Section 6 of [RFC4656] is applicable here. The process to upgrade the firmware in an MA is outside the scope of the initial LMAP work, just as is the protocol to Bootstrap the MAs. However, systems that provide remote upgrades must secure authorised access and integrity of the process. We assume that each Measurement Agent (MA) will receive its Instructions from a single organisation, which operates the Controller. These Instructions must be authenticated (to ensure that they come from the trusted Controller), checked for integrity (to ensure no one has tampered with them), and not vulnerable to replay attacks. If a malicious party can gain control of the MA, they can use it to launch denial-of-service (DoS) attacks at targets, create a platform for pervasive monitoring [RFC7258], reduce the end-user's quality of experience, and corrupt the Measurement Results that are reported to the Collector. By altering the Measurement Tasks and/or the address that Results are reported to, they can also compromise
the confidentiality of the network user and the MA environment (such as information about the location of devices or their traffic). The Instruction Messages also need to be encrypted to maintain confidentiality, as the information might be useful to an attacker. Reporting by the MA must be encrypted to maintain confidentiality, so that only the authorised Collector can decrypt the results to prevent the leakage of confidential or private information. Reporting must also be authenticated (to ensure that it comes from a trusted MA and that the MA reports to a genuine Collector) and not vulnerable to tampering (which can be ensured through integrity and replay checks). It must not be possible to fool an MA into injecting falsified data and the results must also be held and processed securely after collection and analysis. See Section 8.5.2 for additional considerations on stored data compromise, and Section 8.6 on potential mitigations for compromise. Since Collectors will be contacted repeatedly by MAs using the Report Protocol to convey their recent results, a successful attack to exhaust the communication resources would prevent a critical operation: reporting. Therefore, all LMAP Collectors should implement technical mechanisms to: o limit the number of reporting connections from a single MA (simultaneous and established in some time period). o limit the transmission rate from a single MA. o limit the memory/storage consumed by a single MA's reports. o efficiently reject reporting connections from unknown sources. o separate resources if multiple authentication strengths are used, where the resources should be separated according to each class of strength. A corrupted MA could report falsified information to the Collector. Whether this can be effectively mitigated depends on the platform on which the MA is deployed. However, where the MA is deployed on a customer-controlled device, then the reported data is to some degree inherently untrustworthy. Further, a sophisticated party could distort some Measurement Methods, perhaps by dropping or delaying packets for example. This suggests that the network operator should be cautious about relying on Measurement Results for action such as refunding fees if a service level agreement is not met. As part of the protocol design, it will be decided how LMAP operates over the underlying protocol (Section 5.5). The choice raises
various security issues, such as how to operate through a NAT and how to protect the Controller and Collector from DoS attacks. The security mechanisms described above may not be strictly necessary if the network's design ensures the LMAP components and their communications are already secured, for example potentially if they are all part of an ISP's dedicated management network. Finally, there are three other issues related to security: privacy (considered in Section 8), availability, and "gaming the system". While the loss of some MAs may not be considered critical, the unavailability of the Collector could mean that valuable business data or data critical to a regulatory process is lost. Similarly, the unavailability of a Controller could mean that the MAs do not operate a correct Measurement Schedule. A malicious party could "game the system". For example, where a regulator is running a Measurement System in order to benchmark operators, an operator could try to identify the broadband lines that the regulator was measuring and prioritise that traffic. Normally, this potential issue is handled by a code of conduct. It is outside the scope of the initial LMAP work to consider the issue. RFC6973]. Privacy and security (Section 7) are related. In some jurisdictions, privacy is called data protection. We begin with a set of assumptions related to protecting the sensitive information of individuals and organisations participating in LMAP-orchestrated measurement and data collection.
Subscriber, or have been given permission by the Subscriber to use the service. o Internet service providers: Organisations that offer Internet access service subscriptions, and thus have access to sensitive information of individuals who choose to use the service. These organisations desire to protect their Subscribers and their own sensitive information, which may be stored in the process of performing Measurement Tasks and collecting Results. o Regulators: Public authorities responsible for exercising supervision of the electronic communications sector, and which may have access to sensitive information of individuals who participate in a measurement campaign. Similarly, regulators desire to protect the participants and their own sensitive information. o Other LMAP system operators: Organisations who operate Measurement Systems or participate in measurements in some way. Although privacy is a protection extended to individuals, we discuss data protection by ISPs and other LMAP system operators in this section. These organisations have sensitive information involved in the LMAP system, and many of the same dangers and mitigations are applicable. Further, the ISPs store information on their Subscribers beyond that used in the LMAP system (for example, billing information), and there should be a benefit in considering all the needs and potential solutions coherently.
o Contents of traffic (activity, DNS queries, destinations, equipment types, account info for other services, etc.) o Status as a study volunteer and Schedule of Measurement Tasks Examples of Internet Service Provider sensitive information: o Measurement device identification (equipment ID and IP address) o Measurement Instructions (choice of measurements) o Measurement Results (some may be shared, others may be private) o Measurement Schedule (exact times) o Network topology (locations, connectivity, redundancy) o Subscriber billing information, and any of the above Subscriber information known to the provider. o Authentication credentials (such as certificates) Other organisations will have some combination of the lists above. The LMAP system would not typically expose all of the information above, but could expose a combination of items that could be correlated with other pieces collected by an attacker (as discussed in Section 8.5 on Threats). Section 11.8 of [RFC7011]), but mitigations described in the sections below were considered beyond their scope.
In contrast to Measurement Tasks conducted on user traffic, other Measurement Tasks use traffic which is created specifically for the purpose of measurement. Even if a user host generates Measurement Traffic, there is limited sensitive information about the Subscriber present and stored in the Measurement System: o IP address in use (and possibly sub-IP addresses and names) o Status as a study volunteer and Schedule of Measurement Tasks On the other hand, for a service provider, the sensitive information like Measurement Results is the same for all Measurement Tasks. From the Subscriber perspective, both types of Measurement Tasks potentially expose the description of Internet access service and specific service parameters, such as the Subscriber rate and type of access. Section 5 and some example Measurement Tasks, and it identifies specific sensitive information that must be secured during communication for each case. With the protocol-related sensitive information identified, we can better consider the threats described in the following section. From the privacy perspective, all entities participating in LMAP protocols can be considered "observers" according to the definition in [RFC6973]. Their stored information potentially poses a threat to privacy, especially if one or more of these functional entities has been compromised. Likewise, all devices on the paths used for control, reporting, and measurement are also observers. Section 5.1 provides the communication model for the Bootstrapping process. Although the specification of mechanisms for Bootstrapping the MA are beyond the scope of the initial LMAP work, designers should recognise that the Bootstrapping process is extremely powerful and could cause an MA to join a new or different LMAP system with a different Controller and Collector, or simply install new Metrics with associated Measurement Methods (for example, to record DNS queries). A Bootstrap attack could result in a breach of the LMAP system with significant sensitive information exposure depending on the
capabilities of the MA, so sufficient security protections are warranted. The Bootstrapping process provides sensitive information about the LMAP system and the organisation that operates it, such as o the MA's identifier (MA-ID) o the address that identifies the Control Channel, such as the Controller's FQDN o Security information for the Control Channel During the Bootstrap process for an MA located at a single Subscriber's service demarcation point, the MA receives an MA-ID, which is a persistent pseudonym for the Subscriber. Thus, the MA-ID is considered sensitive information because it could provide the link between Subscriber identification and Measurements Results. Also, the Bootstrap process could assign a Group-ID to the MA. The specific definition of information represented in a Group-ID is to be determined, but several examples are envisaged including use as a pseudonym for a set of Subscribers, a class of service, an access technology, or other important categories. Assignment of a Group-ID enables anonymisation sets to be formed on the basis of service type/grade/rates. Thus, the mapping between Group-ID and MA-ID is considered sensitive information. Section 5.2. The primary purpose of this exchange is to authenticate and task a Measurement Agent with Measurement Instructions, which the Measurement Agent then acts on autonomously. Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged with a capability request, then measurement-related information of interest such as the parameters, schedule, metrics, and IP addresses of measurement devices. Thus, the measurement Instruction contains sensitive information that must be secured. For example, the fact that an ISP is running additional measurements beyond the set reported externally is sensitive information, as are the additional Measurements Tasks themselves. The Measurement Schedule is also sensitive, because an attacker intending to bias the results without being detected can use this information to great advantage.
An organisation operating the Controller having no service relationship with a user who hosts the Measurement Agent *could* gain real-name mapping to a public IP address through user participation in an LMAP system (this applies to the Measurement Collection protocol, as well). Section 5.4. The primary purpose of this exchange is to authenticate and collect Measurement Results from an MA, which the MA has measured autonomously and stored. The Measurement Results are the additional sensitive information included in the Collector-MA exchange. Organisations collecting LMAP measurements have responsibility for data control. Thus, the Results and other information communicated in the Collector protocol must be secured. figures below by indicating the possible presence of a NAT, which has additional significance to the protocols and direction of initiation. The various messages are optional, depending on the nature of the Measurement Method. It may involve sending Measurement Traffic from the Measurement Peer to MA, MA to Measurement Peer, or both. Similarly, a second (or more) MAs may be involved. (Note: For simplicity, Figure 11 and the description don't show the non-LMAP functionality that is associated with the transfer of the Measurement Traffic and is located at the devices with the MA and MP.)
_________________ _________________ | | | | |Measurement Peer |=========== NAT ? ==========|Measurement Agent| |_________________| |_________________| <- (Key Negotiation & Encryption Setup) (Encrypted Channel -> Established) (Announce capabilities -> & status) <- (Select capabilities) ACK -> <- (Measurement Request (MA+MP IPAddrs,set of Metrics, Schedule)) ACK -> Measurement Traffic <> Measurement Traffic (may/may not be encrypted) (may/may not be encrypted) <- (Stop Measurement Task) Measurement Results -> (if applicable) <- ACK, Close Figure 11: Interactions between Measurement Peer and Measurement Agent This exchange primarily exposes the IP addresses of measurement devices and the inference of measurement participation from such traffic. There may be sensitive information on key points in a service provider's network included. There may also be access to measurement-related information of interest such as the Metrics, Schedule, and intermediate results carried in the Measurement Traffic (usually a set of timestamps). The Measurement Peer may be able to use traffic analysis (perhaps combined with traffic injection) to obtain interesting insights about the Subscriber. As a simple example, if the Measurement Task includes a pre-check that the end user isn't already sending traffic, the Measurement Peer may be able to deduce when the Subscriber is away on holiday. If the Measurement Traffic is unencrypted, as found in many systems today, then both timing and limited results are open to on-path observers.
Figure 12 illustrates the collection of user information of interest with the Measurement Agent performing the monitoring and storage of the Results. This particular exchange is for measurement of DNS Response Time, which most frequently uses UDP transport. (Note: For simplicity, Figure 12 and its description do not show the non-LMAP functionality that is associated with the transfer (export) of the observed Measurement Traffic beyond the measurement devices located with the MA.) _________________ ____________ | | | | | DNS Server |=========== NAT ? ==========*=======| User client| |_________________| ^ |____________| ______|_______ | | | Measurement | | Agent | |______________| <- Name Resolution Required (MA+MP IPAddrs, Desired Domain Name) Return Record -> MA: Measurement Agent MP: Measurement Peer Figure 12: LMAP deployment example, with Measurement Agent monitoring DNS response time In this particular example, the MA monitors DNS messages in order to measure the DNS response time. The Measurement Agent may be embedded in the user host, or it may be located in another device capable of observing user traffic. The MA learns the IP addresses of measurement devices and the intent to communicate with or access the services of a particular domain name, and perhaps also information on key points in a service provider's network, such as the address of one of its DNS servers.
In principle, any of the user sensitive information of interest (listed above) can be collected and stored in the monitoring scenario and so must be secured. It would also be possible for a Measurement Agent to source the DNS query itself, and then there are not many privacy concerns. RFC6973] apply to the LMAP entities and their communication and storage of "information of interest". DoS and other attacks described in the Security section represent threats as well, and these attacks are more effective when sensitive information protections have been compromised. Section 5.1.1 of [RFC6973] describes surveillance as the "observation or monitoring of an individual's communications or activities." Hence, all Measurement Methods that measure user traffic are a form of surveillance, with inherent risks. Measurement Methods that avoid periods of user transmission indirectly produce a record of times when a subscriber or authorised user has used their network access service. Measurement Methods may also utilise and store a Subscriber's currently assigned IP address when conducting measurements that are relevant to a specific Subscriber. Since the Measurement Results are timestamped, they could provide a record of IP address assignments over time. Either of the above pieces of information could be useful in correlation and identification, as described below.
Section 5.1.2 of [RFC6973] describes Stored Data Compromise as resulting from inadequate measures to secure stored data from unauthorised or inappropriate access. For LMAP systems, this includes deleting or modifying collected measurement records, as well as data theft. The primary LMAP entity subject to compromise is the repository, which stores the Measurement Results; extensive security and privacy threat mitigations are warranted. The Collector and MA also store sensitive information temporarily and need protection. The communications between the local storage of the Collector and the repository is beyond the scope of the initial LMAP work, though this communications channel will certainly need protection as will the mass storage itself. The LMAP Controller may have direct access to storage of Subscriber information (for example, location, billing, service parameters, etc.) and other information that the controlling organisation considers private and again needs protection. Note that there is tension between the desire to store all raw results in the LMAP Collector (for reproduction and custom analysis) and the need to protect the privacy of measurement participants. Many of the mitigations described in Section 8.6 are most efficient when deployed at the MA, therefore minimising the risks associated with stored results. Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as combining various pieces of information to obtain desired characteristics of an individual, and identification as using this combination to infer identity. The main risk is that the LMAP system could unwittingly provide a key piece of the correlation chain, starting with an unknown Subscriber's IP address and another piece of information. For example, a Subscriber utilised Internet access from 2000 to 2310 UTC, because the Measurement Tasks were deferred or sent a name resolution for www.example.com at 2300 UTC. If a user's access with another system already gave away sensitive information, correlation is clearly easier and can result in re-identification, even when an LMAP system conserves sensitive information to great extent.
Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as unauthorised utilisation of an individual's information for a purpose the individual did not intend, and disclosure as when such information is revealed causing another's notions of the individual to change or confidentiality to be violated. Measurement Methods that measure user traffic are a form of secondary use, and the Subscribers' permission should be obtained beforehand. It may be necessary to obtain the measured ISP's permission to conduct measurements (for example, when required by the terms and conditions of the service agreement) and notification is considered good measurement practice. For Measurement Methods that measure Measurement Traffic the Measurement Results provide some limited information about the Subscriber or ISP and could result in secondary uses. For example, the use of the Results in unauthorised marketing campaigns would qualify as secondary use. Secondary use may break national laws and regulations, and may violate an individual's expectations or desires. Section 6 of [RFC6973] and their applicability to LMAP systems. Note that each section in [RFC6973] identifies the threat categories that each technique mitigates. Section 6.1 of [RFC6973] encourages collecting and storing the minimal information needed to perform a task. LMAP Results can be useful for general reporting about performance and for specific troubleshooting. They need different levels of information detail, as explained in the paragraphs below. For general reporting, the results can be aggregated into large categories (for example, the month of March, all US subscribers West of the Mississippi River). In this case, all individual identifications (including IP address of the MA) can be excluded, and only relevant results are provided. However, this implies a filtering process to reduce the information fields, because greater detail was needed to conduct the Measurement Tasks in the first place.
For troubleshooting, so that a network operator or end user can identify a performance issue or failure, potentially all the network information (for example, IP addresses, equipment IDs, location), Measurement Schedules, service configurations, Measurement Results, and other information may assist in the process. This includes the information needed to conduct the Measurements Tasks, and represents a need where the maximum relevant information is desirable; therefore, the greatest protections should be applied. This level of detail is greater than needed for general performance monitoring. As regards Measurement Methods that measure user traffic, we note that a user may give temporary permission (to enable detailed troubleshooting), but withhold permission for them in general. Here the greatest breadth of sensitive information is potentially exposed, and the maximum privacy protection must be provided. The Collector may perform pre-storage minimisation and other mitigations (Section 8.6.4) to help preserve privacy. For MAs with access to the sensitive information of users (for example, within a home or a personal host/handset), it is desirable for the Results collection to minimise the data reported, but also to balance this desire with the needs of troubleshooting when a service subscription exists between the user and organisation operating the measurements. Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in which anonymity is achieved: "there must exist a set of individuals that appear to have the same attribute(s) as the individual." Experimental methods for anonymisation of user-identifiable data (and so particularly applicable to Measurement Methods that measure user traffic) have been identified in [RFC6235]. However, the findings of several of the same authors is that "there is increasing evidence that anonymization applied to network trace or flow data on its own is insufficient for many data protection applications as in [Bur10]." Essentially, the details of such Measurement Methods can only be accessed by closed organisations, and unknown injection attacks are always less expensive than the protections from them. However, some forms of summary may protect the user's sensitive information sufficiently well, and so each Metric must be evaluated in the light of privacy. The techniques in [RFC6235] could be applied more successfully in Measurement Methods that generate Measurement Traffic, where there are protections from injection attack. The successful attack would require breaking the integrity protection of the LMAP Reporting
Protocol and injecting Measurement Results (known fingerprint, see Section 3.2 of [RFC6973]) for inclusion with the shared and anonymised results, then fingerprinting those records to ascertain the anonymisation process. Beside anonymisation of measured Results for a specific user or provider, the value of sensitive information can be further diluted by summarising the Results over many individuals or areas served by the provider. There is an opportunity enabled by forming anonymity sets [RFC6973] based on the reference path measurement points in [RFC7398]. For example, all measurements from a Subscriber device can be identified as "mp000", instead of using the IP address or other device information. The same anonymisation applies to the Internet Service Provider, where their Internet gateway would be referred to as "mp190". Another anonymisation technique is for the MA to include its Group-ID instead of its MA-ID in its Measurement Reports, with several MAs sharing the same Group-ID. Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, are a possible mitigation to revealing one's true identity, since there is no requirement to use real names in almost all protocols. A pseudonym for a measurement device's IP address could be an LMAP-unique equipment ID. However, this would likely be a permanent handle for the device, and long-term use weakens a pseudonym's power to obscure identity. Sections 6.2 and 6.3 of [RFC6973] describe user participation and security, respectively. Where LMAP measurements involve devices on the subscriber's premises or Subscriber-owned equipment, it is essential to secure the Subscriber's permission with regard to the specific information that will be collected. The informed consent of the Subscriber (and, if different, the end user) may be needed, including the specific purpose of the measurements. The approval process could involve showing the Subscriber their measured information and results before instituting periodic collection, or before all instances of
[RFC1035] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, November 1987, <http://www.rfc-editor.org/info/rfc1035>. [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, DOI 10.17487/RFC3444, January 2003, <http://www.rfc-editor.org/info/rfc3444>. [RFC4101] Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101, DOI 10.17487/RFC4101, June 2005, <http://www.rfc-editor.org/info/rfc4101>. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, <http://www.rfc-editor.org/info/rfc4122>. [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. Zekauskas, "A One-way Active Measurement Protocol (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006, <http://www.rfc-editor.org/info/rfc4656>. [RFC5357] Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J. Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)", RFC 5357, DOI 10.17487/RFC5357, October 2008, <http://www.rfc-editor.org/info/rfc5357>. [RFC6235] Boschi, E. and B. Trammell, "IP Flow Anonymization Support", RFC 6235, DOI 10.17487/RFC6235, May 2011, <http://www.rfc-editor.org/info/rfc6235>. [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <http://www.rfc-editor.org/info/rfc6241>. [RFC6419] Wasserman, M. and P. Seite, "Current Practices for Multiple-Interface Hosts", RFC 6419, DOI 10.17487/RFC6419, November 2011, <http://www.rfc-editor.org/info/rfc6419>. [RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013, <http://www.rfc-editor.org/info/rfc6887>.
[RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, July 2013, <http://www.rfc-editor.org/info/rfc6973>. [RFC7011] Claise, B., Ed., Trammell, B., Ed., and P. Aitken, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information", STD 77, RFC 7011, DOI 10.17487/RFC7011, September 2013, <http://www.rfc-editor.org/info/rfc7011>. [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, <http://www.rfc-editor.org/info/rfc7258>. [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J. Weil, "IPv6 Home Networking Architecture Principles", RFC 7368, DOI 10.17487/RFC7368, October 2014, <http://www.rfc-editor.org/info/rfc7368>. [RFC7398] Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and A. Morton, "A Reference Path and Measurement Points for Large-Scale Measurement of Broadband Performance", RFC 7398, DOI 10.17487/RFC7398, February 2015, <http://www.rfc-editor.org/info/rfc7398>. [RFC7536] Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen, "Large-Scale Broadband Measurement Use Cases", RFC 7536, DOI 10.17487/RFC7536, May 2015, <http://www.rfc-editor.org/info/rfc7536>. [TR-069] The Broadband Forum, "CPE WAN Management Protocol", TR-069 Amendment 5, November 2013, <https://www.broadband-forum.org/technical/download/ TR-069_Amendment-5.pdf>. [UPnP] UPnP Forum, "UPnP Device Architecture 2.0", February 2015, <http://www.iso.org/iso/home/store/catalogue_ics/ catalogue_detail_ics.htm?csnumber=57195>.
Marcelo Bagnulo Universidad Carlos III de Madrid Av. Universidad 30 Leganes, Madrid 28911 Spain Phone: 34 91 6249500 Email: email@example.com URI: http://www.it.uc3m.es Trevor Burbridge BT Adastral Park, Martlesham Heath Ipswich England Email: firstname.lastname@example.org Paul Aitken Brocade Communications Systems, Inc. 19a Canning Street, Level 3 Edinburgh, Scotland EH3 8EG United Kingdom Email: email@example.com Aamer Akhter Consultant 118 Timber Hitch Cary, NC United States Email: firstname.lastname@example.org