarised on a webpage. It is
suggested that these interfaces conform to the LMAP guidance on
privacy in Section 8.</t>
<t/>
</section>
</section>
</section>
<section title="Deployment considerations">
<t>The Appendix has some examples of possible deployment arrangements of
Measurement Agents and Peers.</t>
<section title="Controller and the measurement system">
<t>The Controller should understand both the MA's LMAP Capabilities
(for instance what Measurement Methods it can perform) and about the
MA's other capabilities like processing power and memory. This allows
the Controller to make sure that the Measurement Schedule of
Measurement Tasks and the Reporting Schedule are sensible for each MA
that it Instructs.</t>
<t>An Instruction is likely to include several Measurement Tasks.
Typically these run at different times, but it is also possible for
them to run at the same time. Some Tasks may be compatible, in that
they do not affect each other's Results, whilst with others great care
would need to be taken.</t>
<t>The Controller should ensure that the Active Measurement Tasks do
not have an adverse effect on the end user. Typically Tasks,
especially those that generate a substantial amount of traffic, will
include a pre-check that the user isn’t already sending traffic
(Section 5.3). Another consideration is whether Active Measurement
Traffic will impact a Subscriber's bill or traffic cap; if it will,
then the measurement system may need to compensate the Subscriber, for
instance.</t>
<t>The different elements of the Instruction can be updated
independently. For example, the Measurement Tasks could be configured
with different Input Parameters whilst keeping the same Measurement
Schedule. In general this should not create any issues, since
Measurement Methods should be defined so their fundamental nature does
not change for a new value of Input Parameter. There could be a
problem if, for example, a Measurement Task involving a 1kB file
upload could be changed into a 1GB file upload.</t>
<t>A measurement system may have multiple Controllers (but note the
overriding principle that a single MA is instructed by a single
Controller at any point in time (Section 4.2)). For example, there
could be different Controllers for different types of MA (home
gateways, tablets) or locations (Ipswich, Edinburgh), for load
balancing or to cope with failure of one Controller.</t>
<t>The measurement system also needs to consider carefully how to
interpret missing Results; for example, if the missing Results are
ignored and the lack of a Report is caused by its broadband being
broken, then the estimate of overall performance, averaged across all
MAs, would be too optimistic.</t>
</section>
<section title="Measurement Agent">
<t>The Measurement Agent could take a number of forms: a dedicated
probe, software on a PC, embedded into an appliance, or even embedded
into a gateway. A single site (home, branch office etc.) that is
participating in a measurement could make use of one or multiple
Measurement Agents or Measurement Peers in a single measurement.</t>
<t>The Measurement Agent could be deployed in a variety of locations.
Not all deployment locations are available to every kind of
Measurement Agent. There are also a variety of limitations and
trade-offs depending on the final placement. The next sections outline
some of the locations a Measurement Agent may be deployed. This is not
an exhaustive list and combinations may also apply.</t>
<t/>
<section title="Measurement Agent on a networked device">
<t>A MA may be embedded on a device that is directly connected to
the network, such as a MA on a smartphone.</t>
</section>
<section title="Measurement Agent embedded in site gateway">
<t>A Measurement Agent embedded with the site gateway, for example a
home router or the edge router of a branch office in a managed
service environment, is one of better places the Measurement Agent
could be deployed. All site-to-ISP traffic would traverse through
the gateway and passive measurements could easily be performed.
Similarly, due to this user traffic visibility, an Active
Measurement Task could be rescheduled so as not to compete with user
traffic. Generally NAT and firewall services are built into the
gateway, allowing the Measurement Agent the option to offer its
Controller-facing management interface outside of the NAT/firewall.
This placement of the management interface allows the Controller to
unilaterally contact the Measurement Agent for instructions.
However, if the site gateway is owned and operated by the service
provider, the Measurement Agent will generally not be directly
available for over the top providers, the regulator, end users or
enterprises.</t>
<t/>
</section>
<section title="Measurement Agent embedded behind site NAT /Firewall">
<t>The Measurement Agent could also be embedded behind a NAT, a
firewall, or both. In this case the Controller may not be able to
unilaterally contact the Measurement Agent unless either static port
forwarding configuration or firewall pin holing is configured. For
the former, protocols such as PCP <xref target="RFC6887"/>, TR-069
<xref target="TR-069"/>or UPnP <xref target="UPnP"/>could be used.
For the latter, the Measurement Agent could send keepalives towards
the Controller to prop open the firewall (and perhaps use these also
as a network reachability test).</t>
</section>
<section title="Multi-homed Measurement Agent">
<t>If the device with the Measurement Agent is single homed then
there is no confusion about what interface to measure. Similarly, if
the MA is at the gateway and the gateway only has a single WAN-side
and a single LAN-side interface, there is little confusion - for an
Active Measurement Task, the location of the other MA or Measurement
Peer determines whether the WAN or LAN is measured.</t>
<t>However, the device with the Measurement Agent may be
multi-homed. For example, a home or campus may be connected to
multiple broadband ISPs, such as a wired and wireless broadband
provider, perhaps for redundancy or load- sharing. It may also be
helpful to think of dual stack IPv4 and IPv6 broadband devices as
multi-homed. More generally, Section 3.2 of <xref
target="I-D.ietf-homenet-arch"/> describes dual-stack and
multi-homing topologies that might be encountered in a home network,
<xref target="RFC6419"/> provides the current practices of
multi-interfaces hosts, and the Multiple Interfaces (mif) working
group covers cases where hosts are either directly attached to
multiple networks (physical or virtual) or indirectly (multiple
default routers, etc.). In these cases, there needs to be clarity on
which network connectivity option is being measured.</t>
<t>One possibility is to have a Measurement Agent per interface.
Then the Controller's choice of MA determines which interface is
measured. However, if a MA can measure any of the interfaces, then
the Controller defines in the Instruction which interface the MA
should use for a Measurement Task; if the choice of interface is not
defined then the MA uses the default one. Explicit definition is
preferred if the measurement system wants to measure the performance
of a particular network, whereas using the default is better if the
measurement system wants to include the impact of the MA's interface
selection algorithm. In any case, the Measurement Result should
include the network that was measured.</t>
<t/>
</section>
</section>
<section title="Measurement Peer">
<t>A Measurement Peer participates in Active Measurement Tasks. It may
have specific functionality to enable it to participate in a
particular Measurement Method. On the other hand, other Measurement
Methods may require no special functionality, for example if the
Measurement Agent sends a ping to example.com then the server at
example.com plays the role of a Measurement Peer.</t>
<t>A device may participate in some Measurement Tasks as a Measurement
Agent and in others as a Measurement Peer.</t>
<t>Measurement schedules should account for limited resources in a
Measurement Peer when instructing a MA to execute measurements with a
Measurement Peer. In some measurement protocols, such as <xref
target="RFC4656"/> and <xref target="RFC5357"/>, the Measurement Peer
can reject a measurement session or refuse a control connection prior
to setting-up a measurement session and so protect itself from
resource exhaustion. This is a valuable capability because the MP may
be used by more than one organisation.</t>
</section>
</section>
<section title="Security considerations">
<t/>
<t>The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s) and other actors who
could be impacted by a compromised measurement deployment. The
measurement system must secure the various components of the system from
unauthorised access or corruption. Much of the general advice contained
in section 6 of <xref target="RFC4656"/> is applicable here.</t>
<t>We assume that each Measurement Agent (MA) will receive its
Instructions from a single organisation, which operates the Controller.
These Instructions must be authenticated (to ensure that they come from
the trusted Controller), checked for integrity (to ensure no-one has
tampered with them) and not vulnerable to replay attacks. If a malicious
party can gain control of the MA they can use it to launch DoS attacks
at targets, reduce the end user's quality of experience and corrupt the
Measurement Results that are reported to the Collector. By altering the
Measurement Tasks and/or the address that Results are reported to, they
can also compromise the confidentiality of the network user and the MA
environment (such as information about the location of devices or their
traffic).</t>
<t>The process to upgrade the firmware in an MA is out-of-scope for this
phase of LMAP development, similar to the protocol to bootstrap the MAs
(as specified in the charter). However, systems which provide remote
upgrade must secure authorised access and integrity of the process.</t>
<t>Reporting by the MA must also be secured to maintain confidentiality.
The results must be encrypted such that only the authorised Collector
can decrypt the results to prevent the leakage of confidential or
private information. In addition it must be authenticated that the
results have come from the expected MA and that they have not been
tampered with. It must not be possible to fool a MA into injecting
falsified data into the measurement platform or to corrupt the results
of a real MA. The results must also be held and processed securely after
collection and analysis. See section 8.5.2 below for additional
considerations on stored data compromise, and section 8.6 on potential
mitigations for compromise.</t>
<t>Since Collectors will be contacted repeatedly by MAs using the
Collection Protocol to convey their recent results, a successful attack
to exhaust the communication resources would prevent a critical
operation: reporting. Therefore, all LMAP Collectors should implement
technical mechanisms to:</t>
<t><list style="symbols">
<t>limit the number of reporting connections from a single MA
(simultaneous, and connections per unit time).</t>
<t>limit the transmission rate from a single MA.</t>
<t>limit the memory/storage consumed by a single MA's reports.</t>
<t>efficiently reject reporting connections from unknown
sources.</t>
<t>separate resources if multiple authentication strengths are used,
where the resources should be separated according to each class of
strength.</t>
<t>limit iteration counters to generate keys with both a lower and
upper limit, to prevent an attacking system from requesting the
maximum and causing the Controller to stall on the process (see
section 6 of <xref target="RFC5357"/>).</t>
</list>Many of the above considerations are applicable to Controllers
using a "push" model, where the MA must contact the Controller because
NAT or other network aspect prevents Controllers from contacting MAs
directly.</t>
<t>Availability should also be considered. While the loss of some MAs
may not be considered critical, the unavailability of the Collector
could mean that valuable business data or data critical to a regulatory
process is lost. Similarly, the unavailability of a Controller could
mean that the MAs do not operate a correct Measurement Schedule.</t>
<t>A malicious party could "game the system". For example, where a
regulator is running a measurement system in order to benchmark
operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. This potential
issue is currently handled by a code of conduct. It is outside the scope
of the LMAP WG to consider the issue.</t>
<t/>
</section>
<section title="Privacy Considerations for LMAP">
<t>The LMAP Working Group will consider privacy as a core requirement
and will ensure that by default the Control and Report Protocols operate
in a privacy-sensitive manner and that privacy features are
well-defined.</t>
<t>This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the timely publication of <xref
target="RFC6973"/>. Privacy and security (Section 7) are related. In
some jurisdictions privacy is called data protection.</t>
<t>We begin with a set of assumptions related to protecting the
sensitive information of individuals and organisations participating in
LMAP-orchestrated measurement and data collection.</t>
<section title="Categories of Entities with Information of Interest">
<t>LMAP protocols need to protect the sensitive information of the
following entities, including individuals and organisations who
participate in measurement and collection of results.<list
style="symbols">
<t>Individual Internet users: Persons who utilise Internet access
services for communications tasks, according to the terms of
service of a service agreement. Such persons may be a service
Subscriber, or have been given permission by the Subscriber to use
the service.</t>
<t>Internet service providers: Organisations who offer Internet
access service subscriptions, and thus have access to sensitive
information of individuals who choose to use the service. These
organisations desire to protect their Subscribers and their own
sensitive information which may be stored in the process of
performing Measurement Tasks and collecting and Results.</t>
<t>Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive
information.</t>
<t>Other LMAP system operators: Organisations who operate
measurement systems or participate in measurements in some
way.</t>
</list></t>
<t>Although privacy is a protection extended to individuals, we
include discussion of ISPs and other LMAP system operators in this
section. These organisations have sensitive information involved in
the LMAP system, and many of the same dangers and mitigations are
applicable. Further, the ISPs store information on their Subscribers
beyond that used in the LMAP system (for instance billing
information), and there should be a benefit in considering all the
needs and potential solutions coherently.</t>
</section>
<section title="Examples of Sensitive Information">
<t>This section gives examples of sensitive information which may be
measured or stored in a measurement system, and which is to be kept
private by default in the LMAP core protocols.</t>
<t>Examples of Subscriber or authorised Internet user sensitive
information:</t>
<t><list style="symbols">
<t>Sub-IP layer addresses and names (MAC address, base station ID,
SSID)</t>
<t>IP address in use</t>
<t>Personal Identification (real name)</t>
<t>Location (street address, city)</t>
<t>Subscribed service parameters</t>
<t>Contents of traffic (activity, DNS queries, destinations,
equipment types, account info for other services, etc.)</t>
<t>Status as a study volunteer and Schedule of (Active)
Measurement Tasks</t>
</list></t>
<t>Examples of Internet Service Provider sensitive information:<list
style="symbols">
<t>Measurement device identification (equipment ID and IP
address)</t>
<t>Measurement Instructions (choice of measurements)</t>
<t>Measurement Results (some may be shared, others may be
private)</t>
<t>Measurement Schedule (exact times)</t>
<t>Network topology (locations, connectivity, redundancy)</t>
<t>Subscriber billing information, and any of the above Subscriber
information known to the provider.</t>
<t>Authentication credentials (such as certificates)</t>
</list></t>
<t>Other organisations will have some combination of the lists above.
The LMAP system would not typically expose all of the information
above, but could expose a combination of items which could be
correlated with other pieces collected by an attacker (as discussed in
the section on Threats below).</t>
</section>
<section title="Key Distinction Between Active and Passive Measurement Tasks">
<t>Passive and Active Measurement Tasks raise different privacy
issues.</t>
<t>Passive Measurement Tasks are conducted on a user's traffic, such
that sensitive information is present and stored in the measurement
system (however briefly this storage may be). We note that some
authorities make a distinction on time of storage, and information
that is kept only temporarily to perform a communications function is
not subject to regulation (for example, active queue management, deep
packet inspection). Passive Measurement Tasks could reveal all the
websites a Subscriber visits and the applications and/or services they
use.</t>
<t>Active Measurement Tasks are conducted on traffic which is created
specifically for the purpose. Even if a user host generates Active
Measurement Traffic, there is limited sensitive information about the
Subscriber present and stored in the measurement system compared to
the passive case, as follows:<list style="symbols">
<t>IP address in use (and possibly sub-IP addresses and names)</t>
<t>Status as a study volunteer and Schedule of Active Measurement
Tasks</t>
</list></t>
<t>On the other hand, for a service provider the sensitive information
like Measurement Results is the same for Passive and Active
Measurement Tasks.</t>
<t>From the Subscriber perspective, both Active and Passive
Measurement Tasks potentially expose the description of Internet
access service and specific service parameters, such as subscribed
rate and type of access.</t>
</section>
<section title="Privacy analysis of the Communications Models">
<t>This section examines each of the protocol exchanges described at a
high level in Section 5 and some example Measurement Tasks, and
identifies specific sensitive information which must be secured during
communication for each case. With the protocol-related sensitive
information identified, we can better consider the threats described
in the following section.</t>
<t>From the privacy perspective, all entities participating in LMAP
protocols can be considered "observers" according to the definition in
<xref target="RFC6973"/>. Their stored information potentially poses a
threat to privacy, especially if one or more of these functional
entities has been compromised. Likewise, all devices on the paths used
for control, reporting, and measurement are also observers.</t>
<t/>
<section title="MA Bootstrapping">
<t>Section 5.1 provides the communication model for the
Bootstrapping process.</t>
<t>Although the specification of mechanisms for Bootstrapping the MA
are beyond the LMAP scope, designers should recognize that the
Bootstrapping process is extremely powerful and could cause an MA to
join a new or different LMAP system with a different Controller and
Collector, or simply install new Measurement Methods (for example to
passively record DNS queries). A Bootstrap attack could result in a
breach of the LMAP system with significant sensitive information
exposure depending on the capabilities of the MA, so sufficient
security protections are warranted.</t>
<t>The Bootstrapping process provides sensitive information about
the LMAP system and the organisation that operates it, such as <list
style="symbols">
<t>Initial Controller IP address or FQDN</t>
<t>Assigned Controller IP address or FQDN</t>
<t>Security certificates and credentials</t>
</list></t>
<t>During the Bootstrap process, the MA receives its MA-ID which is
a persistent pseudonym for the Subscriber in the case that the MA is
located at a service demarcation point. Thus, the MA-ID is
considered sensitive information, because it could provide the link
between Subscriber identification and Measurements Results.</t>
<t>Also, the Bootstrap process could assign a Group-ID to the MA.
The specific definition of information represented in a Group-ID is
to be determined, but several examples are envisaged including use
as a pseudonym for a set of Subscribers, a class of service, an
access technology, or other important categories. Assignment of a
Group-ID enables anonymisation sets to be formed on the basis of
service type/grade/rates. Thus, the mapping between Group-ID and
MA-ID is considered sensitive information.</t>
</section>
<section title="Controller <-> Measurement Agent">
<t>The high-level communication model for interactions between the
LMAP Controller and Measurement Agent is illustrated in Section 5.2.
The primary purpose of this exchange is to authenticate and task a
Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously.</t>
<t>Primarily IP addresses and pseudonyms (MA-ID, Group-ID) are
exchanged with a capability request, then measurement-related
information of interest such as the parameters, schedule, metrics,
and IP addresses of measurement devices. Thus, the measurement
Instruction contains sensitive information which must be secured.
For example, the fact that an ISP is running additional measurements
beyond the set reported externally is sensitive information, as are
the additional Measurements Tasks themselves. The Measurement
Schedule is also sensitive, because an attacker intending to bias
the results without being detected can use this information to great
advantage.</t>
<t>An organisation operating the Controller having no service
relationship with a user who hosts the Measurement Agent *could*
gain real-name mapping to a public IP address through user
participation in an LMAP system (this applies to the Measurement
Collection protocol, as well).</t>
</section>
<section title="Collector <-> Measurement Agent">
<t>The high-level communication model for interactions between the
Measurement Agent and Collector is illustrated in Section 5.4. The
primary purpose of this exchange is to authenticate and collect
Measurement Results from a MA, which the MA has measured
autonomously and stored.</t>
<t>The Measurement Results are the additional sensitive information
included in the Collector-MA exchange. Organisations collecting LMAP
measurements have the responsibility for data control. Thus, the
Results and other information communicated in the Collector protocol
must be secured.</t>
</section>
<section title="Measurement Peer <-> Measurement Agent ">
<t>Although the specification of the mechanisms for an Active
Measurement Task is beyond the scope of LMAP, it raises potential
privacy issues. The high-level communications model below
illustrates the various exchanges to execute Active Measurement
Tasks and store the Results.</t>
<t>We note the potential for additional observers in the figures
below by indicating the possible presence of a NAT, which has
additional significance to the protocols and direction of
initiation.</t>
<t>The various messages are optional, depending on the nature of the
Active Measurement Task. It may involve sending Active Measurement
Traffic from the Measurement Peer to MA, MA to Measurement Peer, or
both. <figure>
<artwork><![CDATA[ _________________ _________________
| | | |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent|
|_________________| |_________________|
<- (Key Negotiation &
Encryption Setup)
(Encrypted Channel ->
Established)
(Announce capabilities ->
& status)
<- (Select capabilities)
ACK ->
<- (Measurement Request
(MA+MP IPAddrs,set of
Metrics, Schedule))
ACK ->
Active Measurement Traffic <> Active Measurement Traffic
(may/may not be encrypted) (may/may not be encrypted)
<- (Stop Measurement Task)
Measurement Results ->
(if applicable)
<- ACK, Close
]]></artwork>
</figure>This exchange primarily exposes the IP addresses of
measurement devices and the inference of measurement participation
from such traffic. There may be sensitive information on key points
in a service provider's network included. There may also be access
to measurement-related information of interest such as the Metrics,
Schedule, and intermediate results carried in the Active Measurement
Traffic (usually a set of timestamps).</t>
<t>If the Active Measurement Traffic is unencrypted, as found in
many systems today, then both timing and limited results are open to
on-path observers.</t>
</section>
<section title="Passive Measurement Agent ">
<t>Although the specification of the mechanisms for a Passive
Measurement Task is beyond the scope of LMAP, it raises potential
privacy issues.</t>
<t>The high-level communications model below illustrates the
collection of user information of interest with the Measurement
Agent performing the monitoring and storage of the Results. This
particular exchange is for passive measurement of DNS Response Time,
which most frequently uses UDP transport.</t>
<t><figure>
<artwork><![CDATA[ _________________ ____________
| | | |
| DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________|
______|_______
| |
| Measurement |
| Agent |
|______________|
<- Name Resolution Req
(MA+MP IPAddrs,
Desired Domain Name)
Return Record ->
]]></artwork>
</figure></t>
<t>This exchange primarily exposes the IP addresses of measurement
devices and the intent to communicate with or access the services of
"Domain Name". There may be information on key points in a service
provider's network, such as the address of one of its DNS servers.
The Measurement Agent may be embedded in the user host, or it may be
located in another device capable of observing user traffic.</t>
<t>In principle, any of the user sensitive information of interest
(listed above) can be collected and stored in the passive monitoring
scenario and so must be secured.</t>
<t>It would also be possible for a Measurement Agent to source the
DNS query itself. But then, as with any active measurement task,
there are few privacy concerns.</t>
<t/>
</section>
<section title="Storage and Reporting of Measurement Results">
<t>Although the mechanisms for communicating results (beyond the
initial Collector) are beyond the LMAP scope, there are potential
privacy issues related to a single organisation's storage and
reporting of Measurement Results. Both storage and reporting
functions can help to preserve privacy by implementing the
mitigations described below.</t>
</section>
</section>
<section title="Threats">
<t>This section indicates how each of the threats described in <xref
target="RFC6973"/> apply to the LMAP entities and their communication
and storage of "information of interest".</t>
<section title="Surveillance">
<t>Section 5.1.1 of <xref target="RFC6973"/> describes Surveillance
as the "observation or monitoring of and individual's communications
or activities." Hence all Passive Measurement Tasks are a form of
surveillance, with inherent risks.</t>
<t>Active Measurement Methods which avoid periods of user
transmission indirectly produce a record of times when a subscriber
or authorised user has used their network access service.</t>
<t>Active Measurement Methods may also utilise and store a
Subscriber's currently assigned IP address when conducting
measurements that are relevant to a specific Subscriber. Since the
Measurement Results are time-stamped, they could provide a record of
IP address assignments over time.</t>
<t>Either of the above pieces of information could be useful in
correlation and identification, described below.</t>
</section>
<section title="Stored Data Compromise">
<t>Section 5.1.2 of <xref target="RFC6973"/> describes Stored Data
Compromise as resulting from inadequate measures to secure stored
data from unauthorised or inappropriate access. For LMAP systems
this includes deleting or modifying collected measurement records,
as well as data theft.</t>
<t>The primary LMAP entity subject to compromise is the repository,
which stores the Measurement Results; extensive security and privacy
threat mitigations are warranted. The Collector and MA also store
sensitive information temporarily, and need protection. The
communications between the local storage of the Collector and the
repository is beyond the scope of the LMAP work at this time, though
this communications channel will certainly need protection as well
as the mass storage itself.</t>
<t>The LMAP Controller may have direct access to storage of
Subscriber information (location, billing, service parameters, etc.)
and other information which the controlling organisation considers
private, and again needs protection.</t>
<t>Note that there is tension between the desire to store all raw
results in the LMAP Collector (for reproduceability and custom
analysis), and the need to protect the privacy of measurement
participants. Many of the compromise mitigations described in
section 8.6 below are most efficient when deployed at the MA,
therefore minimizing the risks with stored results.</t>
</section>
<section title="Correlation and Identification">
<t>Sections 5.2.1 and 5.2.2 of <xref target="RFC6973"/> describes
Correlation as combining various pieces of information to obtain
desired characteristics of an individual, and Identification as
using this process to infer identity.</t>
<t>The main risk is that the LMAP system could unwittingly provide a
key piece of the correlation chain, starting with an unknown
Subscriber's IP address and another piece of information. For
example, a Subscriber utilised Internet access from 2000 to 2310
UTC, because the Active Measurement Tasks were deferred, or sent a
name resolution for www.example.com at 2300 UTC.</t>
</section>
<section title="Secondary Use and Disclosure">
<t>Sections 5.2.3 and 5.2.4 of <xref target="RFC6973"/> describes
Secondary Use as unauthorised utilisation of an individual's
information for a purpose the individual did not intend, and
Disclosure is when such information is revealed causing other's
notions of the individual to change, or confidentiality to be
violated.</t>
<t>Passive Measurement Tasks are a form of Secondary Use, and the
Subscribers' permission and the measured ISP's permission should be
obtained beforehand. Although user traffic is only indirectly
involved, the Measurement Results from Active Measurement Tasks
provide some limited information about the Subscriber/ISP and could
be used for Secondary Uses. For example, the use of the Results in
unauthorised marketing campaigns would qualify as Secondary Use.</t>
</section>
</section>
<section title="Mitigations">
<t>This section examines the mitigations listed in section 6 of <xref
target="RFC6973"/> and their applicability to LMAP systems. Note that
each section in <xref target="RFC6973"/> identifies the threat
categories that each technique mitigates.</t>
<section title="Data Minimisation">
<t>Section 6.1 of <xref target="RFC6973"/> encourages collecting and
storing the minimal information needed to perform a task.</t>
<t>There are two levels of information needed for LMAP results to be
useful for a specific task: troubleshooting and general results
reporting.</t>
<t>For general results, the results can be aggregated into large
categories (the month of March, all subscribers West of the
Mississippi River). In this case, all individual identifications
(including IP address of the MA) can be excluded, and only relevant
results are provided. However, this implies a filtering process to
reduce the information fields, because greater detail was needed to
conduct the Measurement Tasks in the first place.</t>
<t>For troubleshooting, so that a network operator or end user can
identify a performance issue or failure, potentially all the network
information (IP addresses, equipment IDs, location), Measurement
Schedule, service configuration, Measurement Results, and other
information may assist in the process. This includes the information
needed to conduct the Measurements Tasks, and represents a need
where the maximum relevant information is desirable, therefore the
greatest protections should be applied.</t>
<t>We note that a user may give temporary permission for Passive
Measurement Tasks to enable detailed troubleshooting, but withhold
permission for them in general. Here the greatest breadth of
sensitive information is potentially exposed, and the maximum
privacy protection must be provided.</t>
<t>For MAs with access to the sensitive information of users (e.g.,
within a home or a personal host/handset), it is desirable for the
results collection to minimise the data reported, but also to
balance this desire with the needs of troubleshooting when a service
subscription exists between the user and organisation operating the
measurements.</t>
<t>For passive measurements where the MA reports flow information to
the Collector, the Collector may perform pre-storage minimisation
and other mitigations (below) to help preserve privacy.</t>
</section>
<section title="Anonymity">
<t>Section 6.1.1 of <xref target="RFC6973"/> describes a way in
which anonymity is achieved: "there must exist a set of individuals
that appear to have the same attributes as the individual", defined
as an "anonymity set".</t>
<t>Experimental methods for anonymisation of user identifiable data
applicable to Passive Measurement Methods have been identified in
<xref target="RFC6235"/>. However, the findings of several of the
same authors is that "there is increasing evidence that
anonymisation applied to network trace or flow data on its own is
insufficient for many data protection applications as in <xref
target="Bur10"/>."</t>
<t>Essentially, the details of passive measurement tasks can only be
accessed by closed organisations, and unknown injection attacks are
always less expensive than the protections from them. However, some
forms of summary may protect the user's sensitive information
sufficiently well, and so each Metric must be evaluated in the light
of privacy.</t>
<t>The methods in <xref target="RFC6235"/> could be applied more
successfully in Active Measurement Methods, where there are
protections from injection attack. The successful attack would
require breaking the integrity protection of the LMAP Reporting
Protocol and injecting Measurement Results (known fingerprint, see
section 3.2 of <xref target="RFC6973"/>) for inclusion with the
shared and anonymised results, then fingerprinting those records to
ascertain the anonymisation process.</t>
<t>Beside anonymisation of measured Results for a specific user or
provider, the value of sensitive information can be further diluted
by summarising the results over many individuals or areas served by
the provider. There is an opportunity enabled by forming anonymity
sets <xref target="RFC6973"/> based on the reference path
measurement points in <xref target="I-D.ietf-ippm-lmap-path"/>. For
example, all measurements from the Subscriber device can be
identified as "mp000", instead of using the IP address or other
device information. The same anonymisation applies to the Internet
Service Provider, where their Internet gateway would be referred to
as "mp190".</t>
</section>
<section title="Pseudonymity">
<t>Section 6.1.2 of <xref target="RFC6973"/> indicates that
pseudonyms, or nicknames, are a possible mitigation to revealing
one's true identity, since there is no requirement to use real names
in almost all protocols.</t>
<t>A pseudonym for a measurement device's IP address could be an
LMAP-unique equipment ID. However, this would likely be a permanent
handle for the device, and long-term use weakens a pseudonym's power
to obscure identity.</t>
</section>
<section title="Other Mitigations">
<t>Data can be de-personalised by blurring it, for example by adding
synthetic data, data-swapping, or perturbing the values in ways that
can be reversed or corrected.</t>
<t>Sections 6.2 and 6.3 of <xref target="RFC6973"/> describe User
Participation and Security, respectively.</t>
<t>Where LMAP measurements involve devices on the Subscriber's
premises or Subscriber-owned equipment, it is essential to secure
the Subscriber's permission with regard to the specific information
that will be collected. The informed consent of the Subscriber (and,
if different, the end user) is needed, including the specific
purpose of the measurements. The approval process could involve
showing the Subscriber their measured information and results before
instituting periodic collection, or before all instances of
collection, with the option to cancel collection temporarily or
permanently.</t>
<t>It should also be clear who is legally responsible for data
protection (privacy); in some jurisdictions this role is called the
'data controller'. It is good practice to time limit the storage of
personal information.</t>
<t>Although the details of verification would be impenetrable to
most subscribers, the MA could be architected as an "app" with open
source-code, pre-download and embedded terms of use and agreement on
measurements, and protection from code modifications usually
provided by the app-stores. Further, the app itself could provide
data reduction and temporary storage mitigations as appropriate and
certified through code review.</t>
<t>LMAP protocols, devices, and the information they store clearly
need to be secure from unauthorised access. This is the hand-off
between privacy and security considerations (Section 7). The Data
Controller has the (legal) responsibility to maintain data
protections described in the Subscriber's agreement and agreements
with other organisations.</t>
<t/>
</section>
</section>
</section>
<section title="IANA Considerations">
<t>There are no IANA considerations in this memo.</t>
</section>
<section title="Appendix: Deployment examples">
<t>In this section we describe some deployment scenarios that are
feasible within the LMAP framework defined in this document.</t>
<t>The LMAP framework defines two types of components involved in the
actual measurement task, namely the Measurement Agent (MA) and the
Measurement Peer (MP). The fundamental difference conveyed in the
definition of these terms is that the MA has a interface with the
Controller/Collector while the MP does not. The MP is broadly defined as
a function that assists the MA in the Measurement Task but has no
interface with the Controller/Collector. There are many elements in the
network that can fall into this broad definition of MP. We believe that
the MP terminology is useful to allow us to refer an element of the
network that plays a role that is conceptually important to understand
and describe the measurement task being performed. We next illustrate
these concepts by describing several deployment scenarios.</t>
<t>A very simple example of a Measurement Peer is a web server that the
MA is downloading a web page from (such as www.example.com) in order to
perform a speed test. The web server is an MP and from its perspective,
the MA is just another customer; the MP doesn't have a specific function
for assisting measurements. This is described in the figure A1.<figure>
<artwork><![CDATA[ ^
+----------------+ Web Traffic +----------------+ IPPM
| Web Client |<------------>| MP: Web Server | Scope
| | +----------------+ |
...|................|....................................V...
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ V
Figure A1: Schematic of LMAP-based measurement system,
with Web server as Measurement Peer
]]></artwork>
</figure></t>
<t>Another case that is slightly different than this would be the one of
a ping responder. This is also an MP, with a helper function, the ping
server, which is specially deployed to assist the MAs that perform
pings. It only has the data plane interface. This example is described
in Section 2.</t>
<t>A third related example would be the case of a traceroute like
measurement. In this case, for each packet sent, the router where the
TTL expires is performing the MP function. So for a given Measurement
Task, there is one MA involved and several MPs, one per hop.</t>
<t>In figure A2 we depict the case of an OWAMP responder acting as an
MP. In this case, the helper function in addition reports results back
to the MA. So it has both a data plane and control interface with the
MA.</t>
<t/>
<figure>
<artwork><![CDATA[ +----------------+ OWAMP +----------------+ ^
| OWAMP |<--control--->| MP: | |
| control-client |>test-traffic>| OWAMP server & | IPPM
| fetch-client & |<----fetch----| session-rec'ver| Scope
| session-sender | | | |
| | +----------------+ |
...|................|....................................v...
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
IPPM
Figure A2: Schematic of LMAP-based measurement system,
with OWAMP server as Measurement Peer
]]></artwork>
</figure>
<t>However, it is also possible to use two Measurement Agents when
performing one way Measurement Tasks, as described in figure A3 below.
In this case, MA1 generates the traffic and MA2 receives the traffic and
send the reports to the Collector. Note that both MAs are instructed by
the Controller. MA1 receives an Instruction to send the traffic and MA2
receives an Instruction to measured the received traffic and send
Reports to the Collector.</t>
<t/>
<figure>
<artwork><![CDATA[ +----------------+ +----------------+ ^
| MA1 | | MA2 | IPPM
| iperf -u sender|-UDP traffic->| iperf -u recvr | Scope
| | | | v
...|................|..............|................|....v...
| LMAP interface | | LMAP interface | ^
+----------------+ +----------------+ |
^ ^ | |
Instruction | Instruction{Report} | | Report |
{task, | +-------------------+ | |
schedule} | | | |
| | v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
IPPM
Figure A3: Schematic of LMAP-based measurement system,
with two Measurement Agents cooperating to measure UDP traffic
]]></artwork>
</figure>
<t/>
<t>Next, we consider Passive Measurement Tasks. Traffic generated in one
point in the network flowing towards a given destination and the traffic
is passively observed in some point along the path. One way to implement
this is that the endpoints generating and receiving the traffic are not
instructed by the Controller; hence they are MPs. The MA is located
along the path with a passive monitor function that measures the
traffic. The MA is instructed by the Controller to monitor that
particular traffic and to send the Report to the Collector. It is
depicted in figure A4 below.</t>
<t/>
<figure>
<artwork><![CDATA[+-----+ +----------------+ +------+ ^
| MP | | Passive Monitor| | MP | IPPM
| |<--|----------------|---traffic--->| | Scope
+-----+ | | +------+ |
.......|................|.........................v...........
| LMAP interface | ^
+----------------+ |
^ | |
Instruction | | Report |
| +-----------------+ |
| | |
| v LMAP
+------------+ +------------+ Scope
| Controller | | Collector | |
+------------+ +------------+ v
Figure A4: Schematic of LMAP-based measurement system,
with a Measurement Agent passively monitoring traffic
]]></artwork>
</figure>
<t/>
<t>Finally, we should consider the case of a router or a switch along
the measurement path. This certainly performs an important role in the
measurement - if packets are not forwarded, the measurement task will
not work. Whilst it doesn't has an interface with the Controller or
Collector, and so fits into the definition of MP, usually it is not
particularly useful to highlight it as a MP.</t>
<t/>
</section>
<section title="Acknowledgments">
<t>This document is a merger of three individual drafts:
draft-eardley-lmap-terminology-02, draft-akhter-lmap-framework-00, and
draft-eardley-lmap-framework-02.</t>
<t>Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. Thanks to Charles Cook for a very detailed review of
-02.</t>
<t>Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dave Thorne, Frode Sørensen, Greg Mirsky,
Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit,
Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Michael
Bugenhagen, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller, Ted
Lemon, Timothy Carey, Vaibhav Bajpai, William Lupton.</t>
<t>Philip Eardley, Trevor Burbridge and Marcelo Bagnulo work in part on
the Leone research project, which receives funding from the European
Union Seventh Framework Programme [FP7/2007-2013] under grant agreement
number 317647.</t>
<t/>
<t/>
</section>
<section title="History">
<t>First WG version, copy of draft-folks-lmap-framework-00.</t>
<t/>
<section title="From -00 to -01">
<t><list style="symbols">
<t>new sub-section of possible use of Group-IDs for privacy</t>
<t>tweak to definition of Control protocol</t>
<t>fix typo in figure in S5.4</t>
</list></t>
</section>
<section title="From -01 to -02">
<t><list style="symbols">
<t>change to INFORMATIONAL track (previous version had typo'd
Standards track)</t>
<t>new definitions for Capabilities Information and Failure
Information</t>
<t>clarify that diagrams show LMAP-level information flows.
Underlying protocol could do other interactions, eg to get through
NAT or for Collector to pull a Report</t>
<t>add hint that after a re-boot should pause random time before
re-register (to avoid mass calling event)</t>
<t>delete the open issue "what happens if a Controller fails"
(normal methods can handle)</t>
<t>add some extra words about multiple Tasks in one Schedule</t>
<t>clarify that new Schedule replaces (rather than adds to) and
old one. Similarly for new configuration of Measurement Tasks or
Report Channels.</t>
<t>clarify suppression is temporary stop; send a new Schedule to
permanently stop Tasks</t>
<t>alter suppression so it is ACKed</t>
<t>add un-suppress message</t>
<t>expand the text on error reporting, to mention Reporting
failures (as well as failures to action or execute Measurement
Task & Schedule)</t>
<t>add some text about how to have Tasks running indefinitely</t>
<t>add that optionally a Report is not sent when there are no
Measurement Results</t>
<t>add that a Measurement Task may create more than one
Measurement Result</t>
<t>clarify /amend /expand that Reports include the "raw"
Measurement Results - any pre-processing is left for lmap2.0</t>
<t>add some cautionary words about what if the Collector
unexpectedly doesn't hear from a MA</t>
<t>add some extra words about the potential impact of Measurement
Tasks</t>
<t>clarified various aspects of the privacy section</t>
<t>updated references</t>
<t>minor tweaks</t>
</list></t>
</section>
<section title="From -02 to -03">
<t><list style="symbols">
<t>alignment with the Information Model <xref
target="I-D.burbridge-lmap-information-model"/> as this is agreed
as a WG document</t>
<t>One-off and periodic Measurement Schedules are kept separate,
so that they can be updated independently</t>
<t>Measurement Suppression in a separate sub-section. Can now
optionally include particular Measurement Tasks &/or Schedules
to suppress, and start/stop time</t>
<t>for clarity, concept of Channel split into Control, Report and
MA-to-Controller Channels</t>
<t>numerous editorial changes, mainly arising from a very detailed
review by Charles Cook</t>
<t/>
</list></t>
</section>
<section title="From -03 to -04">
<t><list style="symbols">
<t>updates following the WG Last Call, with the proposed consensus
on the various issues as detailed in
http://tools.ietf.org/agenda/89/slides/slides-89-lmap-2.pdf. In
particular:</t>
<t>tweaked definitions, especially of Measurement Agent and
Measurement Peer</t>
<t>Instruction - left to each implementation & deployment of
LMAP to decide on the granularity at which an Instruction Message
works</t>
<t>words added about overlapping Measurement Tasks (measurement
system can handle any way they choose; Report should mention if
the Task overlapped with another)</t>
<t>Suppression: no defined impact on Passive Measurement Task;
extra option to suppress on-going Active Measurement Tasks;
suppression doesn't go to Measurement Peer, since they don't
understand Instructions</t>
<t>new concept of Data Transfer Task (and therefore adjustment of
the Channel concept)</t>
<t>enhancement of Results with Subscriber's service parameters -
could be useful, don't define how but can be included in Report to
various other sections</t>
<t>various other smaller improvements, arising from the WGLC</t>
<t>Appendix added with examples of Measurement Agents and Peers in
various deployment scenarios. To help clarify what these terms
mean.</t>
<t/>
</list></t>
</section>
</section>
</middle>
<back>
<references title="Informative References">
<reference anchor="Bur10">
<front>
<title>The Role of Network Trace anonymisation Under Attack</title>
<author initials="M" surname="Burkhart">
<organization>Burkhart</organization>
</author>
<author initials="D" surname="Schatzmann">
<organization/>
</author>
<author initials="B" surname="Trammell">
<organization/>
</author>
<author initials="E" surname="Boschi">
<organization>ACM Computer Communications Review, vol. 40, no. 1,
pp. 6-11</organization>
</author>
<date month="January" year="2010"/>
</front>
</reference>
<reference anchor="Q1741">
<front>
<title>IMT-2000 references to Release 9 of GSM-evolved UMTS core
network</title>
<author fullname="ITU-T Recommendation" initials=""
surname="Q.1741.7">
<!---->
<organization abbrev="Boeing">Boeing Computer
Services</organization>
</author>
<date month="November" year="2011"/>
</front>
<seriesInfo name="" value="http://www.itu.int/rec/T-REC-Q.1741.7/en"/>
</reference>
<reference anchor="TR-069">
<front>
<title>CPE WAN Management Protocol</title>
<author fullname="Broadband Forum" initials="" surname="TR-069">
<!---->
<organization abbrev="Boeing">Boeing Computer
Services</organization>
</author>
<date month="November" year="2013"/>
</front>
<seriesInfo name=""
value="http://www.broadband-forum.org/technical/trlist.php"/>
</reference>
<reference anchor="UPnP">
<front>
<title>UPnP Device Architecture and UPnP Device Control Protocols
specifications</title>
<author fullname="UPnP Forum" initials="" surname="ISO/IEC 29341-x">
<!---->
<organization abbrev="Boeing">Boeing Computer
Services</organization>
</author>
<date month="" year="2011"/>
</front>
<seriesInfo name=""
value="http://upnp.org/sdcps-and-certification/standards/"/>
</reference>
<?rfc include='reference.RFC.1035'?>
<?rfc include='reference.RFC.4101'?>
<?rfc include='reference.RFC.4122'?>
<?rfc include='reference.RFC.5357'?>
<?rfc include='reference.I-D.ietf-lmap-use-cases'?>
<?rfc include='reference.I-D.manyfolks-ippm-metric-registry'?>
<?rfc include='reference.I-D.ietf-homenet-arch'?>
<?rfc include='reference.RFC.6419'?>
<?rfc include='reference.RFC.6887'?>
<?rfc include='reference.I-D.burbridge-lmap-information-model'?>
<?rfc include='reference.RFC.6235'?>
<?rfc include='reference.RFC.6973'?>
<?rfc include='reference.I-D.ietf-ippm-lmap-path'?>
<?rfc include='reference.RFC.4656'?>
<?rfc include='reference.RFC.5357'?>
<?rfc include='reference.RFC.3444'?>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 04:05:19 |