tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 7594

 
 
 

A Framework for Large-Scale Measurement of Broadband Performance (LMAP)

Part 3 of 3, p. 36 to 55
Prev RFC Part

 


prevText      Top      Up      ToC       Page 36 
7.  Security Considerations

   The security of the LMAP framework should protect the interests of
   the measurement operator(s), the network user(s), and other actors
   who could be impacted by a compromised measurement deployment.  The
   Measurement System must secure the various components of the system
   from unauthorised access or corruption.  Much of the general advice
   contained in Section 6 of [RFC4656] is applicable here.

   The process to upgrade the firmware in an MA is outside the scope of
   the initial LMAP work, just as is the protocol to Bootstrap the MAs.
   However, systems that provide remote upgrades must secure authorised
   access and integrity of the process.

   We assume that each Measurement Agent (MA) will receive its
   Instructions from a single organisation, which operates the
   Controller.  These Instructions must be authenticated (to ensure that
   they come from the trusted Controller), checked for integrity (to
   ensure no one has tampered with them), and not vulnerable to replay
   attacks.  If a malicious party can gain control of the MA, they can
   use it to launch denial-of-service (DoS) attacks at targets, create a
   platform for pervasive monitoring [RFC7258], reduce the end-user's
   quality of experience, and corrupt the Measurement Results that are
   reported to the Collector.  By altering the Measurement Tasks and/or
   the address that Results are reported to, they can also compromise

Top      Up      ToC       Page 37 
   the confidentiality of the network user and the MA environment (such
   as information about the location of devices or their traffic).  The
   Instruction Messages also need to be encrypted to maintain
   confidentiality, as the information might be useful to an attacker.

   Reporting by the MA must be encrypted to maintain confidentiality, so
   that only the authorised Collector can decrypt the results to prevent
   the leakage of confidential or private information.  Reporting must
   also be authenticated (to ensure that it comes from a trusted MA and
   that the MA reports to a genuine Collector) and not vulnerable to
   tampering (which can be ensured through integrity and replay checks).
   It must not be possible to fool an MA into injecting falsified data
   and the results must also be held and processed securely after
   collection and analysis.  See Section 8.5.2 for additional
   considerations on stored data compromise, and Section 8.6 on
   potential mitigations for compromise.

   Since Collectors will be contacted repeatedly by MAs using the Report
   Protocol to convey their recent results, a successful attack to
   exhaust the communication resources would prevent a critical
   operation: reporting.  Therefore, all LMAP Collectors should
   implement technical mechanisms to:

   o  limit the number of reporting connections from a single MA
      (simultaneous and established in some time period).

   o  limit the transmission rate from a single MA.

   o  limit the memory/storage consumed by a single MA's reports.

   o  efficiently reject reporting connections from unknown sources.

   o  separate resources if multiple authentication strengths are used,
      where the resources should be separated according to each class of
      strength.

   A corrupted MA could report falsified information to the Collector.
   Whether this can be effectively mitigated depends on the platform on
   which the MA is deployed.  However, where the MA is deployed on a
   customer-controlled device, then the reported data is to some degree
   inherently untrustworthy.  Further, a sophisticated party could
   distort some Measurement Methods, perhaps by dropping or delaying
   packets for example.  This suggests that the network operator should
   be cautious about relying on Measurement Results for action such as
   refunding fees if a service level agreement is not met.

   As part of the protocol design, it will be decided how LMAP operates
   over the underlying protocol (Section 5.5).  The choice raises

Top      Up      ToC       Page 38 
   various security issues, such as how to operate through a NAT and how
   to protect the Controller and Collector from DoS attacks.

   The security mechanisms described above may not be strictly necessary
   if the network's design ensures the LMAP components and their
   communications are already secured, for example potentially if they
   are all part of an ISP's dedicated management network.

   Finally, there are three other issues related to security: privacy
   (considered in Section 8), availability, and "gaming the system".
   While the loss of some MAs may not be considered critical, the
   unavailability of the Collector could mean that valuable business
   data or data critical to a regulatory process is lost.  Similarly,
   the unavailability of a Controller could mean that the MAs do not
   operate a correct Measurement Schedule.

   A malicious party could "game the system".  For example, where a
   regulator is running a Measurement System in order to benchmark
   operators, an operator could try to identify the broadband lines that
   the regulator was measuring and prioritise that traffic.  Normally,
   this potential issue is handled by a code of conduct.  It is outside
   the scope of the initial LMAP work to consider the issue.

8.  Privacy Considerations

   The LMAP work considers privacy a core requirement and will ensure
   that by default the Control and Report Protocols operate in a
   privacy-sensitive manner and that privacy features are well defined.

   This section provides a set of privacy considerations for LMAP.  This
   section benefits greatly from the publication of [RFC6973].  Privacy
   and security (Section 7) are related.  In some jurisdictions, privacy
   is called data protection.

   We begin with a set of assumptions related to protecting the
   sensitive information of individuals and organisations participating
   in LMAP-orchestrated measurement and data collection.

8.1.  Categories of Entities with Information of Interest

   LMAP protocols need to protect the sensitive information of the
   following entities, including individuals and organisations who
   participate in measurement and collection of results.

   o  Individual Internet users: Persons who utilise Internet access
      services for communications tasks, according to the terms of
      service of a service agreement.  Such persons may be a service

Top      Up      ToC       Page 39 
      Subscriber, or have been given permission by the Subscriber to use
      the service.

   o  Internet service providers: Organisations that offer Internet
      access service subscriptions, and thus have access to sensitive
      information of individuals who choose to use the service.  These
      organisations desire to protect their Subscribers and their own
      sensitive information, which may be stored in the process of
      performing Measurement Tasks and collecting Results.

   o  Regulators: Public authorities responsible for exercising
      supervision of the electronic communications sector, and which may
      have access to sensitive information of individuals who
      participate in a measurement campaign.  Similarly, regulators
      desire to protect the participants and their own sensitive
      information.

   o  Other LMAP system operators: Organisations who operate Measurement
      Systems or participate in measurements in some way.

   Although privacy is a protection extended to individuals, we discuss
   data protection by ISPs and other LMAP system operators in this
   section.  These organisations have sensitive information involved in
   the LMAP system, and many of the same dangers and mitigations are
   applicable.  Further, the ISPs store information on their Subscribers
   beyond that used in the LMAP system (for example, billing
   information), and there should be a benefit in considering all the
   needs and potential solutions coherently.

8.2.  Examples of Sensitive Information

   This section gives examples of sensitive information that may be
   measured or stored in a Measurement System, and that is to be kept
   private by default in the LMAP core protocols.

   Examples of Subscriber or authorised Internet user sensitive
   information:

   o  Sub-IP-layer addresses and names (MAC address, base station ID,
      SSID)

   o  IP address in use

   o  Personal Identification (real name)

   o  Location (street address, city)

   o  Subscribed service parameters

Top      Up      ToC       Page 40 
   o  Contents of traffic (activity, DNS queries, destinations,
      equipment types, account info for other services, etc.)

   o  Status as a study volunteer and Schedule of Measurement Tasks

   Examples of Internet Service Provider sensitive information:

   o  Measurement device identification (equipment ID and IP address)

   o  Measurement Instructions (choice of measurements)

   o  Measurement Results (some may be shared, others may be private)

   o  Measurement Schedule (exact times)

   o  Network topology (locations, connectivity, redundancy)

   o  Subscriber billing information, and any of the above Subscriber
      information known to the provider.

   o  Authentication credentials (such as certificates)

   Other organisations will have some combination of the lists above.
   The LMAP system would not typically expose all of the information
   above, but could expose a combination of items that could be
   correlated with other pieces collected by an attacker (as discussed
   in Section 8.5 on Threats).

8.3.  Different Privacy Issues Raised by Different Sorts of Measurement
      Methods

   Measurement Methods raise different privacy issues depending on
   whether they measure traffic created specifically for that purpose or
   whether they measure user traffic.

   Measurement Tasks conducted on user traffic store sensitive
   information, however briefly this storage may be.  We note that some
   authorities make a distinction on time of storage, and information
   that is kept only temporarily to perform a communications function is
   not subject to regulation (for example, active queue management, deep
   packet inspection).  Such Measurement Tasks could reveal all the
   websites a Subscriber visits and the applications and/or services
   they use.  This issue is not specific to LMAP.  For instance, IPFIX
   has discussed similar issues (see Section 11.8 of [RFC7011]), but
   mitigations described in the sections below were considered beyond
   their scope.

Top      Up      ToC       Page 41 
   In contrast to Measurement Tasks conducted on user traffic, other
   Measurement Tasks use traffic which is created specifically for the
   purpose of measurement.  Even if a user host generates Measurement
   Traffic, there is limited sensitive information about the Subscriber
   present and stored in the Measurement System:

   o  IP address in use (and possibly sub-IP addresses and names)

   o  Status as a study volunteer and Schedule of Measurement Tasks

   On the other hand, for a service provider, the sensitive information
   like Measurement Results is the same for all Measurement Tasks.

   From the Subscriber perspective, both types of Measurement Tasks
   potentially expose the description of Internet access service and
   specific service parameters, such as the Subscriber rate and type of
   access.

8.4.  Privacy Analysis of the Communication Models

   This section examines each of the protocol exchanges described at a
   high level in Section 5 and some example Measurement Tasks, and it
   identifies specific sensitive information that must be secured during
   communication for each case.  With the protocol-related sensitive
   information identified, we can better consider the threats described
   in the following section.

   From the privacy perspective, all entities participating in LMAP
   protocols can be considered "observers" according to the definition
   in [RFC6973].  Their stored information potentially poses a threat to
   privacy, especially if one or more of these functional entities has
   been compromised.  Likewise, all devices on the paths used for
   control, reporting, and measurement are also observers.

8.4.1.  MA Bootstrapping

   Section 5.1 provides the communication model for the Bootstrapping
   process.

   Although the specification of mechanisms for Bootstrapping the MA are
   beyond the scope of the initial LMAP work, designers should recognise
   that the Bootstrapping process is extremely powerful and could cause
   an MA to join a new or different LMAP system with a different
   Controller and Collector, or simply install new Metrics with
   associated Measurement Methods (for example, to record DNS queries).
   A Bootstrap attack could result in a breach of the LMAP system with
   significant sensitive information exposure depending on the

Top      Up      ToC       Page 42 
   capabilities of the MA, so sufficient security protections are
   warranted.

   The Bootstrapping process provides sensitive information about the
   LMAP system and the organisation that operates it, such as

   o  the MA's identifier (MA-ID)

   o  the address that identifies the Control Channel, such as the
      Controller's FQDN

   o  Security information for the Control Channel

   During the Bootstrap process for an MA located at a single
   Subscriber's service demarcation point, the MA receives an MA-ID,
   which is a persistent pseudonym for the Subscriber.  Thus, the MA-ID
   is considered sensitive information because it could provide the link
   between Subscriber identification and Measurements Results.

   Also, the Bootstrap process could assign a Group-ID to the MA.  The
   specific definition of information represented in a Group-ID is to be
   determined, but several examples are envisaged including use as a
   pseudonym for a set of Subscribers, a class of service, an access
   technology, or other important categories.  Assignment of a Group-ID
   enables anonymisation sets to be formed on the basis of service
   type/grade/rates.  Thus, the mapping between Group-ID and MA-ID is
   considered sensitive information.

8.4.2.  Controller <-> Measurement Agent

   The high-level communication model for interactions between the LMAP
   Controller and Measurement Agent is illustrated in Section 5.2.  The
   primary purpose of this exchange is to authenticate and task a
   Measurement Agent with Measurement Instructions, which the
   Measurement Agent then acts on autonomously.

   Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are
   exchanged with a capability request, then measurement-related
   information of interest such as the parameters, schedule, metrics,
   and IP addresses of measurement devices.  Thus, the measurement
   Instruction contains sensitive information that must be secured.  For
   example, the fact that an ISP is running additional measurements
   beyond the set reported externally is sensitive information, as are
   the additional Measurements Tasks themselves.  The Measurement
   Schedule is also sensitive, because an attacker intending to bias the
   results without being detected can use this information to great
   advantage.

Top      Up      ToC       Page 43 
   An organisation operating the Controller having no service
   relationship with a user who hosts the Measurement Agent *could* gain
   real-name mapping to a public IP address through user participation
   in an LMAP system (this applies to the Measurement Collection
   protocol, as well).

8.4.3.  Collector <-> Measurement Agent

   The high-level communication model for interactions between the
   Measurement Agent and Collector is illustrated in Section 5.4.  The
   primary purpose of this exchange is to authenticate and collect
   Measurement Results from an MA, which the MA has measured
   autonomously and stored.

   The Measurement Results are the additional sensitive information
   included in the Collector-MA exchange.  Organisations collecting LMAP
   measurements have responsibility for data control.  Thus, the Results
   and other information communicated in the Collector protocol must be
   secured.

8.4.4.  Measurement Peer <-> Measurement Agent

   A Measurement Method involving Measurement Traffic raises potential
   privacy issues, although the specification of the mechanisms is
   beyond the scope of the initial LMAP work.  The high-level
   communications model below illustrates the various exchanges to
   execute such a Measurement Method and store the Results.

   We note the potential for additional observers in the figures below
   by indicating the possible presence of a NAT, which has additional
   significance to the protocols and direction of initiation.

   The various messages are optional, depending on the nature of the
   Measurement Method.  It may involve sending Measurement Traffic from
   the Measurement Peer to MA, MA to Measurement Peer, or both.
   Similarly, a second (or more) MAs may be involved.  (Note: For
   simplicity, Figure 11 and the description don't show the non-LMAP
   functionality that is associated with the transfer of the Measurement
   Traffic and is located at the devices with the MA and MP.)

Top      Up      ToC       Page 44 
    _________________                              _________________
   |                 |                            |                 |
   |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
   |_________________|                            |_________________|

                                  <-              (Key Negotiation &
                                                   Encryption Setup)
   (Encrypted Channel             ->
   Established)
   (Announce capabilities         ->
   & status)
                                  <-             (Select capabilities)
   ACK                            ->
                                  <-              (Measurement Request
                                                 (MA+MP IPAddrs,set of
                                                   Metrics, Schedule))
   ACK                            ->

   Measurement Traffic            <>              Measurement Traffic
   (may/may not be encrypted)               (may/may not be encrypted)

                                  <-           (Stop Measurement Task)

   Measurement Results            ->
   (if applicable)
                                  <-                       ACK, Close

     Figure 11: Interactions between Measurement Peer and Measurement
                                   Agent

   This exchange primarily exposes the IP addresses of measurement
   devices and the inference of measurement participation from such
   traffic.  There may be sensitive information on key points in a
   service provider's network included.  There may also be access to
   measurement-related information of interest such as the Metrics,
   Schedule, and intermediate results carried in the Measurement Traffic
   (usually a set of timestamps).

   The Measurement Peer may be able to use traffic analysis (perhaps
   combined with traffic injection) to obtain interesting insights about
   the Subscriber.  As a simple example, if the Measurement Task
   includes a pre-check that the end user isn't already sending traffic,
   the Measurement Peer may be able to deduce when the Subscriber is
   away on holiday.

   If the Measurement Traffic is unencrypted, as found in many systems
   today, then both timing and limited results are open to on-path
   observers.

Top      Up      ToC       Page 45 
8.4.5.  Measurement Agent

   Some Measurement Methods only involve a single Measurement Agent
   observing existing traffic.  They raise potential privacy issues,
   although the specification of the mechanisms is beyond the scope of
   the initial LMAP work.

   The high-level communications model shown in Figure 12 illustrates
   the collection of user information of interest with the Measurement
   Agent performing the monitoring and storage of the Results.  This
   particular exchange is for measurement of DNS Response Time, which
   most frequently uses UDP transport.  (Note: For simplicity, Figure 12
   and its description do not show the non-LMAP functionality that is
   associated with the transfer (export) of the observed Measurement
   Traffic beyond the measurement devices located with the MA.)

  _________________                                      ____________
 |                 |                                    |            |
 |  DNS Server     |=========== NAT ? ==========*=======| User client|
 |_________________|                            ^       |____________|
                                          ______|_______
                                         |              |
                                         |  Measurement |
                                         |    Agent     |
                                         |______________|

                                <-              Name Resolution Required
                                               (MA+MP IPAddrs,
                                                Desired Domain Name)
 Return Record                  ->

 MA: Measurement Agent
 MP: Measurement Peer

   Figure 12: LMAP deployment example, with Measurement Agent monitoring
                             DNS response time

   In this particular example, the MA monitors DNS messages in order to
   measure the DNS response time.  The Measurement Agent may be embedded
   in the user host, or it may be located in another device capable of
   observing user traffic.  The MA learns the IP addresses of
   measurement devices and the intent to communicate with or access the
   services of a particular domain name, and perhaps also information on
   key points in a service provider's network, such as the address of
   one of its DNS servers.

Top      Up      ToC       Page 46 
   In principle, any of the user sensitive information of interest
   (listed above) can be collected and stored in the monitoring scenario
   and so must be secured.

   It would also be possible for a Measurement Agent to source the DNS
   query itself, and then there are not many privacy concerns.

8.4.6.  Storage and Reporting of Measurement Results

   Although the mechanisms for communicating results (beyond the initial
   Collector) are beyond the scope of the initial LMAP work, there are
   potential privacy issues related to a single organisation's storage
   and reporting of Measurement Results.  Both storage and reporting
   functions can help to preserve privacy by implementing the
   mitigations described below.

8.5.  Threats

   This section indicates how each of the threats described in [RFC6973]
   apply to the LMAP entities and their communication and storage of
   "information of interest".  DoS and other attacks described in the
   Security section represent threats as well, and these attacks are
   more effective when sensitive information protections have been
   compromised.

8.5.1.  Surveillance

   Section 5.1.1 of [RFC6973] describes surveillance as the "observation
   or monitoring of an individual's communications or activities."
   Hence, all Measurement Methods that measure user traffic are a form
   of surveillance, with inherent risks.

   Measurement Methods that avoid periods of user transmission
   indirectly produce a record of times when a subscriber or authorised
   user has used their network access service.

   Measurement Methods may also utilise and store a Subscriber's
   currently assigned IP address when conducting measurements that are
   relevant to a specific Subscriber.  Since the Measurement Results are
   timestamped, they could provide a record of IP address assignments
   over time.

   Either of the above pieces of information could be useful in
   correlation and identification, as described below.

Top      Up      ToC       Page 47 
8.5.2.  Stored Data Compromise

   Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
   resulting from inadequate measures to secure stored data from
   unauthorised or inappropriate access.  For LMAP systems, this
   includes deleting or modifying collected measurement records, as well
   as data theft.

   The primary LMAP entity subject to compromise is the repository,
   which stores the Measurement Results; extensive security and privacy
   threat mitigations are warranted.  The Collector and MA also store
   sensitive information temporarily and need protection.  The
   communications between the local storage of the Collector and the
   repository is beyond the scope of the initial LMAP work, though this
   communications channel will certainly need protection as will the
   mass storage itself.

   The LMAP Controller may have direct access to storage of Subscriber
   information (for example, location, billing, service parameters,
   etc.) and other information that the controlling organisation
   considers private and again needs protection.

   Note that there is tension between the desire to store all raw
   results in the LMAP Collector (for reproduction and custom analysis)
   and the need to protect the privacy of measurement participants.
   Many of the mitigations described in Section 8.6 are most efficient
   when deployed at the MA, therefore minimising the risks associated
   with stored results.

8.5.3.  Correlation and Identification

   Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as
   combining various pieces of information to obtain desired
   characteristics of an individual, and identification as using this
   combination to infer identity.

   The main risk is that the LMAP system could unwittingly provide a key
   piece of the correlation chain, starting with an unknown Subscriber's
   IP address and another piece of information.  For example, a
   Subscriber utilised Internet access from 2000 to 2310 UTC, because
   the Measurement Tasks were deferred or sent a name resolution for
   www.example.com at 2300 UTC.

   If a user's access with another system already gave away sensitive
   information, correlation is clearly easier and can result in
   re-identification, even when an LMAP system conserves sensitive
   information to great extent.

Top      Up      ToC       Page 48 
8.5.4.  Secondary Use and Disclosure

   Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as
   unauthorised utilisation of an individual's information for a purpose
   the individual did not intend, and disclosure as when such
   information is revealed causing another's notions of the individual
   to change or confidentiality to be violated.

   Measurement Methods that measure user traffic are a form of secondary
   use, and the Subscribers' permission should be obtained beforehand.
   It may be necessary to obtain the measured ISP's permission to
   conduct measurements (for example, when required by the terms and
   conditions of the service agreement) and notification is considered
   good measurement practice.

   For Measurement Methods that measure Measurement Traffic the
   Measurement Results provide some limited information about the
   Subscriber or ISP and could result in secondary uses.  For example,
   the use of the Results in unauthorised marketing campaigns would
   qualify as secondary use.  Secondary use may break national laws and
   regulations, and may violate an individual's expectations or desires.

8.6.  Mitigations

   This section examines the mitigations listed in Section 6 of
   [RFC6973] and their applicability to LMAP systems.  Note that each
   section in [RFC6973] identifies the threat categories that each
   technique mitigates.

8.6.1.  Data Minimisation

   Section 6.1 of [RFC6973] encourages collecting and storing the
   minimal information needed to perform a task.

   LMAP Results can be useful for general reporting about performance
   and for specific troubleshooting.  They need different levels of
   information detail, as explained in the paragraphs below.

   For general reporting, the results can be aggregated into large
   categories (for example, the month of March, all US subscribers West
   of the Mississippi River).  In this case, all individual
   identifications (including IP address of the MA) can be excluded, and
   only relevant results are provided.  However, this implies a
   filtering process to reduce the information fields, because greater
   detail was needed to conduct the Measurement Tasks in the first
   place.

Top      Up      ToC       Page 49 
   For troubleshooting, so that a network operator or end user can
   identify a performance issue or failure, potentially all the network
   information (for example, IP addresses, equipment IDs, location),
   Measurement Schedules, service configurations, Measurement Results,
   and other information may assist in the process.  This includes the
   information needed to conduct the Measurements Tasks, and represents
   a need where the maximum relevant information is desirable;
   therefore, the greatest protections should be applied.  This level of
   detail is greater than needed for general performance monitoring.

   As regards Measurement Methods that measure user traffic, we note
   that a user may give temporary permission (to enable detailed
   troubleshooting), but withhold permission for them in general.  Here
   the greatest breadth of sensitive information is potentially exposed,
   and the maximum privacy protection must be provided.  The Collector
   may perform pre-storage minimisation and other mitigations
   (Section 8.6.4) to help preserve privacy.

   For MAs with access to the sensitive information of users (for
   example, within a home or a personal host/handset), it is desirable
   for the Results collection to minimise the data reported, but also to
   balance this desire with the needs of troubleshooting when a service
   subscription exists between the user and organisation operating the
   measurements.

8.6.2.  Anonymity

   Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in
   which anonymity is achieved: "there must exist a set of individuals
   that appear to have the same attribute(s) as the individual."

   Experimental methods for anonymisation of user-identifiable data (and
   so particularly applicable to Measurement Methods that measure user
   traffic) have been identified in [RFC6235].  However, the findings of
   several of the same authors is that "there is increasing evidence
   that anonymization applied to network trace or flow data on its own
   is insufficient for many data protection applications as in [Bur10]."
   Essentially, the details of such Measurement Methods can only be
   accessed by closed organisations, and unknown injection attacks are
   always less expensive than the protections from them.  However, some
   forms of summary may protect the user's sensitive information
   sufficiently well, and so each Metric must be evaluated in the light
   of privacy.

   The techniques in [RFC6235] could be applied more successfully in
   Measurement Methods that generate Measurement Traffic, where there
   are protections from injection attack.  The successful attack would
   require breaking the integrity protection of the LMAP Reporting

Top      Up      ToC       Page 50 
   Protocol and injecting Measurement Results (known fingerprint, see
   Section 3.2 of [RFC6973]) for inclusion with the shared and
   anonymised results, then fingerprinting those records to ascertain
   the anonymisation process.

   Beside anonymisation of measured Results for a specific user or
   provider, the value of sensitive information can be further diluted
   by summarising the Results over many individuals or areas served by
   the provider.  There is an opportunity enabled by forming anonymity
   sets [RFC6973] based on the reference path measurement points in
   [RFC7398].  For example, all measurements from a Subscriber device
   can be identified as "mp000", instead of using the IP address or
   other device information.  The same anonymisation applies to the
   Internet Service Provider, where their Internet gateway would be
   referred to as "mp190".

   Another anonymisation technique is for the MA to include its Group-ID
   instead of its MA-ID in its Measurement Reports, with several MAs
   sharing the same Group-ID.

8.6.3.  Pseudonymity

   Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
   are a possible mitigation to revealing one's true identity, since
   there is no requirement to use real names in almost all protocols.

   A pseudonym for a measurement device's IP address could be an
   LMAP-unique equipment ID.  However, this would likely be a permanent
   handle for the device, and long-term use weakens a pseudonym's power
   to obscure identity.

8.6.4.  Other Mitigations

   Data can be depersonalised by blurring it, for example by adding
   synthetic data, data-swapping, or perturbing the values in ways that
   can be reversed or corrected.

   Sections 6.2 and 6.3 of [RFC6973] describe user participation and
   security, respectively.

   Where LMAP measurements involve devices on the subscriber's premises
   or Subscriber-owned equipment, it is essential to secure the
   Subscriber's permission with regard to the specific information that
   will be collected.  The informed consent of the Subscriber (and, if
   different, the end user) may be needed, including the specific
   purpose of the measurements.  The approval process could involve
   showing the Subscriber their measured information and results before
   instituting periodic collection, or before all instances of

Top      Up      ToC       Page 51 
   collection, with the option to cancel collection temporarily or
   permanently.

   It should also be clear who is legally responsible for data
   protection (privacy); in some jurisdictions, this role is called the
   'data controller'.  It is always good practice to limit the time that
   personal information is stored.

   Although the details of verification would be impenetrable to most
   subscribers, the MA could be architected as an "app" with open source
   code, pre-download and embedded terms of use and agreement on
   measurements, and protection from code modifications usually provided
   by the app stores.  Further, the app itself could provide data
   reduction and temporary storage mitigations as appropriate and
   certified through code review.

   LMAP protocols, devices, and the information they store clearly need
   to be secure from unauthorised access.  This is the hand-off between
   privacy and security considerations (Section 7).  The data controller
   is responsible (legally) for maintaining data protections described
   in the Subscriber's agreement and agreements with other
   organisations.

   Finally, it is recommended that each entity described in Section 8.1,
   (for example, individuals, ISPs, regulators, others) assess the risks
   of LMAP data collection by conducting audits of their data protection
   methods.

9.  Informative References

   [Bur10]    Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
              "The Role of Network Trace anonymisation Under Attack",
              January 2010.

   [IPPM-REG] Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A.
              Akhter, "Registry for Performance Metrics", Work in
              Progress, draft-ietf-ippm-metric-registry-04, July 2015.

   [LMAP-INFO]
              Burbridge, T., Eardley, P., Bagnulo, M., and J.
              Schoenwaelder, "Information Model for Large-Scale
              Measurement Platforms (LMAP)", Work in Progress,
              draft-ietf-lmap-information-model-06, July 2015.

   [REST]     Wikipedia, "Representational state transfer", July 2015,
              <https://en.wikipedia.org/w/index.php?
              title=Representational_state_transfer&oldid=673799183>.

Top      Up      ToC       Page 52 
   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <http://www.rfc-editor.org/info/rfc1035>.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003,
              <http://www.rfc-editor.org/info/rfc3444>.

   [RFC4101]  Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
              DOI 10.17487/RFC4101, June 2005,
              <http://www.rfc-editor.org/info/rfc4101>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <http://www.rfc-editor.org/info/rfc4122>.

   [RFC4656]  Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
              Zekauskas, "A One-way Active Measurement Protocol
              (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
              <http://www.rfc-editor.org/info/rfc4656>.

   [RFC5357]  Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
              Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
              RFC 5357, DOI 10.17487/RFC5357, October 2008,
              <http://www.rfc-editor.org/info/rfc5357>.

   [RFC6235]  Boschi, E. and B. Trammell, "IP Flow Anonymization
              Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
              <http://www.rfc-editor.org/info/rfc6235>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <http://www.rfc-editor.org/info/rfc6241>.

   [RFC6419]  Wasserman, M. and P. Seite, "Current Practices for
              Multiple-Interface Hosts", RFC 6419, DOI 10.17487/RFC6419,
              November 2011, <http://www.rfc-editor.org/info/rfc6419>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <http://www.rfc-editor.org/info/rfc6887>.

Top      Up      ToC       Page 53 
   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <http://www.rfc-editor.org/info/rfc6973>.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013,
              <http://www.rfc-editor.org/info/rfc7011>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258,
              May 2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7368]  Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
              Weil, "IPv6 Home Networking Architecture Principles",
              RFC 7368, DOI 10.17487/RFC7368, October 2014,
              <http://www.rfc-editor.org/info/rfc7368>.

   [RFC7398]  Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
              A. Morton, "A Reference Path and Measurement Points for
              Large-Scale Measurement of Broadband Performance",
              RFC 7398, DOI 10.17487/RFC7398, February 2015,
              <http://www.rfc-editor.org/info/rfc7398>.

   [RFC7536]  Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
              "Large-Scale Broadband Measurement Use Cases", RFC 7536,
              DOI 10.17487/RFC7536, May 2015,
              <http://www.rfc-editor.org/info/rfc7536>.

   [TR-069]   The Broadband Forum, "CPE WAN Management Protocol", TR-069
              Amendment 5, November 2013,
              <https://www.broadband-forum.org/technical/download/
              TR-069_Amendment-5.pdf>.

   [UPnP]     UPnP Forum, "UPnP Device Architecture 2.0", February 2015,
              <http://www.iso.org/iso/home/store/catalogue_ics/
              catalogue_detail_ics.htm?csnumber=57195>.

Top      Up      ToC       Page 54 
Acknowledgments

   This document originated as a merger of three individual drafts:
   "Terminology for Large MeAsurement Platforms (LMAP)" (July 2013), "A
   Framework and Inventory for a Large Scale Measurement System" (July
   2013), and "A framework for large-scale measurements" (July 2013).

   Thanks to Juergen Schoenwaelder for his detailed review of the
   terminology.  Thanks to Charles Cook for a very detailed review of an
   early draft of this document.  Thanks to Barbara Stark and Ken Ko for
   many helpful comments about later draft versions.

   Thanks to numerous people for much discussion, directly and on the
   LMAP list (apologies to those unintentionally omitted): Alan Clark,
   Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
   Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen,
   Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay,
   Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner,
   Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael
   Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter,
   Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey,
   Vaibhav Bajpai, Vero Zheng, and William Lupton.

   Philip Eardley, Trevor Burbridge and Marcelo Bagnulo worked in part
   on the Leone research project, which received funding from the
   European Union Seventh Framework Programme under grant agreement
   number 317647.

Authors' Addresses

   Philip Eardley
   BT
   Adastral Park, Martlesham Heath
   Ipswich
   England

   Email: philip.eardley@bt.com


   Al Morton
   AT&T Labs
   200 Laurel Avenue South
   Middletown, NJ
   United States

   Email: acmorton@att.com

Top      Up      ToC       Page 55 
   Marcelo Bagnulo
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid  28911
   Spain

   Phone: 34 91 6249500
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es


   Trevor Burbridge
   BT
   Adastral Park, Martlesham Heath
   Ipswich
   England

   Email: trevor.burbridge@bt.com


   Paul Aitken
   Brocade Communications Systems, Inc.
   19a Canning Street, Level 3
   Edinburgh, Scotland  EH3 8EG
   United Kingdom

   Email: paitken@brocade.com


   Aamer Akhter
   Consultant
   118 Timber Hitch
   Cary, NC
   United States

   Email: aakhter@gmail.com