7. Security Considerations
The security of the LMAP framework should protect the interests of
the measurement operator(s), the network user(s), and other actors
who could be impacted by a compromised measurement deployment. The
Measurement System must secure the various components of the system
from unauthorised access or corruption. Much of the general advice
contained in Section 6 of [RFC4656] is applicable here.
The process to upgrade the firmware in an MA is outside the scope of
the initial LMAP work, just as is the protocol to Bootstrap the MAs.
However, systems that provide remote upgrades must secure authorised
access and integrity of the process.
We assume that each Measurement Agent (MA) will receive its
Instructions from a single organisation, which operates the
Controller. These Instructions must be authenticated (to ensure that
they come from the trusted Controller), checked for integrity (to
ensure no one has tampered with them), and not vulnerable to replay
attacks. If a malicious party can gain control of the MA, they can
use it to launch denial-of-service (DoS) attacks at targets, create a
platform for pervasive monitoring [RFC7258], reduce the end-user's
quality of experience, and corrupt the Measurement Results that are
reported to the Collector. By altering the Measurement Tasks and/or
the address that Results are reported to, they can also compromise
the confidentiality of the network user and the MA environment (such
as information about the location of devices or their traffic). The
Instruction Messages also need to be encrypted to maintain
confidentiality, as the information might be useful to an attacker.
Reporting by the MA must be encrypted to maintain confidentiality, so
that only the authorised Collector can decrypt the results to prevent
the leakage of confidential or private information. Reporting must
also be authenticated (to ensure that it comes from a trusted MA and
that the MA reports to a genuine Collector) and not vulnerable to
tampering (which can be ensured through integrity and replay checks).
It must not be possible to fool an MA into injecting falsified data
and the results must also be held and processed securely after
collection and analysis. See Section 8.5.2 for additional
considerations on stored data compromise, and Section 8.6 on
potential mitigations for compromise.
Since Collectors will be contacted repeatedly by MAs using the Report
Protocol to convey their recent results, a successful attack to
exhaust the communication resources would prevent a critical
operation: reporting. Therefore, all LMAP Collectors should
implement technical mechanisms to:
o limit the number of reporting connections from a single MA
(simultaneous and established in some time period).
o limit the transmission rate from a single MA.
o limit the memory/storage consumed by a single MA's reports.
o efficiently reject reporting connections from unknown sources.
o separate resources if multiple authentication strengths are used,
where the resources should be separated according to each class of
A corrupted MA could report falsified information to the Collector.
Whether this can be effectively mitigated depends on the platform on
which the MA is deployed. However, where the MA is deployed on a
customer-controlled device, then the reported data is to some degree
inherently untrustworthy. Further, a sophisticated party could
distort some Measurement Methods, perhaps by dropping or delaying
packets for example. This suggests that the network operator should
be cautious about relying on Measurement Results for action such as
refunding fees if a service level agreement is not met.
As part of the protocol design, it will be decided how LMAP operates
over the underlying protocol (Section 5.5). The choice raises
various security issues, such as how to operate through a NAT and how
to protect the Controller and Collector from DoS attacks.
The security mechanisms described above may not be strictly necessary
if the network's design ensures the LMAP components and their
communications are already secured, for example potentially if they
are all part of an ISP's dedicated management network.
Finally, there are three other issues related to security: privacy
(considered in Section 8), availability, and "gaming the system".
While the loss of some MAs may not be considered critical, the
unavailability of the Collector could mean that valuable business
data or data critical to a regulatory process is lost. Similarly,
the unavailability of a Controller could mean that the MAs do not
operate a correct Measurement Schedule.
A malicious party could "game the system". For example, where a
regulator is running a Measurement System in order to benchmark
operators, an operator could try to identify the broadband lines that
the regulator was measuring and prioritise that traffic. Normally,
this potential issue is handled by a code of conduct. It is outside
the scope of the initial LMAP work to consider the issue.
8. Privacy Considerations
The LMAP work considers privacy a core requirement and will ensure
that by default the Control and Report Protocols operate in a
privacy-sensitive manner and that privacy features are well defined.
This section provides a set of privacy considerations for LMAP. This
section benefits greatly from the publication of [RFC6973]. Privacy
and security (Section 7) are related. In some jurisdictions, privacy
is called data protection.
We begin with a set of assumptions related to protecting the
sensitive information of individuals and organisations participating
in LMAP-orchestrated measurement and data collection.
8.1. Categories of Entities with Information of Interest
LMAP protocols need to protect the sensitive information of the
following entities, including individuals and organisations who
participate in measurement and collection of results.
o Individual Internet users: Persons who utilise Internet access
services for communications tasks, according to the terms of
service of a service agreement. Such persons may be a service
Subscriber, or have been given permission by the Subscriber to use
o Internet service providers: Organisations that offer Internet
access service subscriptions, and thus have access to sensitive
information of individuals who choose to use the service. These
organisations desire to protect their Subscribers and their own
sensitive information, which may be stored in the process of
performing Measurement Tasks and collecting Results.
o Regulators: Public authorities responsible for exercising
supervision of the electronic communications sector, and which may
have access to sensitive information of individuals who
participate in a measurement campaign. Similarly, regulators
desire to protect the participants and their own sensitive
o Other LMAP system operators: Organisations who operate Measurement
Systems or participate in measurements in some way.
Although privacy is a protection extended to individuals, we discuss
data protection by ISPs and other LMAP system operators in this
section. These organisations have sensitive information involved in
the LMAP system, and many of the same dangers and mitigations are
applicable. Further, the ISPs store information on their Subscribers
beyond that used in the LMAP system (for example, billing
information), and there should be a benefit in considering all the
needs and potential solutions coherently.
8.2. Examples of Sensitive Information
This section gives examples of sensitive information that may be
measured or stored in a Measurement System, and that is to be kept
private by default in the LMAP core protocols.
Examples of Subscriber or authorised Internet user sensitive
o Sub-IP-layer addresses and names (MAC address, base station ID,
o IP address in use
o Personal Identification (real name)
o Location (street address, city)
o Subscribed service parameters
o Contents of traffic (activity, DNS queries, destinations,
equipment types, account info for other services, etc.)
o Status as a study volunteer and Schedule of Measurement Tasks
Examples of Internet Service Provider sensitive information:
o Measurement device identification (equipment ID and IP address)
o Measurement Instructions (choice of measurements)
o Measurement Results (some may be shared, others may be private)
o Measurement Schedule (exact times)
o Network topology (locations, connectivity, redundancy)
o Subscriber billing information, and any of the above Subscriber
information known to the provider.
o Authentication credentials (such as certificates)
Other organisations will have some combination of the lists above.
The LMAP system would not typically expose all of the information
above, but could expose a combination of items that could be
correlated with other pieces collected by an attacker (as discussed
in Section 8.5 on Threats).
8.3. Different Privacy Issues Raised by Different Sorts of Measurement
Measurement Methods raise different privacy issues depending on
whether they measure traffic created specifically for that purpose or
whether they measure user traffic.
Measurement Tasks conducted on user traffic store sensitive
information, however briefly this storage may be. We note that some
authorities make a distinction on time of storage, and information
that is kept only temporarily to perform a communications function is
not subject to regulation (for example, active queue management, deep
packet inspection). Such Measurement Tasks could reveal all the
websites a Subscriber visits and the applications and/or services
they use. This issue is not specific to LMAP. For instance, IPFIX
has discussed similar issues (see Section 11.8 of [RFC7011]), but
mitigations described in the sections below were considered beyond
In contrast to Measurement Tasks conducted on user traffic, other
Measurement Tasks use traffic which is created specifically for the
purpose of measurement. Even if a user host generates Measurement
Traffic, there is limited sensitive information about the Subscriber
present and stored in the Measurement System:
o IP address in use (and possibly sub-IP addresses and names)
o Status as a study volunteer and Schedule of Measurement Tasks
On the other hand, for a service provider, the sensitive information
like Measurement Results is the same for all Measurement Tasks.
From the Subscriber perspective, both types of Measurement Tasks
potentially expose the description of Internet access service and
specific service parameters, such as the Subscriber rate and type of
8.4. Privacy Analysis of the Communication Models
This section examines each of the protocol exchanges described at a
high level in Section 5 and some example Measurement Tasks, and it
identifies specific sensitive information that must be secured during
communication for each case. With the protocol-related sensitive
information identified, we can better consider the threats described
in the following section.
From the privacy perspective, all entities participating in LMAP
protocols can be considered "observers" according to the definition
in [RFC6973]. Their stored information potentially poses a threat to
privacy, especially if one or more of these functional entities has
been compromised. Likewise, all devices on the paths used for
control, reporting, and measurement are also observers.
8.4.1. MA Bootstrapping
Section 5.1 provides the communication model for the Bootstrapping
Although the specification of mechanisms for Bootstrapping the MA are
beyond the scope of the initial LMAP work, designers should recognise
that the Bootstrapping process is extremely powerful and could cause
an MA to join a new or different LMAP system with a different
Controller and Collector, or simply install new Metrics with
associated Measurement Methods (for example, to record DNS queries).
A Bootstrap attack could result in a breach of the LMAP system with
significant sensitive information exposure depending on the
capabilities of the MA, so sufficient security protections are
The Bootstrapping process provides sensitive information about the
LMAP system and the organisation that operates it, such as
o the MA's identifier (MA-ID)
o the address that identifies the Control Channel, such as the
o Security information for the Control Channel
During the Bootstrap process for an MA located at a single
Subscriber's service demarcation point, the MA receives an MA-ID,
which is a persistent pseudonym for the Subscriber. Thus, the MA-ID
is considered sensitive information because it could provide the link
between Subscriber identification and Measurements Results.
Also, the Bootstrap process could assign a Group-ID to the MA. The
specific definition of information represented in a Group-ID is to be
determined, but several examples are envisaged including use as a
pseudonym for a set of Subscribers, a class of service, an access
technology, or other important categories. Assignment of a Group-ID
enables anonymisation sets to be formed on the basis of service
type/grade/rates. Thus, the mapping between Group-ID and MA-ID is
considered sensitive information.
8.4.2. Controller <-> Measurement Agent
The high-level communication model for interactions between the LMAP
Controller and Measurement Agent is illustrated in Section 5.2. The
primary purpose of this exchange is to authenticate and task a
Measurement Agent with Measurement Instructions, which the
Measurement Agent then acts on autonomously.
Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are
exchanged with a capability request, then measurement-related
information of interest such as the parameters, schedule, metrics,
and IP addresses of measurement devices. Thus, the measurement
Instruction contains sensitive information that must be secured. For
example, the fact that an ISP is running additional measurements
beyond the set reported externally is sensitive information, as are
the additional Measurements Tasks themselves. The Measurement
Schedule is also sensitive, because an attacker intending to bias the
results without being detected can use this information to great
An organisation operating the Controller having no service
relationship with a user who hosts the Measurement Agent *could* gain
real-name mapping to a public IP address through user participation
in an LMAP system (this applies to the Measurement Collection
protocol, as well).
8.4.3. Collector <-> Measurement Agent
The high-level communication model for interactions between the
Measurement Agent and Collector is illustrated in Section 5.4. The
primary purpose of this exchange is to authenticate and collect
Measurement Results from an MA, which the MA has measured
autonomously and stored.
The Measurement Results are the additional sensitive information
included in the Collector-MA exchange. Organisations collecting LMAP
measurements have responsibility for data control. Thus, the Results
and other information communicated in the Collector protocol must be
8.4.4. Measurement Peer <-> Measurement Agent
A Measurement Method involving Measurement Traffic raises potential
privacy issues, although the specification of the mechanisms is
beyond the scope of the initial LMAP work. The high-level
communications model below illustrates the various exchanges to
execute such a Measurement Method and store the Results.
We note the potential for additional observers in the figures below
by indicating the possible presence of a NAT, which has additional
significance to the protocols and direction of initiation.
The various messages are optional, depending on the nature of the
Measurement Method. It may involve sending Measurement Traffic from
the Measurement Peer to MA, MA to Measurement Peer, or both.
Similarly, a second (or more) MAs may be involved. (Note: For
simplicity, Figure 11 and the description don't show the non-LMAP
functionality that is associated with the transfer of the Measurement
Traffic and is located at the devices with the MA and MP.)
| | | |
|Measurement Peer |=========== NAT ? ==========|Measurement Agent|
<- (Key Negotiation &
(Encrypted Channel ->
(Announce capabilities ->
<- (Select capabilities)
<- (Measurement Request
(MA+MP IPAddrs,set of
Measurement Traffic <> Measurement Traffic
(may/may not be encrypted) (may/may not be encrypted)
<- (Stop Measurement Task)
Measurement Results ->
<- ACK, Close
Figure 11: Interactions between Measurement Peer and Measurement
This exchange primarily exposes the IP addresses of measurement
devices and the inference of measurement participation from such
traffic. There may be sensitive information on key points in a
service provider's network included. There may also be access to
measurement-related information of interest such as the Metrics,
Schedule, and intermediate results carried in the Measurement Traffic
(usually a set of timestamps).
The Measurement Peer may be able to use traffic analysis (perhaps
combined with traffic injection) to obtain interesting insights about
the Subscriber. As a simple example, if the Measurement Task
includes a pre-check that the end user isn't already sending traffic,
the Measurement Peer may be able to deduce when the Subscriber is
away on holiday.
If the Measurement Traffic is unencrypted, as found in many systems
today, then both timing and limited results are open to on-path
8.4.5. Measurement Agent
Some Measurement Methods only involve a single Measurement Agent
observing existing traffic. They raise potential privacy issues,
although the specification of the mechanisms is beyond the scope of
the initial LMAP work.
The high-level communications model shown in Figure 12 illustrates
the collection of user information of interest with the Measurement
Agent performing the monitoring and storage of the Results. This
particular exchange is for measurement of DNS Response Time, which
most frequently uses UDP transport. (Note: For simplicity, Figure 12
and its description do not show the non-LMAP functionality that is
associated with the transfer (export) of the observed Measurement
Traffic beyond the measurement devices located with the MA.)
| | | |
| DNS Server |=========== NAT ? ==========*=======| User client|
|_________________| ^ |____________|
| Measurement |
| Agent |
<- Name Resolution Required
Desired Domain Name)
Return Record ->
MA: Measurement Agent
MP: Measurement Peer
Figure 12: LMAP deployment example, with Measurement Agent monitoring
DNS response time
In this particular example, the MA monitors DNS messages in order to
measure the DNS response time. The Measurement Agent may be embedded
in the user host, or it may be located in another device capable of
observing user traffic. The MA learns the IP addresses of
measurement devices and the intent to communicate with or access the
services of a particular domain name, and perhaps also information on
key points in a service provider's network, such as the address of
one of its DNS servers.
In principle, any of the user sensitive information of interest
(listed above) can be collected and stored in the monitoring scenario
and so must be secured.
It would also be possible for a Measurement Agent to source the DNS
query itself, and then there are not many privacy concerns.
8.4.6. Storage and Reporting of Measurement Results
Although the mechanisms for communicating results (beyond the initial
Collector) are beyond the scope of the initial LMAP work, there are
potential privacy issues related to a single organisation's storage
and reporting of Measurement Results. Both storage and reporting
functions can help to preserve privacy by implementing the
mitigations described below.
This section indicates how each of the threats described in [RFC6973]
apply to the LMAP entities and their communication and storage of
"information of interest". DoS and other attacks described in the
Security section represent threats as well, and these attacks are
more effective when sensitive information protections have been
Section 5.1.1 of [RFC6973] describes surveillance as the "observation
or monitoring of an individual's communications or activities."
Hence, all Measurement Methods that measure user traffic are a form
of surveillance, with inherent risks.
Measurement Methods that avoid periods of user transmission
indirectly produce a record of times when a subscriber or authorised
user has used their network access service.
Measurement Methods may also utilise and store a Subscriber's
currently assigned IP address when conducting measurements that are
relevant to a specific Subscriber. Since the Measurement Results are
timestamped, they could provide a record of IP address assignments
Either of the above pieces of information could be useful in
correlation and identification, as described below.
8.5.2. Stored Data Compromise
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as
resulting from inadequate measures to secure stored data from
unauthorised or inappropriate access. For LMAP systems, this
includes deleting or modifying collected measurement records, as well
as data theft.
The primary LMAP entity subject to compromise is the repository,
which stores the Measurement Results; extensive security and privacy
threat mitigations are warranted. The Collector and MA also store
sensitive information temporarily and need protection. The
communications between the local storage of the Collector and the
repository is beyond the scope of the initial LMAP work, though this
communications channel will certainly need protection as will the
mass storage itself.
The LMAP Controller may have direct access to storage of Subscriber
information (for example, location, billing, service parameters,
etc.) and other information that the controlling organisation
considers private and again needs protection.
Note that there is tension between the desire to store all raw
results in the LMAP Collector (for reproduction and custom analysis)
and the need to protect the privacy of measurement participants.
Many of the mitigations described in Section 8.6 are most efficient
when deployed at the MA, therefore minimising the risks associated
with stored results.
8.5.3. Correlation and Identification
Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as
combining various pieces of information to obtain desired
characteristics of an individual, and identification as using this
combination to infer identity.
The main risk is that the LMAP system could unwittingly provide a key
piece of the correlation chain, starting with an unknown Subscriber's
IP address and another piece of information. For example, a
Subscriber utilised Internet access from 2000 to 2310 UTC, because
the Measurement Tasks were deferred or sent a name resolution for
www.example.com at 2300 UTC.
If a user's access with another system already gave away sensitive
information, correlation is clearly easier and can result in
re-identification, even when an LMAP system conserves sensitive
information to great extent.
8.5.4. Secondary Use and Disclosure
Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as
unauthorised utilisation of an individual's information for a purpose
the individual did not intend, and disclosure as when such
information is revealed causing another's notions of the individual
to change or confidentiality to be violated.
Measurement Methods that measure user traffic are a form of secondary
use, and the Subscribers' permission should be obtained beforehand.
It may be necessary to obtain the measured ISP's permission to
conduct measurements (for example, when required by the terms and
conditions of the service agreement) and notification is considered
good measurement practice.
For Measurement Methods that measure Measurement Traffic the
Measurement Results provide some limited information about the
Subscriber or ISP and could result in secondary uses. For example,
the use of the Results in unauthorised marketing campaigns would
qualify as secondary use. Secondary use may break national laws and
regulations, and may violate an individual's expectations or desires.
This section examines the mitigations listed in Section 6 of
[RFC6973] and their applicability to LMAP systems. Note that each
section in [RFC6973] identifies the threat categories that each
8.6.1. Data Minimisation
Section 6.1 of [RFC6973] encourages collecting and storing the
minimal information needed to perform a task.
LMAP Results can be useful for general reporting about performance
and for specific troubleshooting. They need different levels of
information detail, as explained in the paragraphs below.
For general reporting, the results can be aggregated into large
categories (for example, the month of March, all US subscribers West
of the Mississippi River). In this case, all individual
identifications (including IP address of the MA) can be excluded, and
only relevant results are provided. However, this implies a
filtering process to reduce the information fields, because greater
detail was needed to conduct the Measurement Tasks in the first
For troubleshooting, so that a network operator or end user can
identify a performance issue or failure, potentially all the network
information (for example, IP addresses, equipment IDs, location),
Measurement Schedules, service configurations, Measurement Results,
and other information may assist in the process. This includes the
information needed to conduct the Measurements Tasks, and represents
a need where the maximum relevant information is desirable;
therefore, the greatest protections should be applied. This level of
detail is greater than needed for general performance monitoring.
As regards Measurement Methods that measure user traffic, we note
that a user may give temporary permission (to enable detailed
troubleshooting), but withhold permission for them in general. Here
the greatest breadth of sensitive information is potentially exposed,
and the maximum privacy protection must be provided. The Collector
may perform pre-storage minimisation and other mitigations
(Section 8.6.4) to help preserve privacy.
For MAs with access to the sensitive information of users (for
example, within a home or a personal host/handset), it is desirable
for the Results collection to minimise the data reported, but also to
balance this desire with the needs of troubleshooting when a service
subscription exists between the user and organisation operating the
Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in
which anonymity is achieved: "there must exist a set of individuals
that appear to have the same attribute(s) as the individual."
Experimental methods for anonymisation of user-identifiable data (and
so particularly applicable to Measurement Methods that measure user
traffic) have been identified in [RFC6235]. However, the findings of
several of the same authors is that "there is increasing evidence
that anonymization applied to network trace or flow data on its own
is insufficient for many data protection applications as in [Bur10]."
Essentially, the details of such Measurement Methods can only be
accessed by closed organisations, and unknown injection attacks are
always less expensive than the protections from them. However, some
forms of summary may protect the user's sensitive information
sufficiently well, and so each Metric must be evaluated in the light
The techniques in [RFC6235] could be applied more successfully in
Measurement Methods that generate Measurement Traffic, where there
are protections from injection attack. The successful attack would
require breaking the integrity protection of the LMAP Reporting
Protocol and injecting Measurement Results (known fingerprint, see
Section 3.2 of [RFC6973]) for inclusion with the shared and
anonymised results, then fingerprinting those records to ascertain
the anonymisation process.
Beside anonymisation of measured Results for a specific user or
provider, the value of sensitive information can be further diluted
by summarising the Results over many individuals or areas served by
the provider. There is an opportunity enabled by forming anonymity
sets [RFC6973] based on the reference path measurement points in
[RFC7398]. For example, all measurements from a Subscriber device
can be identified as "mp000", instead of using the IP address or
other device information. The same anonymisation applies to the
Internet Service Provider, where their Internet gateway would be
referred to as "mp190".
Another anonymisation technique is for the MA to include its Group-ID
instead of its MA-ID in its Measurement Reports, with several MAs
sharing the same Group-ID.
Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames,
are a possible mitigation to revealing one's true identity, since
there is no requirement to use real names in almost all protocols.
A pseudonym for a measurement device's IP address could be an
LMAP-unique equipment ID. However, this would likely be a permanent
handle for the device, and long-term use weakens a pseudonym's power
to obscure identity.
8.6.4. Other Mitigations
Data can be depersonalised by blurring it, for example by adding
synthetic data, data-swapping, or perturbing the values in ways that
can be reversed or corrected.
Sections 6.2 and 6.3 of [RFC6973] describe user participation and
Where LMAP measurements involve devices on the subscriber's premises
or Subscriber-owned equipment, it is essential to secure the
Subscriber's permission with regard to the specific information that
will be collected. The informed consent of the Subscriber (and, if
different, the end user) may be needed, including the specific
purpose of the measurements. The approval process could involve
showing the Subscriber their measured information and results before
instituting periodic collection, or before all instances of
collection, with the option to cancel collection temporarily or
It should also be clear who is legally responsible for data
protection (privacy); in some jurisdictions, this role is called the
'data controller'. It is always good practice to limit the time that
personal information is stored.
Although the details of verification would be impenetrable to most
subscribers, the MA could be architected as an "app" with open source
measurements, and protection from code modifications usually provided
by the app stores. Further, the app itself could provide data
reduction and temporary storage mitigations as appropriate and
certified through code review.
LMAP protocols, devices, and the information they store clearly need
to be secure from unauthorised access. This is the hand-off between
privacy and security considerations (Section 7). The data controller
is responsible (legally) for maintaining data protections described
in the Subscriber's agreement and agreements with other
Finally, it is recommended that each entity described in Section 8.1,
(for example, individuals, ISPs, regulators, others) assess the risks
of LMAP data collection by conducting audits of their data protection
9. Informative References
[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi,
"The Role of Network Trace anonymisation Under Attack",
[IPPM-REG] Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A.
Akhter, "Registry for Performance Metrics", Work in
Progress, draft-ietf-ippm-metric-registry-04, July 2015.
Burbridge, T., Eardley, P., Bagnulo, M., and J.
Schoenwaelder, "Information Model for Large-Scale
Measurement Platforms (LMAP)", Work in Progress,
draft-ietf-lmap-information-model-06, July 2015.
[REST] Wikipedia, "Representational state transfer", July 2015,
This document originated as a merger of three individual drafts:
"Terminology for Large MeAsurement Platforms (LMAP)" (July 2013), "A
Framework and Inventory for a Large Scale Measurement System" (July
2013), and "A framework for large-scale measurements" (July 2013).
Thanks to Juergen Schoenwaelder for his detailed review of the
terminology. Thanks to Charles Cook for a very detailed review of an
early draft of this document. Thanks to Barbara Stark and Ken Ko for
many helpful comments about later draft versions.
Thanks to numerous people for much discussion, directly and on the
LMAP list (apologies to those unintentionally omitted): Alan Clark,
Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian
Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen,
Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay,
Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner,
Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael
Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter,
Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey,
Vaibhav Bajpai, Vero Zheng, and William Lupton.
Philip Eardley, Trevor Burbridge and Marcelo Bagnulo worked in part
on the Leone research project, which received funding from the
European Union Seventh Framework Programme under grant agreement
Adastral Park, Martlesham Heath
200 Laurel Avenue South
Universidad Carlos III de Madrid
Av. Universidad 30
Leganes, Madrid 28911
Phone: 34 91 6249500
Adastral Park, Martlesham Heath
Brocade Communications Systems, Inc.
19a Canning Street, Level 3
Edinburgh, Scotland EH3 8EG
118 Timber Hitch