Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7594

A Framework for Large-Scale Measurement of Broadband Performance (LMAP)

Pages: 55
Informational
Part 3 of 3 – Pages 36 to 55
First   Prev   None

Top   ToC   RFC7594 - Page 36   prevText

7. Security Considerations

The security of the LMAP framework should protect the interests of the measurement operator(s), the network user(s), and other actors who could be impacted by a compromised measurement deployment. The Measurement System must secure the various components of the system from unauthorised access or corruption. Much of the general advice contained in Section 6 of [RFC4656] is applicable here. The process to upgrade the firmware in an MA is outside the scope of the initial LMAP work, just as is the protocol to Bootstrap the MAs. However, systems that provide remote upgrades must secure authorised access and integrity of the process. We assume that each Measurement Agent (MA) will receive its Instructions from a single organisation, which operates the Controller. These Instructions must be authenticated (to ensure that they come from the trusted Controller), checked for integrity (to ensure no one has tampered with them), and not vulnerable to replay attacks. If a malicious party can gain control of the MA, they can use it to launch denial-of-service (DoS) attacks at targets, create a platform for pervasive monitoring [RFC7258], reduce the end-user's quality of experience, and corrupt the Measurement Results that are reported to the Collector. By altering the Measurement Tasks and/or the address that Results are reported to, they can also compromise
Top   ToC   RFC7594 - Page 37
   the confidentiality of the network user and the MA environment (such
   as information about the location of devices or their traffic).  The
   Instruction Messages also need to be encrypted to maintain
   confidentiality, as the information might be useful to an attacker.

   Reporting by the MA must be encrypted to maintain confidentiality, so
   that only the authorised Collector can decrypt the results to prevent
   the leakage of confidential or private information.  Reporting must
   also be authenticated (to ensure that it comes from a trusted MA and
   that the MA reports to a genuine Collector) and not vulnerable to
   tampering (which can be ensured through integrity and replay checks).
   It must not be possible to fool an MA into injecting falsified data
   and the results must also be held and processed securely after
   collection and analysis.  See Section 8.5.2 for additional
   considerations on stored data compromise, and Section 8.6 on
   potential mitigations for compromise.

   Since Collectors will be contacted repeatedly by MAs using the Report
   Protocol to convey their recent results, a successful attack to
   exhaust the communication resources would prevent a critical
   operation: reporting.  Therefore, all LMAP Collectors should
   implement technical mechanisms to:

   o  limit the number of reporting connections from a single MA
      (simultaneous and established in some time period).

   o  limit the transmission rate from a single MA.

   o  limit the memory/storage consumed by a single MA's reports.

   o  efficiently reject reporting connections from unknown sources.

   o  separate resources if multiple authentication strengths are used,
      where the resources should be separated according to each class of
      strength.

   A corrupted MA could report falsified information to the Collector.
   Whether this can be effectively mitigated depends on the platform on
   which the MA is deployed.  However, where the MA is deployed on a
   customer-controlled device, then the reported data is to some degree
   inherently untrustworthy.  Further, a sophisticated party could
   distort some Measurement Methods, perhaps by dropping or delaying
   packets for example.  This suggests that the network operator should
   be cautious about relying on Measurement Results for action such as
   refunding fees if a service level agreement is not met.

   As part of the protocol design, it will be decided how LMAP operates
   over the underlying protocol (Section 5.5).  The choice raises
Top   ToC   RFC7594 - Page 38
   various security issues, such as how to operate through a NAT and how
   to protect the Controller and Collector from DoS attacks.

   The security mechanisms described above may not be strictly necessary
   if the network's design ensures the LMAP components and their
   communications are already secured, for example potentially if they
   are all part of an ISP's dedicated management network.

   Finally, there are three other issues related to security: privacy
   (considered in Section 8), availability, and "gaming the system".
   While the loss of some MAs may not be considered critical, the
   unavailability of the Collector could mean that valuable business
   data or data critical to a regulatory process is lost.  Similarly,
   the unavailability of a Controller could mean that the MAs do not
   operate a correct Measurement Schedule.

   A malicious party could "game the system".  For example, where a
   regulator is running a Measurement System in order to benchmark
   operators, an operator could try to identify the broadband lines that
   the regulator was measuring and prioritise that traffic.  Normally,
   this potential issue is handled by a code of conduct.  It is outside
   the scope of the initial LMAP work to consider the issue.

8. Privacy Considerations

The LMAP work considers privacy a core requirement and will ensure that by default the Control and Report Protocols operate in a privacy-sensitive manner and that privacy features are well defined. This section provides a set of privacy considerations for LMAP. This section benefits greatly from the publication of [RFC6973]. Privacy and security (Section 7) are related. In some jurisdictions, privacy is called data protection. We begin with a set of assumptions related to protecting the sensitive information of individuals and organisations participating in LMAP-orchestrated measurement and data collection.

8.1. Categories of Entities with Information of Interest

LMAP protocols need to protect the sensitive information of the following entities, including individuals and organisations who participate in measurement and collection of results. o Individual Internet users: Persons who utilise Internet access services for communications tasks, according to the terms of service of a service agreement. Such persons may be a service
Top   ToC   RFC7594 - Page 39
      Subscriber, or have been given permission by the Subscriber to use
      the service.

   o  Internet service providers: Organisations that offer Internet
      access service subscriptions, and thus have access to sensitive
      information of individuals who choose to use the service.  These
      organisations desire to protect their Subscribers and their own
      sensitive information, which may be stored in the process of
      performing Measurement Tasks and collecting Results.

   o  Regulators: Public authorities responsible for exercising
      supervision of the electronic communications sector, and which may
      have access to sensitive information of individuals who
      participate in a measurement campaign.  Similarly, regulators
      desire to protect the participants and their own sensitive
      information.

   o  Other LMAP system operators: Organisations who operate Measurement
      Systems or participate in measurements in some way.

   Although privacy is a protection extended to individuals, we discuss
   data protection by ISPs and other LMAP system operators in this
   section.  These organisations have sensitive information involved in
   the LMAP system, and many of the same dangers and mitigations are
   applicable.  Further, the ISPs store information on their Subscribers
   beyond that used in the LMAP system (for example, billing
   information), and there should be a benefit in considering all the
   needs and potential solutions coherently.

8.2. Examples of Sensitive Information

This section gives examples of sensitive information that may be measured or stored in a Measurement System, and that is to be kept private by default in the LMAP core protocols. Examples of Subscriber or authorised Internet user sensitive information: o Sub-IP-layer addresses and names (MAC address, base station ID, SSID) o IP address in use o Personal Identification (real name) o Location (street address, city) o Subscribed service parameters
Top   ToC   RFC7594 - Page 40
   o  Contents of traffic (activity, DNS queries, destinations,
      equipment types, account info for other services, etc.)

   o  Status as a study volunteer and Schedule of Measurement Tasks

   Examples of Internet Service Provider sensitive information:

   o  Measurement device identification (equipment ID and IP address)

   o  Measurement Instructions (choice of measurements)

   o  Measurement Results (some may be shared, others may be private)

   o  Measurement Schedule (exact times)

   o  Network topology (locations, connectivity, redundancy)

   o  Subscriber billing information, and any of the above Subscriber
      information known to the provider.

   o  Authentication credentials (such as certificates)

   Other organisations will have some combination of the lists above.
   The LMAP system would not typically expose all of the information
   above, but could expose a combination of items that could be
   correlated with other pieces collected by an attacker (as discussed
   in Section 8.5 on Threats).

8.3. Different Privacy Issues Raised by Different Sorts of Measurement Methods

Measurement Methods raise different privacy issues depending on whether they measure traffic created specifically for that purpose or whether they measure user traffic. Measurement Tasks conducted on user traffic store sensitive information, however briefly this storage may be. We note that some authorities make a distinction on time of storage, and information that is kept only temporarily to perform a communications function is not subject to regulation (for example, active queue management, deep packet inspection). Such Measurement Tasks could reveal all the websites a Subscriber visits and the applications and/or services they use. This issue is not specific to LMAP. For instance, IPFIX has discussed similar issues (see Section 11.8 of [RFC7011]), but mitigations described in the sections below were considered beyond their scope.
Top   ToC   RFC7594 - Page 41
   In contrast to Measurement Tasks conducted on user traffic, other
   Measurement Tasks use traffic which is created specifically for the
   purpose of measurement.  Even if a user host generates Measurement
   Traffic, there is limited sensitive information about the Subscriber
   present and stored in the Measurement System:

   o  IP address in use (and possibly sub-IP addresses and names)

   o  Status as a study volunteer and Schedule of Measurement Tasks

   On the other hand, for a service provider, the sensitive information
   like Measurement Results is the same for all Measurement Tasks.

   From the Subscriber perspective, both types of Measurement Tasks
   potentially expose the description of Internet access service and
   specific service parameters, such as the Subscriber rate and type of
   access.

8.4. Privacy Analysis of the Communication Models

This section examines each of the protocol exchanges described at a high level in Section 5 and some example Measurement Tasks, and it identifies specific sensitive information that must be secured during communication for each case. With the protocol-related sensitive information identified, we can better consider the threats described in the following section. From the privacy perspective, all entities participating in LMAP protocols can be considered "observers" according to the definition in [RFC6973]. Their stored information potentially poses a threat to privacy, especially if one or more of these functional entities has been compromised. Likewise, all devices on the paths used for control, reporting, and measurement are also observers.

8.4.1. MA Bootstrapping

Section 5.1 provides the communication model for the Bootstrapping process. Although the specification of mechanisms for Bootstrapping the MA are beyond the scope of the initial LMAP work, designers should recognise that the Bootstrapping process is extremely powerful and could cause an MA to join a new or different LMAP system with a different Controller and Collector, or simply install new Metrics with associated Measurement Methods (for example, to record DNS queries). A Bootstrap attack could result in a breach of the LMAP system with significant sensitive information exposure depending on the
Top   ToC   RFC7594 - Page 42
   capabilities of the MA, so sufficient security protections are
   warranted.

   The Bootstrapping process provides sensitive information about the
   LMAP system and the organisation that operates it, such as

   o  the MA's identifier (MA-ID)

   o  the address that identifies the Control Channel, such as the
      Controller's FQDN

   o  Security information for the Control Channel

   During the Bootstrap process for an MA located at a single
   Subscriber's service demarcation point, the MA receives an MA-ID,
   which is a persistent pseudonym for the Subscriber.  Thus, the MA-ID
   is considered sensitive information because it could provide the link
   between Subscriber identification and Measurements Results.

   Also, the Bootstrap process could assign a Group-ID to the MA.  The
   specific definition of information represented in a Group-ID is to be
   determined, but several examples are envisaged including use as a
   pseudonym for a set of Subscribers, a class of service, an access
   technology, or other important categories.  Assignment of a Group-ID
   enables anonymisation sets to be formed on the basis of service
   type/grade/rates.  Thus, the mapping between Group-ID and MA-ID is
   considered sensitive information.

8.4.2. Controller <-> Measurement Agent

The high-level communication model for interactions between the LMAP Controller and Measurement Agent is illustrated in Section 5.2. The primary purpose of this exchange is to authenticate and task a Measurement Agent with Measurement Instructions, which the Measurement Agent then acts on autonomously. Primarily, IP addresses and pseudonyms (MA-ID, Group-ID) are exchanged with a capability request, then measurement-related information of interest such as the parameters, schedule, metrics, and IP addresses of measurement devices. Thus, the measurement Instruction contains sensitive information that must be secured. For example, the fact that an ISP is running additional measurements beyond the set reported externally is sensitive information, as are the additional Measurements Tasks themselves. The Measurement Schedule is also sensitive, because an attacker intending to bias the results without being detected can use this information to great advantage.
Top   ToC   RFC7594 - Page 43
   An organisation operating the Controller having no service
   relationship with a user who hosts the Measurement Agent *could* gain
   real-name mapping to a public IP address through user participation
   in an LMAP system (this applies to the Measurement Collection
   protocol, as well).

8.4.3. Collector <-> Measurement Agent

The high-level communication model for interactions between the Measurement Agent and Collector is illustrated in Section 5.4. The primary purpose of this exchange is to authenticate and collect Measurement Results from an MA, which the MA has measured autonomously and stored. The Measurement Results are the additional sensitive information included in the Collector-MA exchange. Organisations collecting LMAP measurements have responsibility for data control. Thus, the Results and other information communicated in the Collector protocol must be secured.

8.4.4. Measurement Peer <-> Measurement Agent

A Measurement Method involving Measurement Traffic raises potential privacy issues, although the specification of the mechanisms is beyond the scope of the initial LMAP work. The high-level communications model below illustrates the various exchanges to execute such a Measurement Method and store the Results. We note the potential for additional observers in the figures below by indicating the possible presence of a NAT, which has additional significance to the protocols and direction of initiation. The various messages are optional, depending on the nature of the Measurement Method. It may involve sending Measurement Traffic from the Measurement Peer to MA, MA to Measurement Peer, or both. Similarly, a second (or more) MAs may be involved. (Note: For simplicity, Figure 11 and the description don't show the non-LMAP functionality that is associated with the transfer of the Measurement Traffic and is located at the devices with the MA and MP.)
Top   ToC   RFC7594 - Page 44
    _________________                              _________________
   |                 |                            |                 |
   |Measurement Peer |=========== NAT ? ==========|Measurement Agent|
   |_________________|                            |_________________|

                                  <-              (Key Negotiation &
                                                   Encryption Setup)
   (Encrypted Channel             ->
   Established)
   (Announce capabilities         ->
   & status)
                                  <-             (Select capabilities)
   ACK                            ->
                                  <-              (Measurement Request
                                                 (MA+MP IPAddrs,set of
                                                   Metrics, Schedule))
   ACK                            ->

   Measurement Traffic            <>              Measurement Traffic
   (may/may not be encrypted)               (may/may not be encrypted)

                                  <-           (Stop Measurement Task)

   Measurement Results            ->
   (if applicable)
                                  <-                       ACK, Close

     Figure 11: Interactions between Measurement Peer and Measurement
                                   Agent

   This exchange primarily exposes the IP addresses of measurement
   devices and the inference of measurement participation from such
   traffic.  There may be sensitive information on key points in a
   service provider's network included.  There may also be access to
   measurement-related information of interest such as the Metrics,
   Schedule, and intermediate results carried in the Measurement Traffic
   (usually a set of timestamps).

   The Measurement Peer may be able to use traffic analysis (perhaps
   combined with traffic injection) to obtain interesting insights about
   the Subscriber.  As a simple example, if the Measurement Task
   includes a pre-check that the end user isn't already sending traffic,
   the Measurement Peer may be able to deduce when the Subscriber is
   away on holiday.

   If the Measurement Traffic is unencrypted, as found in many systems
   today, then both timing and limited results are open to on-path
   observers.
Top   ToC   RFC7594 - Page 45

8.4.5. Measurement Agent

Some Measurement Methods only involve a single Measurement Agent observing existing traffic. They raise potential privacy issues, although the specification of the mechanisms is beyond the scope of the initial LMAP work. The high-level communications model shown in Figure 12 illustrates the collection of user information of interest with the Measurement Agent performing the monitoring and storage of the Results. This particular exchange is for measurement of DNS Response Time, which most frequently uses UDP transport. (Note: For simplicity, Figure 12 and its description do not show the non-LMAP functionality that is associated with the transfer (export) of the observed Measurement Traffic beyond the measurement devices located with the MA.) _________________ ____________ | | | | | DNS Server |=========== NAT ? ==========*=======| User client| |_________________| ^ |____________| ______|_______ | | | Measurement | | Agent | |______________| <- Name Resolution Required (MA+MP IPAddrs, Desired Domain Name) Return Record -> MA: Measurement Agent MP: Measurement Peer Figure 12: LMAP deployment example, with Measurement Agent monitoring DNS response time In this particular example, the MA monitors DNS messages in order to measure the DNS response time. The Measurement Agent may be embedded in the user host, or it may be located in another device capable of observing user traffic. The MA learns the IP addresses of measurement devices and the intent to communicate with or access the services of a particular domain name, and perhaps also information on key points in a service provider's network, such as the address of one of its DNS servers.
Top   ToC   RFC7594 - Page 46
   In principle, any of the user sensitive information of interest
   (listed above) can be collected and stored in the monitoring scenario
   and so must be secured.

   It would also be possible for a Measurement Agent to source the DNS
   query itself, and then there are not many privacy concerns.

8.4.6. Storage and Reporting of Measurement Results

Although the mechanisms for communicating results (beyond the initial Collector) are beyond the scope of the initial LMAP work, there are potential privacy issues related to a single organisation's storage and reporting of Measurement Results. Both storage and reporting functions can help to preserve privacy by implementing the mitigations described below.

8.5. Threats

This section indicates how each of the threats described in [RFC6973] apply to the LMAP entities and their communication and storage of "information of interest". DoS and other attacks described in the Security section represent threats as well, and these attacks are more effective when sensitive information protections have been compromised.

8.5.1. Surveillance

Section 5.1.1 of [RFC6973] describes surveillance as the "observation or monitoring of an individual's communications or activities." Hence, all Measurement Methods that measure user traffic are a form of surveillance, with inherent risks. Measurement Methods that avoid periods of user transmission indirectly produce a record of times when a subscriber or authorised user has used their network access service. Measurement Methods may also utilise and store a Subscriber's currently assigned IP address when conducting measurements that are relevant to a specific Subscriber. Since the Measurement Results are timestamped, they could provide a record of IP address assignments over time. Either of the above pieces of information could be useful in correlation and identification, as described below.
Top   ToC   RFC7594 - Page 47

8.5.2. Stored Data Compromise

Section 5.1.2 of [RFC6973] describes Stored Data Compromise as resulting from inadequate measures to secure stored data from unauthorised or inappropriate access. For LMAP systems, this includes deleting or modifying collected measurement records, as well as data theft. The primary LMAP entity subject to compromise is the repository, which stores the Measurement Results; extensive security and privacy threat mitigations are warranted. The Collector and MA also store sensitive information temporarily and need protection. The communications between the local storage of the Collector and the repository is beyond the scope of the initial LMAP work, though this communications channel will certainly need protection as will the mass storage itself. The LMAP Controller may have direct access to storage of Subscriber information (for example, location, billing, service parameters, etc.) and other information that the controlling organisation considers private and again needs protection. Note that there is tension between the desire to store all raw results in the LMAP Collector (for reproduction and custom analysis) and the need to protect the privacy of measurement participants. Many of the mitigations described in Section 8.6 are most efficient when deployed at the MA, therefore minimising the risks associated with stored results.

8.5.3. Correlation and Identification

Sections 5.2.1 and 5.2.2 of [RFC6973] describe correlation as combining various pieces of information to obtain desired characteristics of an individual, and identification as using this combination to infer identity. The main risk is that the LMAP system could unwittingly provide a key piece of the correlation chain, starting with an unknown Subscriber's IP address and another piece of information. For example, a Subscriber utilised Internet access from 2000 to 2310 UTC, because the Measurement Tasks were deferred or sent a name resolution for www.example.com at 2300 UTC. If a user's access with another system already gave away sensitive information, correlation is clearly easier and can result in re-identification, even when an LMAP system conserves sensitive information to great extent.
Top   ToC   RFC7594 - Page 48

8.5.4. Secondary Use and Disclosure

Sections 5.2.3 and 5.2.4 of [RFC6973] describe secondary use as unauthorised utilisation of an individual's information for a purpose the individual did not intend, and disclosure as when such information is revealed causing another's notions of the individual to change or confidentiality to be violated. Measurement Methods that measure user traffic are a form of secondary use, and the Subscribers' permission should be obtained beforehand. It may be necessary to obtain the measured ISP's permission to conduct measurements (for example, when required by the terms and conditions of the service agreement) and notification is considered good measurement practice. For Measurement Methods that measure Measurement Traffic the Measurement Results provide some limited information about the Subscriber or ISP and could result in secondary uses. For example, the use of the Results in unauthorised marketing campaigns would qualify as secondary use. Secondary use may break national laws and regulations, and may violate an individual's expectations or desires.

8.6. Mitigations

This section examines the mitigations listed in Section 6 of [RFC6973] and their applicability to LMAP systems. Note that each section in [RFC6973] identifies the threat categories that each technique mitigates.

8.6.1. Data Minimisation

Section 6.1 of [RFC6973] encourages collecting and storing the minimal information needed to perform a task. LMAP Results can be useful for general reporting about performance and for specific troubleshooting. They need different levels of information detail, as explained in the paragraphs below. For general reporting, the results can be aggregated into large categories (for example, the month of March, all US subscribers West of the Mississippi River). In this case, all individual identifications (including IP address of the MA) can be excluded, and only relevant results are provided. However, this implies a filtering process to reduce the information fields, because greater detail was needed to conduct the Measurement Tasks in the first place.
Top   ToC   RFC7594 - Page 49
   For troubleshooting, so that a network operator or end user can
   identify a performance issue or failure, potentially all the network
   information (for example, IP addresses, equipment IDs, location),
   Measurement Schedules, service configurations, Measurement Results,
   and other information may assist in the process.  This includes the
   information needed to conduct the Measurements Tasks, and represents
   a need where the maximum relevant information is desirable;
   therefore, the greatest protections should be applied.  This level of
   detail is greater than needed for general performance monitoring.

   As regards Measurement Methods that measure user traffic, we note
   that a user may give temporary permission (to enable detailed
   troubleshooting), but withhold permission for them in general.  Here
   the greatest breadth of sensitive information is potentially exposed,
   and the maximum privacy protection must be provided.  The Collector
   may perform pre-storage minimisation and other mitigations
   (Section 8.6.4) to help preserve privacy.

   For MAs with access to the sensitive information of users (for
   example, within a home or a personal host/handset), it is desirable
   for the Results collection to minimise the data reported, but also to
   balance this desire with the needs of troubleshooting when a service
   subscription exists between the user and organisation operating the
   measurements.

8.6.2. Anonymity

Section 6.1.1 of [RFC6973] describes an "anonymity set" as a way in which anonymity is achieved: "there must exist a set of individuals that appear to have the same attribute(s) as the individual." Experimental methods for anonymisation of user-identifiable data (and so particularly applicable to Measurement Methods that measure user traffic) have been identified in [RFC6235]. However, the findings of several of the same authors is that "there is increasing evidence that anonymization applied to network trace or flow data on its own is insufficient for many data protection applications as in [Bur10]." Essentially, the details of such Measurement Methods can only be accessed by closed organisations, and unknown injection attacks are always less expensive than the protections from them. However, some forms of summary may protect the user's sensitive information sufficiently well, and so each Metric must be evaluated in the light of privacy. The techniques in [RFC6235] could be applied more successfully in Measurement Methods that generate Measurement Traffic, where there are protections from injection attack. The successful attack would require breaking the integrity protection of the LMAP Reporting
Top   ToC   RFC7594 - Page 50
   Protocol and injecting Measurement Results (known fingerprint, see
   Section 3.2 of [RFC6973]) for inclusion with the shared and
   anonymised results, then fingerprinting those records to ascertain
   the anonymisation process.

   Beside anonymisation of measured Results for a specific user or
   provider, the value of sensitive information can be further diluted
   by summarising the Results over many individuals or areas served by
   the provider.  There is an opportunity enabled by forming anonymity
   sets [RFC6973] based on the reference path measurement points in
   [RFC7398].  For example, all measurements from a Subscriber device
   can be identified as "mp000", instead of using the IP address or
   other device information.  The same anonymisation applies to the
   Internet Service Provider, where their Internet gateway would be
   referred to as "mp190".

   Another anonymisation technique is for the MA to include its Group-ID
   instead of its MA-ID in its Measurement Reports, with several MAs
   sharing the same Group-ID.

8.6.3. Pseudonymity

Section 6.1.2 of [RFC6973] indicates that pseudonyms, or nicknames, are a possible mitigation to revealing one's true identity, since there is no requirement to use real names in almost all protocols. A pseudonym for a measurement device's IP address could be an LMAP-unique equipment ID. However, this would likely be a permanent handle for the device, and long-term use weakens a pseudonym's power to obscure identity.

8.6.4. Other Mitigations

Data can be depersonalised by blurring it, for example by adding synthetic data, data-swapping, or perturbing the values in ways that can be reversed or corrected. Sections 6.2 and 6.3 of [RFC6973] describe user participation and security, respectively. Where LMAP measurements involve devices on the subscriber's premises or Subscriber-owned equipment, it is essential to secure the Subscriber's permission with regard to the specific information that will be collected. The informed consent of the Subscriber (and, if different, the end user) may be needed, including the specific purpose of the measurements. The approval process could involve showing the Subscriber their measured information and results before instituting periodic collection, or before all instances of
Top   ToC   RFC7594 - Page 51
   collection, with the option to cancel collection temporarily or
   permanently.

   It should also be clear who is legally responsible for data
   protection (privacy); in some jurisdictions, this role is called the
   'data controller'.  It is always good practice to limit the time that
   personal information is stored.

   Although the details of verification would be impenetrable to most
   subscribers, the MA could be architected as an "app" with open source
   code, pre-download and embedded terms of use and agreement on
   measurements, and protection from code modifications usually provided
   by the app stores.  Further, the app itself could provide data
   reduction and temporary storage mitigations as appropriate and
   certified through code review.

   LMAP protocols, devices, and the information they store clearly need
   to be secure from unauthorised access.  This is the hand-off between
   privacy and security considerations (Section 7).  The data controller
   is responsible (legally) for maintaining data protections described
   in the Subscriber's agreement and agreements with other
   organisations.

   Finally, it is recommended that each entity described in Section 8.1,
   (for example, individuals, ISPs, regulators, others) assess the risks
   of LMAP data collection by conducting audits of their data protection
   methods.

9. Informative References

[Bur10] Burkhart, M., Schatzmann, D., Trammell, B., and E. Boschi, "The Role of Network Trace anonymisation Under Attack", January 2010. [IPPM-REG] Bagnulo, M., Claise, B., Eardley, P., Morton, A., and A. Akhter, "Registry for Performance Metrics", Work in Progress, draft-ietf-ippm-metric-registry-04, July 2015. [LMAP-INFO] Burbridge, T., Eardley, P., Bagnulo, M., and J. Schoenwaelder, "Information Model for Large-Scale Measurement Platforms (LMAP)", Work in Progress, draft-ietf-lmap-information-model-06, July 2015. [REST] Wikipedia, "Representational state transfer", July 2015, <https://en.wikipedia.org/w/index.php? title=Representational_state_transfer&oldid=673799183>.
Top   ToC   RFC7594 - Page 52
   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <http://www.rfc-editor.org/info/rfc1035>.

   [RFC3444]  Pras, A. and J. Schoenwaelder, "On the Difference between
              Information Models and Data Models", RFC 3444,
              DOI 10.17487/RFC3444, January 2003,
              <http://www.rfc-editor.org/info/rfc3444>.

   [RFC4101]  Rescorla, E. and IAB, "Writing Protocol Models", RFC 4101,
              DOI 10.17487/RFC4101, June 2005,
              <http://www.rfc-editor.org/info/rfc4101>.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005,
              <http://www.rfc-editor.org/info/rfc4122>.

   [RFC4656]  Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M.
              Zekauskas, "A One-way Active Measurement Protocol
              (OWAMP)", RFC 4656, DOI 10.17487/RFC4656, September 2006,
              <http://www.rfc-editor.org/info/rfc4656>.

   [RFC5357]  Hedayat, K., Krzanowski, R., Morton, A., Yum, K., and J.
              Babiarz, "A Two-Way Active Measurement Protocol (TWAMP)",
              RFC 5357, DOI 10.17487/RFC5357, October 2008,
              <http://www.rfc-editor.org/info/rfc5357>.

   [RFC6235]  Boschi, E. and B. Trammell, "IP Flow Anonymization
              Support", RFC 6235, DOI 10.17487/RFC6235, May 2011,
              <http://www.rfc-editor.org/info/rfc6235>.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
              <http://www.rfc-editor.org/info/rfc6241>.

   [RFC6419]  Wasserman, M. and P. Seite, "Current Practices for
              Multiple-Interface Hosts", RFC 6419, DOI 10.17487/RFC6419,
              November 2011, <http://www.rfc-editor.org/info/rfc6419>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and
              P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <http://www.rfc-editor.org/info/rfc6887>.
Top   ToC   RFC7594 - Page 53
   [RFC6973]  Cooper, A., Tschofenig, H., Aboba, B., Peterson, J.,
              Morris, J., Hansen, M., and R. Smith, "Privacy
              Considerations for Internet Protocols", RFC 6973,
              DOI 10.17487/RFC6973, July 2013,
              <http://www.rfc-editor.org/info/rfc6973>.

   [RFC7011]  Claise, B., Ed., Trammell, B., Ed., and P. Aitken,
              "Specification of the IP Flow Information Export (IPFIX)
              Protocol for the Exchange of Flow Information", STD 77,
              RFC 7011, DOI 10.17487/RFC7011, September 2013,
              <http://www.rfc-editor.org/info/rfc7011>.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258,
              May 2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7368]  Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J.
              Weil, "IPv6 Home Networking Architecture Principles",
              RFC 7368, DOI 10.17487/RFC7368, October 2014,
              <http://www.rfc-editor.org/info/rfc7368>.

   [RFC7398]  Bagnulo, M., Burbridge, T., Crawford, S., Eardley, P., and
              A. Morton, "A Reference Path and Measurement Points for
              Large-Scale Measurement of Broadband Performance",
              RFC 7398, DOI 10.17487/RFC7398, February 2015,
              <http://www.rfc-editor.org/info/rfc7398>.

   [RFC7536]  Linsner, M., Eardley, P., Burbridge, T., and F. Sorensen,
              "Large-Scale Broadband Measurement Use Cases", RFC 7536,
              DOI 10.17487/RFC7536, May 2015,
              <http://www.rfc-editor.org/info/rfc7536>.

   [TR-069]   The Broadband Forum, "CPE WAN Management Protocol", TR-069
              Amendment 5, November 2013,
              <https://www.broadband-forum.org/technical/download/
              TR-069_Amendment-5.pdf>.

   [UPnP]     UPnP Forum, "UPnP Device Architecture 2.0", February 2015,
              <http://www.iso.org/iso/home/store/catalogue_ics/
              catalogue_detail_ics.htm?csnumber=57195>.
Top   ToC   RFC7594 - Page 54

Acknowledgments

This document originated as a merger of three individual drafts: "Terminology for Large MeAsurement Platforms (LMAP)" (July 2013), "A Framework and Inventory for a Large Scale Measurement System" (July 2013), and "A framework for large-scale measurements" (July 2013). Thanks to Juergen Schoenwaelder for his detailed review of the terminology. Thanks to Charles Cook for a very detailed review of an early draft of this document. Thanks to Barbara Stark and Ken Ko for many helpful comments about later draft versions. Thanks to numerous people for much discussion, directly and on the LMAP list (apologies to those unintentionally omitted): Alan Clark, Alissa Cooper, Andrea Soppera, Barbara Stark, Benoit Claise, Brian Trammell, Charles Cook, Dan Romascanu, Dave Thorne, Frode Soerensen, Greg Mirsky, Guangqing Deng, Jason Weil, Jean-Francois Tremblay, Jerome Benoit, Joachim Fabini, Juergen Schoenwaelder, Jukka Manner, Ken Ko, Lingli Deng, Mach Chen, Matt Mathis, Marc Ibrahim, Michael Bugenhagen, Michael Faath, Nalini Elkins, Radia Perlman, Rolf Winter, Sam Crawford, Sharam Hakimi, Steve Miller, Ted Lemon, Timothy Carey, Vaibhav Bajpai, Vero Zheng, and William Lupton. Philip Eardley, Trevor Burbridge and Marcelo Bagnulo worked in part on the Leone research project, which received funding from the European Union Seventh Framework Programme under grant agreement number 317647.

Authors' Addresses

Philip Eardley BT Adastral Park, Martlesham Heath Ipswich England Email: philip.eardley@bt.com Al Morton AT&T Labs 200 Laurel Avenue South Middletown, NJ United States Email: acmorton@att.com
Top   ToC   RFC7594 - Page 55
   Marcelo Bagnulo
   Universidad Carlos III de Madrid
   Av. Universidad 30
   Leganes, Madrid  28911
   Spain

   Phone: 34 91 6249500
   Email: marcelo@it.uc3m.es
   URI:   http://www.it.uc3m.es


   Trevor Burbridge
   BT
   Adastral Park, Martlesham Heath
   Ipswich
   England

   Email: trevor.burbridge@bt.com


   Paul Aitken
   Brocade Communications Systems, Inc.
   19a Canning Street, Level 3
   Edinburgh, Scotland  EH3 8EG
   United Kingdom

   Email: paitken@brocade.com


   Aamer Akhter
   Consultant
   118 Timber Hitch
   Cary, NC
   United States

   Email: aakhter@gmail.com