Network Working Group                                      D. Harrington
Internet-Draft                                   Huawei Technologies USA
Intended status: BCP                                    October 27, 2008                                       March 9, 2009
Expires: April 30, September 10, 2009

 Guidelines for Considering Operations and Management of New Protocols
             draft-ietf-opsawg-operations-and-management-05
                        and Protocol Extensions
             draft-ietf-opsawg-operations-and-management-06

Status of This Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of which he BCP 78 and BCP 79.  This document may contain material
   from IETF Documents or she is aware
   have been IETF Contributions published or will made publicly
   available before November 10, 2008.  The person(s) controlling the
   copyright in some of this material may not have granted the IETF
   Trust the right to allow modifications of such material outside the
   IETF Standards Process.  Without obtaining an adequate license from
   the person(s) controlling the copyright in such materials, this
   document may not be disclosed, modified outside the IETF Standards Process, and any
   derivative works of which he or she becomes
   aware will it may not be disclosed, in accordance with Section 6 of BCP 79. created outside the IETF Standards
   Process, except to format it for publication as an RFC or to
   translate it into languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 30, September 10, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   New protocols or protocol extensions are best designed with due
   consideration of functionality needed to operate and manage the
   protocol.
   protocols.  Retrofitting operations and management is sub-optimal.
   The purpose of this document is to provide guidance to authors and
   reviewers of documents defining new protocols or protocol extensions,
   about covering aspects of operations and management that should be
   considered.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3  4
     1.1.  Terminology  Designing for Operations and Management  . . . . . . . . .  4
     1.2.  This Document  . . . . . . . . . . . . . .  4
   2.  Design for Operations and Management . . . . . . . .  4
     1.3.  Motivation . . . . .  4
     2.1.  IETF Management Framework . . . . . . . . . . . . . . . .  5
   3.  Operational Considerations . . .  5
     1.4.  Background . . . . . . . . . . . . . . .  6
     3.1.  Operations Model . . . . . . . . .  6
     1.5.  Available Management Technologies  . . . . . . . . . . . .  6
     3.2.  Installation and Initial Setup  7
     1.6.  Terminology  . . . . . . . . . . . . . .  7
     3.3.  Migration Path . . . . . . . . .  7
   2.  Operational Considerations - How Will the New Protocol Fit
       Into the Current Environment?  . . . . . . . . . . . . .  8
     3.4.  Requirements on Other Protocols and Functional
           Components . . .  7
     2.1.  Operations Model . . . . . . . . . . . . . . . . . . . . .  8
     3.5.  Impact on Network Operation
     2.2.  Installation and Initial Setup . . . . . . . . . . . . . .  8
     2.3.  Migration Path . . . . . . .  9
     3.6.  Verifying Correct Operation . . . . . . . . . . . . . . .  9
   4.  Management Considerations
     2.4.  Requirements on Other Protocols and Functional
           Components . . . . . . . . . . . . . . . . . . . . . . . . 10
     4.1.  Interoperability
     2.5.  Impact on Network Operation  . . . . . . . . . . . . . . . 10
     2.6.  Verifying Correct Operation  . . . . . . 11
     4.2.  Management Information . . . . . . . . . 11
   3.  Management Considerations - How Will The Protocol be
       Managed? . . . . . . . . . . 13
     4.3.  Fault Management . . . . . . . . . . . . . . . . . 11
     3.1.  Interoperability . . . . 14
       4.3.1.  Liveness Detection and Monitoring . . . . . . . . . . 15
       4.3.2.  Fault Determination . . . . . . . 13
     3.2.  Management Information . . . . . . . . . . . . 15
       4.3.3.  Fault Isolation . . . . . . 16
       3.2.1.  Information Model Design . . . . . . . . . . . . . 16
     4.4.  Configuration . . 17
     3.3.  Fault Management . . . . . . . . . . . . . . . . . 16
       4.4.1.  Verifying Correct Operation . . . . 17
       3.3.1.  Liveness Detection and Monitoring  . . . . . . . . . . 18
       4.4.2.  Control of Function and Policy
       3.3.2.  Fault Determination  . . . . . . . . . . . . . . . 18
     4.5.  Accounting Management . . 18
       3.3.3.  Root Cause Analysis  . . . . . . . . . . . . . . . . . 18
     4.6.  Performance Management
       3.3.4.  Fault Isolation  . . . . . . . . . . . . . . . . . . . 19
     4.7.  Security
     3.4.  Configuration Management . . . . . . . . . . . . . . . . . 19
       3.4.1.  Verifying Correct Operation  . . . . . . . . 20
   5.  Documentation Guidelines . . . . . 20
       3.4.2.  Control of Function and Policy . . . . . . . . . . . . 21
     3.5.  Accounting Management  . . 22
     5.1.  Recommended Discussions . . . . . . . . . . . . . . . . 21
     3.6.  Performance Management . 22
     5.2.  Null Manageability Considerations Sections . . . . . . . . 22
     5.3.  Placement of Operations and Manageability
           Considerations Sections . . . . . . . . . 21
       3.6.1.  Monitoring the Protocol  . . . . . . . . . 23
   6.  IANA Considerations . . . . . . 22
       3.6.2.  Monitoring the Device  . . . . . . . . . . . . . . . . 23
   7.  Security Considerations
       3.6.3.  Monitoring the Network . . . . . . . . . . . . . . . . 23
       3.6.4.  Monitoring the Service . . . . . 23
   8.  Acknowledgements . . . . . . . . . . . 23
     3.7.  Security Management  . . . . . . . . . . . . . . . . . . . 23
   9.  Informative References
   4.  Documentation Guidelines . . . . . . . . . . . . . . . . . . . 25
     4.1.  Recommended Discussions  . . . . 24
   Appendix A.  Operations and Management Review Checklist . . . . . 27
     A.1.  Operational Considerations . . . . . . . . 25
     4.2.  Null Manageability Considerations Sections . . . . . . . . 27
     A.2.  Management 25
     4.3.  Placement of Operations and Manageability
           Considerations Sections  . . . . . . . . . . . . . . . . 28
     A.3.  Documentation . 26
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 29
   Appendix B.  Change Log 26
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 26
   7.  Acknowledgements . . 29

1.  Introduction

   Often when new protocols or protocol extensions are developed, . . . . . . . . . . . . . . . . . . . . . 27
   8.  Informative References . . . . . . . . . . . . . . . . . . . . 27
   Appendix A.  Operations and Management Review Checklist  . . . . . 30
     A.1.  Operational Considerations . . . . . . . . . . . . . . . . 31
     A.2.  Management Considerations  . . . . . . . . . . . . . . . . 33
     A.3.  Documentation  . . . . . . . . . . . . . . . . . . . . . . 34
   Appendix B.  Change Log  . . . . . . . . . . . . . . . . . . . . . 34

1.  Introduction

   Often when new protocols or protocol extensions are developed, not
   enough consideration is given to how the protocol will be deployed,
   operated and managed.  Retrofitting operations and management
   mechanisms is often hard and architecturally unpleasant, and certain
   protocol design choices may make deployment, operations, and
   management particularly hard.  Since the ease of operations and
   management may impact the success of IETF protocols, this document
   provides guidelines to help protocol designers and working groups
   consider the operations and management functionality needed by their
   new IETF protocol or protocol extension at an earlier phase.

   This document suggests

1.1.  Designing for Operations and Management

   The operational environment and manageability of the protocol should
   be considered from the start when new protocols are designed.

   Protocol designers should consider which operations and management
   needs are relevant to their protocol, document how those needs could
   be addressed, and then recommend appropriate suggest standard management protocols and data
   models that could be used to address the relevant operations and
   management those needs.  This is similar to
   a WG considering working group (WG) that considers which security threats are
   relevant to their protocol, documents how threats should be
   mitigated, and then recommending suggests appropriate standard security protocols to that
   could mitigate the relevant threats.

   The purpose of this document is to provide guidance about what to
   consider when thinking about the management

   When a WG considers operation and deployment of management functionality for a new
   protocol, and the document should contain enough information to
   understand how the protocol will be deployed and managed, but the WG
   should expect that considerations for operations and management may
   need to be updated in the future, after further operational
   experience has been gained.

1.2.  This Document

   This document makes a distinction between "Operational
   Considerations" and "Management Considerations", although the two are
   closely related.  The section on manageability is focused on
   management technology such as how to utilize management protocols and
   how to design management data models.  The operational considerations
   apply to operating the protocol within a network, even if there were
   no management protocol actively being used.

   The purpose of this document is to provide guidance about what to
   consider when thinking about the management and deployment of a new
   protocol, and to provide guidance about documenting the
   considerations.  The following guidelines are designed to help
   writers provide a reasonably consistent format for such
   documentation.  Separate manageability and operational considerations
   sections are desirable in many cases, but their structure and
   location is a decision that can be made from case to case.

   We want to avoid seeming to

   This document does not impose a solution by putting in place a
   strict terminology - for example implying solution, or imply that a formal data model,
   model is needed, or even imply that using a specific management protocol
   is mandatory.  If protocol designers conclude that its the technology can
   be managed solely by using proprietary CLIs, command line interfaces
   (CLIs), and no structured or standardized data model needs to be in
   place, this might be fine, but it is a decision that should be
   explicit in a manageability discussion, that this is how the protocol
   will need to be operated and managed.  Protocol designers should
   avoid having manageability pushed for a later/never later phase of the
   development of the standard.

   Making

   Any decision to make a Management Considerations section a mandatory
   publication requirement for IETF documents is the responsibility of
   the IESG, or specific area directors, or working groups, and this
   document avoids recommending any mandatory publication requirements.
   For a complex protocol, a completely separate draft on operations and
   management might be appropriate, or even a completely separate WG
   effort.

   This document discusses the importance of considering operations and
   management.  Section 1 introduces the subject and section 2 describes
   the IETF Management Framework.  Section 3 discusses operational
   functionality to consider.  Section 4 discusses
   management
   functionality to consider.

   This document sets by setting forth a list of subjective guidelines and a list checklist of objective criteria by
   questions to consider, which a protocol designer or reviewer can use
   to evaluate whether the protocol that he/she has developed addresses and documentation address common
   operations and management needs.  Operations and management are
   highly dependent on their environment, so most guidelines are
   subjective rather than objective.

   We provide some objective criteria to promote interoperability
   through

1.3.  Motivation

   For years the use of standard management interfaces, such as "did you
   design counters in a MIB module for monitoring packets in/out IETF community has used the IETF Standard Management
   Framework, including the Simple Network Management Protocol
   [RFC3410], the Structure of an
   interface?"  The Interfaces Group Management Informatiion [RFC2578], and
   MIB [RFC2863], "did you write an
   XML-based data model models for configuring your protocol with Netconf?"
   NETCONF Configuration Protocol [RFC4741], and "did you standardize
   syslog message content managing new protocols.  As the Internet has
   evolved, operators have found the reliance on one protocol and structured data elements one
   schema language for reporting
   events that might occur when operating your protocol?"
   [I-D.ietf-syslog-protocol] and "did you consider appropriate
   notifications in case managing all aspects of failure situations??

1.1.  Terminology

   This document deliberately does not use the (capitalized) keywords
   described in RFC 2119 [RFC2119].  RFC 2119 states the keywords must
   only be used where it is actually required for interoperation or to
   limit behavior which has potential for causing harm (e.g., limiting
   retransmissions).  For example, they must not be used Internet inadequate.
   The IESG policy to try require working groups to
   impose write a particular method on implementers where the method is not
   required MIB module to
   provide manageability for interoperability.  This document new protocols is being replaced by a set of guidelines
   based on current practices policy
   that is more open to using a variety of protocol designers management protocols and operators. data
   models designed to achieve different goals.

   This document does not describe requirements, so the key words from
   RFC2119 have no place here.

   o  "new protocol" includes new protocols, protocol extensions, data
      models, or other functionality being designed.

   o  "protocol designer" represents individuals and working groups
      involved in the development of new protocols.

2.  Design for Operations and Management

   "Design provides some initial guidelines for considering
   operations and management" means management in an IETF Management Framework that the operational
   environment and manageability
   consists of the protocol should be considered
   from the start when new multiple protocols are designed.

   When a WG considers operation and management functionality multiple data modeling languages,
   with an eye toward being flexible while also striving for
   interoperability.

1.4.  Background

   There have been a
   protocol, the document should contain enough information to
   understand how the protocol will be deployed significant number of efforts, meetings, and managed, but the WG
   should expect
   documents that considerations for are related to Internet operations and management may
   need management.
   Some of them are mentioned here, to be updated in help protocol designers find
   documentation of previous efforts.  Hopefully, providing these
   references will help the future, after further operational
   experience has been gained.

2.1. IETF Management Framework

   For years avoid rehashing old discussions and
   reinventing old solutions.

   In 1988, the IETF has stressed IAB published IAB Recommendations for the use Development of the IETF Standard
   Internet Network Management Framework Standards [RFC1052] which recommended a
   solution that, where possible, deliberately separates modeling
   languages, data models, and MIB modules [RFC2578] for managing new
   protocols.  The IETF designed these to permit multiple the protocols that carry data.  The goal
   is to
   utilize the MIB allow standardized information and data [RFC1052], but it became a common
   misunderstanding that a MIB module could only models to be used with the SNMP
   protocol (described in [RFC3410] and associated documents). by
   different protocols.

   In 2001, OPS Area design teams were created to document requirements
   related to configuration of IP-based networks.  One output was
   "Requirements for Configuration Management of IP-based Networks"
   [RFC3139].

   In 2003, the Internet Architecture Board (IAB) held a workshop on
   Network Management [RFC3535] that discussed the strengths and
   weaknesses of some IETF network management protocols, and compared
   them to operational needs, especially configuration.

   One issue discussed was the user-unfriendliness of the binary format
   of SNMP and COPS Usage for Policy Provisioning (COPS-PR) [RFC3084],
   and it was recommended that the IETF explore an XML-based Structure
   of Management Information, and an XML-based protocol for
   configuration.

   Another conclusion was that the tools for event/alarm correlation and
   for root cause analysis and logging are not sufficient, and that
   there is a need to support a human interface and a programmatic
   interface.  The IETF decided to standardize aspects of the de facto
   standard for system logging security and programmatic support.

   In 2006, the IETF discussed whether the Management Framework should
   be updated to accommodate multiple IETF schema languages for
   describing the structure of management information, and multiple IETF
   standard protocols for doing network management.

1.5.  Available Management Technologies

   The IETF has a number of standard management technologies available.
   These include SNMP, SYSLOG, RADIUS, DIAMETER, NETCONF, IPFIX, and
   others.  These protocol standards, pointers to the documents that
   define them, and standard information and data models for specific
   functionality, are described in "Survey of IETF Network Management
   Standards" [I-D.ietf-opsawg-survey-management]

1.6.  Terminology

   This document provides some initial guidelines deliberately does not use the (capitalized) keywords
   described in RFC 2119 [RFC2119].  RFC 2119 states the keywords must
   only be used where it is actually required for considering
   operations interoperation or to
   limit behavior which has potential for causing harm (e.g., limiting
   retransmissions).  For example, they must not be used to try to
   impose a particular method on implementers where the method is not
   required for interoperability.  This document is a set of guidelines
   based on current practices of protocol designers and management in operators.  This
   document does not describe requirements, so the key words from
   RFC2119 have no place here.

   o  CLI: Command Line Interface

   o  Data model: A mapping of the contents of an IETF Management Framework information model into
      a form that
   consists is specific to a particular type of data store or
      repository.

   o  Information model: An abstraction and representation of the
      entities in a managed environment, their properties, attributes
      and operations, and the way that they relate to each other.  It is
      independent of multiple protocols and multiple any specific repository, software usage, protocol,
      or platform.

   o  "new protocol" includes new protocols, protocol extensions, data
      models, with an eye
   toward or other functionality being flexible while also striving for interoperability.

3. designed.

   o  "protocol designer" represents individuals and working groups
      involved in the development of new protocols.

2.  Operational Considerations - How Will the New Protocol Fit Into the
    Current Environment?

   Designers of a new protocol should carefully consider the operational
   aspects.  To ensure that a protocol will be practical to deploy in
   the real world, it is not enough to merely define it very precisely
   in a well-written document.  Operational aspects will have a serious
   impact on the actual success of a protocol.  Such aspects include bad
   interactions with existing solutions, a difficult upgrade path,
   difficulty of debugging problems, difficulty configuring from a
   central database, or a complicated state diagram that operations
   staff will find difficult to understand.

   BGP flap damping [RFC2439] is an example.  It was designed to block
   high frequency route flaps, however the design did not consider the
   existence of BGP path exploration/slow convergence.  In real
   operations, path exploration caused false flap damping, resulting in
   loss of reachability.  As a result, most places turned flap damping
   off.  Some Regional Internet Registries even issued an official
   recommendation for turning it off.

3.1.

2.1.  Operations Model

   Protocol designers can analyze the operational environment and mode
   of work in which the new protocol or extension will work.  Such an
   exercise need not be reflected directly by text in their document,
   but could help in visualizing the operational model related to the
   applicability of the protocol in the Internet environments where it
   will be deployed.  The operational model should take into account
   factors such as:

   o  what type of management entities will be involved (agents, network
      management systems)?

   o  what

   A key question is how the possible architecture (client-server, manager-agent,
      poll-driven or event-driven, autoconfiguration, two levels or
      hierarchical)?

   o  what are protocol can operate "out of the management operations - initial configuration,
      dynamic configuration, alarm and exception reporting, logging,
      performance monitoring, performance reporting, debugging?

   o  how are these operations performed - locally, remotely, atomic
      operation, scripts?  Are they performed immediately or time
      scheduled or event triggered?

   o  what box".  If
   implementers are free to select their own defaults, the typical user interfaces - Command line (CLI) or
      graphical user interface (GUI)?
   Protocol designers should consider how the new protocol will be
   managed in different deployment scales.  It might be sensible
   needs to use
   a local management interface operate well with any choice of values.  If there are
   sensible defaults, these need to manage the new protocol on a single
   device, but in a large network, remote management using a centralized
   server and/or using distributed management functionality might make
   more sense.  Auto-configuration and default parameters might be
   possible for some new protocols. stated.

   There may be a need to support a human interface, e.g., for
   troubleshooting, and a programmatic interface, e.g., for automated
   monitoring and root cause analysis.  It might be important that the
   internal method routines used by the  The application programming
   interfaces and the human interfaces should be the same human interfaces might benefit from being similar
   to ensure that
   data exchanged between the information exposed by these two interfaces is always consistent.
   Mixing methods leads
   consistent when presented to inconsistency, so identifying an operator.  Identifying consistent
   methods of retrieving information determining information, such as what gets counted in a
   specific counter, is relevant.

   Protocol designers should consider what management operations are
   expected to be performed as a result of the deployment of the
   protocol - such as whether write operations will be allowed on
   routers and on hosts, or whether notifications for alarms or other
   events will be expected.

3.2.

2.2.  Installation and Initial Setup

   Anything that can be configured can be misconfigured.  "Architectural
   Principles of the Internet" [RFC1958] Section 3.8 states: "Avoid
   options and parameters whenever possible.  Any options and parameters
   should be configured or negotiated dynamically rather than manually."
   To simplify configuration, protocol designers should consider
   specifying reasonable defaults, including default modes and
   parameters.  For example, it could be helpful or necessary to specify
   default values for modes, timers, default state of logical control
   variables, default transports, and so on.  Even if default values are
   used, it must be possible to retrieve all the actual values or at
   least an indication that known default values are being used.

   Protocol designers should consider how to enable operators to
   concentrate on the configuration of the network as a whole rather
   than on individual devices.  Of course, how one accomplishes this is
   the hard part.

   It is desirable to discuss the background of chosen default values,
   or perhaps why a range of values makes sense.  In many cases, as
   technology changes, the values in an RFC might make less and less
   sense.  It is very useful to understand whether defaults are based on
   best current practice and are expected to change as technologies
   advance or whether they have a more universal value that should not
   be changed lightly.  For example, the default interface speed might
   be expected to change over time due to increased speeds in the
   network, and cryptographical algorithms might be expected to change
   over time as older algoithms algorithms are "broken".

   it is extremely important to set a sensible default value for all
   parameters

      the

   The default value should stay on the conservative side rather than on
   the "optimizing performance" side. (example: the initial RTT and
   RTTvar values of a TCP connection)

      for

   For those parameters that are speed-dependent, instead of using a
   constant, try to set the default value as a function of the link
   speed or some other relevant factors.  This would help reduce the
   chance of problems caused by technology advancement.

3.3.

2.3.  Migration Path

   If the new protocol is a new version of an existing one, or if it is
   replacing another technology, the protocol designer should consider
   how deployments should transition to the new protocol.  This should
   include co-existence with previously deployed protocols and/or
   previous versions of the same protocol, incompatibilities between
   versions, translation between versions, and side-effects that might
   occur.  Are older protocols or versions disabled or do they co-exist
   in the network with the new protocol?

3.4.

   Many protocols benefit from being incrementally deployable -
   operators may deploy aspects of a protocol before deploying the
   protocol fully.

2.4.  Requirements on Other Protocols and Functional Components

   Protocol designers should consider the requirements that the new
   protocol might put on other protocols and functional components, and
   should also document the requirements from other protocols and
   functional elements that have been considered in designing the new
   protocol.

   These considerations should generally remain illustrative to avoid
   creating restrictions or dependencies, or potentially impacting the
   behavior of existing protocols, or restricting the extensibility of
   other protocols, or assuming other protocols will not be extended in
   certain ways.  If restrictions or dependencies exist, they should be
   stated.

   For example, the design of Resource ReSerVation Protocol (RSVP)
   [RFC2205] required each router to look at the RSVP PATH message, and
   if the router understood RSVP, to add its own address to the message
   to enable automatically tunneling through non-RSVP routers.  But in
   reality routers cannot look at an otherwise normal IP packet, and
   potentially take it off the fast path!  The initial designers
   overlooked that a new "deep packet inspection" requirement was being
   put on the functional components of a router.  The "router alert"
   option was finally developed to solve this problem for RSVP and other
   protocols that require the router to take some packets off the fast
   forwarding path.

3.5.

2.5.  Impact on Network Operation

   The introduction of a new protocol or extensions to an existing
   protocol may have an impact on the operation of existing networks.
   Protocol designers should outline such impacts (which may be
   positive) including scaling concerns and interactions with other
   protocols.  For example, a new protocol that doubles the number of
   active, reachable addresses in use within a network might need to be
   considered in the light of the impact on the scalability of the IGPs
   interior gateway protocols operating within the network.

   A protocol could send active monitoring packets on the wire.  If we
   don't pay attention, we might get very good accuracy, but at the cost
   of using all the available bandwidth.

   The protocol designer should consider the potential impact on the
   behavior of other protocols in the network and on the traffic levels
   and traffic patterns that might change, including specific types of
   traffic such as multicast.  Also consider the need to install new
   components that are added to the network as result of the changes in
   the operational model, such as servers performing auto-configuration
   operations.

   The protocol designer should consider also the impact on
   infrastructure applications like DNS [RFC1034], the registries, or
   the size of routing tables.  For example, Simple Mail Transfer
   Protocol (SMTP) [RFC2821] [RFC5321] servers use a reverse DNS lookup to filter
   out incoming connection requests.  When Berkeley installed a new spam
   filter, their mail server stopped functioning because of the DNS
   cache resolver overload.

   The impact on performance may also be noted - increased delay or
   jitter in real-time traffic applications, or response time in client-
   server applications when encryption or filtering are applied.

   It is important to minimize the impact caused by configuration
   changes.  Given configuration A and configuration B, it should be
   possible to generate the operations necessary to get from A to B with
   minimal state changes and effects on network and systems.

3.6.

2.6.  Verifying Correct Operation

   The protocol designer should consider techniques for testing the
   effect that the protocol has had on the network by sending data
   through the network and observing its behavior (aka active
   monitoring).  Protocol designers should consider how the correct end-
   to-end operation of the new protocol in the network can be tested
   actively and passively, and how the correct data or forwarding plane
   function of each network element can be verified to be working
   properly with the new protocol.  Which metrics are of interest?

   Having simple protocol status and health indicators on network
   devices is a recommended means to check correct operation.

4.

3.  Management Considerations - How Will The Protocol be Managed?

   The considerations of manageability should start from describing the
   operational
   operations model, which includes identifying the entities to be
   managed, how the respective managed protocol is supposed to be installed,
   configured and monitored, who are the managers and what type of
   management interfaces and protocols they would use. monitored.

   Considerations for management should include a discussion of what
   needs to be managed, and how to achieve various management tasks.
   Where are the managers and what type of management interfaces and
   protocols will they need?  The "write a MIB module" approach to
   considering management often focuses on monitoring a protocol
   endpoint on a single device.  A MIB module document typically only
   considers monitoring properties observable at one end, while the
   document does not really cover managing the *protocol* (the
   coordination of multiple ends), and does not even come near managing
   the *service* (which includes a lot of stuff that is very far away
   from the box).  This is exactly what operators hate - you need to be
   able to manage both ends.  As [RFC3535] says, MIB modules can often
   be characterized as a list of
   ingredients without list of ingredients without a recipe.

   The management model should take into account factors such as:

   o  what type of management entities will be involved (agents, network
      management systems)?

   o  what is the possible architecture (client-server, manager-agent,
      poll-driven or event-driven, autoconfiguration, two levels or
      hierarchical)?

   o  what are the management operations - initial configuration,
      dynamic configuration, alarm and exception reporting, logging,
      performance monitoring, performance reporting, debugging?

   o  how are these operations performed - locally, remotely, atomic
      operation, scripts?  Are they performed immediately or time
      scheduled or event triggered?

   Protocol designers should consider how the new protocol will be
   managed in different deployment scales.  It might be sensible to use
   a local management interface to manage the new protocol on a single
   device, but in a large network, remote management using a recipe. centralized
   server and/or using distributed management functionality might make
   more sense.  Auto-configuration and default parameters might be
   possible for some new protocols.

   Management needs to be considered not only from the perspective of a
   device, but also from the perspective of network and service
   management perspectives.  A service might be network and operational
   functionality derived from the implementation and deployment of a new
   protocol.  Often an individual network element is not aware of the
   service being delivered.

   WGs should consider how to configure multiple related/co-operating
   devices and how to back off if one of those configurations fails or
   causes trouble.  NETCONF [RFC4741] addresses this in a generic manner
   by allowing an operator to lock the configuration on multiple
   devices, perform the configuration settings/changes, check that they
   are OK (undo if not) and then unlock the devices.

   Techniques for debugging protocol interactions in a network must be
   part of the network management discussion.  Implementation source
   code should be debugged before ever being added to a network, so
   asserts and memory dumps do not normally belong in management data
   models.  However, debugging on-the-wire interactions is a protocol
   issue: while the messages can be seen by sniffing, it is enormously
   helpful if a protocol has hooks to specification supports features that make
   debugging of network interactions easy, and/or is designed and behaviors easier.  There could
   be alerts issued when messages are received, or when there are state
   transitions in such a
   way that debugging the protocol behaviors is easy.  Hand-waving this away state machine.  However, the state
   machine is often not something part of the on-the-wire protocol; the state
   machine explains how the protocol works so that operators like ... an implementer can
   decide, in an implementation-specific manner, how to react to a
   received event.

   In a client/server protocol, it may be more important to instrument
   the server end of a protocol than the client end.

4.1. end, since the
   performance of the server might impact more nodes than the
   performance of a specific client.

3.1.  Interoperability

   Just as when deploying protocols that will inter-connect devices, our
   primary goal in considering management should be interoperability,
   whether across devices from different vendors, across models from the
   same vendor, or across different releases of the same product.
   Management interoperability refers to allowing information sharing
   and operations between multiple devices and multiple management
   applications, often from different vendors.  Interoperability allows
   for the use of 3rd party applications and the outsourcing of
   management services.

   Some product designers and protocol designers assume that if a device
   can be managed individually using a command line interface or a web
   page interface, that such a solution is enough.  But when equipment
   from multiple vendors is combined into a large network, scalability
   of management becomes a problem.  It is important to have consistency
   in the management interfaces so network-wide operational processes
   can be automated.  For example, a single switch might be easily
   managed using an interactive web interface when installed in a single
   office small business, but when, say, a fast food company installs
   similar switches from multiple vendors in hundreds or thousands of
   individual branches and wants to automate monitoring them from a
   central location, monitoring vendor-and-model-specific web pages
   would be difficult to automate.

   Getting everybody to agree on a single syntax and an associated
   protocol to do all management has proven to be difficult.  So
   management systems tend to speak whatever the boxes support, whether
   the IETF likes this or not.  The IETF is moving from support for one
   schema language for modeling the structure of management information
   (Structure of Management Information Version 2 (SMIv2) [RFC2578]) and
   one simple network management protocol (Simple Network Management
   Protocol (SNMP) [RFC3410]) towards support for additional schema
   languages and additional management protocols suited to different
   purposes.  Other Standard Development Organizations (e.g.  DMTF, TMF)
   also define schemas and protocols for management and these may be
   more suitable than IETF schemas and protocols in some cases.  Some of
   the alternatives being considered include

      XML Schema Definition [W3C.REC-xmlschema-0-20010502]

      and others

   and

      NETCONF Configuration Protocol [RFC4741]

      IP Flow Information Export (IPFIX) Protocol [RFC5101]) for usage
      accounting

      The syslog Protocol [I-D.ietf-syslog-protocol] for logging

      and others

   Interoperability needs to be considered on the syntactic level and
   the semantic level.  While it can be irritating and time-consuming,
   application designers including operators who write their own scripts
   can make their processing conditional to accommodate syntactic
   differences across vendors or models or releases of product.

   Semantic differences are much harder to deal with on the manager side
   - once you have the data, its meaning is a function of the managed
   entity.  For example, if a single counter provided by vendor A counts
   three types of error conditions, while the corresponding counter
   provided by vendor B counts seven types of error conditions, these
   counters cannot be compared effectively - they are not interoperable
   counters.

   Information models are helpful to try to focus interoperability on
   the semantic level - they establish standards for what information
   should be gathered, and how gathered information might be used
   regardless of which management interface carries the data or which
   vendor produces the product.  The use of an information model might
   help improve the ability of operators to correlate messages in
   different protocols where the data overlaps, such as a SYSLOG message
   and an SNMP notification about the same event.  An information model
   might identify which error conditions should be counted separately,
   and which error conditions can be counted together in a single
   counter.  Then, whether the counter is gathered via SNMP or a CLI
   command or a SYSLOG message, the counter will have similar the same meaning.

   Protocol designers should consider which information might be useful
   for managing the new protocol or protocol extensions.

                IM                --> conceptual/abstract model
                 |                    for designers and operators
      +----------+---------+
      |          |         |
      DM        DM         DM     --> concrete/detailed model
                                      for implementers

   Information Models and Data Models

                                 Figure 1

   On the Difference between Information Models and Data Models
   [RFC3444] may be useful in determining what information to consider
   regarding information models, as compared to data models.

   Information models should come from the protocol WGs and include
   lists of events, counters and configuration parameters that are
   relevant.  There are a number of information models contained in
   protocol WG RFCs.  Some examples:

   o  [RFC3060] - Policy Core Information Model version 1

   o  [RFC3290] - An Informal Management Model for DiffServ Routers

   o  [RFC3460] - Policy Core Information Model Extensions

   o  [RFC3585] - IPsec Configuration Policy Information Model

   o  [RFC3644] - Policy Quality of Service Information Model

   o  [RFC3670] - Information Model for Describing Network Device QoS
      Datapath Mechanisms

   o  [RFC3805] - Printer MIB v2 (contains contains both an IM and a DM

   Management protocol standards and management data model standards
   often contain compliance clauses to ensure interoperability.
   Manageability considerations should include discussion of which level
   of compliance is expected to be supported for interoperability.

4.2.

3.2.  Management Information

   Languages used to describe an information model can influence the
   nature of the model.  Using a particular data modeling language, such
   as the SMIv2, influence the model to use certain types of structures,
   such as two-dimensional tables.  This document recommends using
   English text (the official language for IETF specifications) to
   describe an information model.  A sample data model could be
   developed to demonstrate the information model.

   A management information model should include a discussion of what is
   manageable, which aspects of the protocol need to be configured, what
   types of operations are allowed, what protocol-specific events might
   occur, which events can be counted, and for which events should an
   operator be notified.

   Operators find it important to be able to make a clear distinction
   between configuration data, operational state, and statistics.  They
   need to determine which parameters were administrative administratively configured
   and which parameters have changed since configuration as the result
   of mechanisms such as routing protocols or network management
   protocols.  It is important to be able to separately fetch current
   configuration data, information, initial configuration information,
   operational state data, information, and statistics from devices, and to be
   able to compare current state to initial state, and to compare data
   information between devices.  So when deciding what information
   should exist, do not conflate multiple information elements into a
   single element.

   What is typically difficult to work through are relationships between
   abstract objects.  Ideally an information model would describe the
   relationships between the objects and concepts in the information
   model.

   Is there always just one instance of this object or can there be
   multiple instances?  Does this object relate to exactly one other
   object or may it relate to multiple?  When is it possible to change a
   relationship?

   Do objects (such as rows in tables) share fate?  For example, if a
   row in table A must exist before a related row in table B can be
   created, what happens to the row in table B if the related row related row in
   table A is deleted?  Does the existence of relationships between
   objects have an impact on fate sharing?

3.2.1.  Information Model Design

   This document recommends keeping the information model as simple as
   possible by applying the following criteria:

   1.  Start with a small set of essential objects and add only as
       further objects are needed.

   2.  Require that objects be essential for management.

   3.  Consider evidence of current use and/or utility.

   4.  Limit the total number of objects.

   5.  Exclude objects that are simply derivable from others in
   table this or
       other information models.

   6.  Avoid causing critical sections to be heavily instrumented.  A
       guideline is deleted?  Does the existence of relationships between
   objects have an impact on fate sharing?

4.3. one counter per critical section per layer.

3.3.  Fault Management

   The protocol designer should document the basic faults and health
   indicators that need to be instrumented for the new protocol, and the
   alarms and events that must be propagated to management applications
   or exposed through a data model.

   The protocol designer should consider how faults fault information will be
   propagated.  Will it be done using asynchronous notifications or
   polling of health indicators?

   If notifications are used to alert operators to certain conditions,
   then the protocol designer should discuss mechanisms to throttle
   notifications to prevent congestion and duplications of event
   notifications.  Will there be a hierarchy of faults, and will the
   fault reporting be done by each fault in the hierarchy, or will only
   the lowest fault be reported and the higher levels be suppressed?
   should
   Should there be aggregated status indicators based on concatenation
   of propagated faults from a given domain or device?

   SNMP notifications and SYSLOG messages can alert an operator when an
   aspect of the new protocol fails or encounters an error or failure
   condition, and SNMP is frequently used as a heartbeat monitor.
   Should the event reporting provide gyaranteed guaranteed accurate delivery of
   the event information within a given (high) margin of confidence?
   Can we poll the latest events in the box?

4.3.1.

3.3.1.  Liveness Detection and Monitoring

   Liveness detection and monitoring applies both to the control plane
   and the data plane.  Mechanisms for detecting faults in the control
   plane or for monitoring its liveness are usually built into the
   control plane protocols or inherited from underlying data plane or
   forwarding plane protocols.  These mechanisms do not typically
   require additional management capabilities.  However, when a system
   detects a control plane fault, there is often a requirement to
   coordinate recovery action through management applications or at
   least to record the fact in an event log.

   Where the protocol is responsible for establishing data or user plane
   connectivity, liveness detection and monitoring usually need to be
   achieved through other mechanisms.  In some cases, these mechanisms
   already exist within other protocols responsible for maintaining
   lower layer connectivity, but it will often be the case that new
   procedures are required to detect failures in the data path and to
   report rapidly, allowing remedial action to be taken.

   Protocol designers should always build in basic testing features
   (e.g.  ICMP echo, UDP/TCP echo service, NULL RPC calls) that can be
   used to test for liveness, with an option to enable and disable them.

4.3.2.

3.3.2.  Fault Determination

   It can be helpful to describe how faults can be pinpointed using
   management information.  For example, counters might record instances
   of error conditions.  Some faults might be able to be pinpointed by
   comparing the outputs of one device and the inputs of another device
   looking for anomalies.

   How do you distinguish between faulty messages and good messages?

   Would some threshold-based mechanisms, such as RMON events/alarms or
   the EVENT-MIB, be useable to help determine error conditions?  Are
   SNMP notifications for all events needed, or are there some
   "standard" notifications that could be used? or can the right relevant counters that can
   be polled as needed?

4.3.3.

3.3.3.  Root Cause Analysis

   Root cause analysis is about working out where in the network the
   fault is.  For example, if end-to-end data delivery is failing
   (reported by a notification), root cause analysis can help find the
   failed link or node in the end-to-end path.

3.3.4.  Fault Isolation

   It might be useful to isolate or quarantine faults, such as isolating
   a system device that emits malformed messages that are necessary to
   coordinate connections properly.
   Spanning tree comes to mind.  This might be able to be done by
   configuring next-hop devices to drop the faulty messages to prevent
   them from entering the rest of the network.

4.4.

3.4.  Configuration Management

   A protocol desoigners designer should document what the basic configuration
   parameters that need to be instrumented for a new protocol, as well
   as default values and modes of operation.

   What information should be maintained across reboots of the device,
   or restarts of the management system?

   "Requirements for Configuration Management of IP-based Networks"
   [RFC3139] discusses requirements for configuration management.  This
   document includes management,
   including discussion of different levels of management,
   including high-level-policies, high-level-
   policies, network-wide configuration data, and device-local
   configuration.

   A number of efforts have existed in the IETF to develop policy-based
   management.  "Terminology for Policy-Based Management" [RFC3198] was
   written to standardize the terminology across these efforts.  Some of
   the efforts resulted in proposals  Network configuration is not just multi-device push
   or pull.  It is knowing that the configurations being pushed are NOT RECOMMENDED, so a
   protocol designer should check
   semantically compatible.  Is the current recommendation status
   before depending circuit between them configured
   compatibly on a specific protocol suggestion.

   It both ends? is highly desirable that text processing tools such as diff, and
   version management tools such as RCS or CVS or SVN, can be used to
   process configurations.  This approach simplifies comparing the
   current operational state to is-is metric the initial configuration.  It is
   commonplace to compare configuration changes to e.g., last day, last
   week, last month, etc. -- having configuration in a text, and human-
   understandable format is very valuable same? ... now do
   that for various reasons such as
   change control (or verification), configuration consistency checks,
   etc.

   With structured text such as XML, simple text diffs may be found 1,000 devices.

   A number of efforts have existed in the IETF to
   be inadequate and more sophisticated tools may be needed develop policy-based
   management.  "Terminology for Policy-Based Management" [RFC3198] was
   written to make any
   useful comparison of versions.

   To simplify such configuration comparisons, devices standardize the terminology across these efforts.

   Implementations should not arbitrarily reorder data such modify configuration data.  In
   some cases (such as access control lists. Access Control Lists) the order of data items is
   significant and comprises part of the configured data.  If a protocol
   designer defines mechanisms for configuration, it would be desirable
   to standardize the order of elements for consistency of configuration
   and of reporting across vendors, and across releases from vendors.

   There are two parts to this: 1.  An NMS system could optimize ACLs access
   control lists (ACLs) for performance reasons 2.  Unless the device/NMS device/
   NMS systems has correct rules/a lot of experience, reordering ACLs
   can lead to a huge security issue.

   Network wide configurations are ideally may be stored in central master databases
   and transformed into formats that can be pushed to devices, either by
   generating sequences of CLI commands or complete configuration files
   that are pushed to devices.  There is no common database schema for
   network configuration, although the models used by various operators
   are probably very similar.  It is  Many operators consider it desirable to
   extract, document, and standardize the common parts of these network
   wide configuration database schemas.  A protocol designer should
   consider how to standardize the common parts of configuring the new
   protocol, while recognizing the that vendors will likely may also have proprietary
   aspects of their configurations.

   It is important to distinguish between the distribution of
   configurations and the activation of a certain configuration.
   Devices should be able to hold multiple configurations.  NETCONF
   [RFC4741], for example, differentiates between the "running"
   configuration and "candidate" configurations.

   It is important to enable operators to concentrate on the
   configuration of the network as a whole rather than individual
   devices.  Support for configuration transactions across a number of
   devices would could significantly simplify network configuration
   management.  The ability to distribute configurations to multiple
   devices, or modify "candidate candidate configurations on multiple devices, and
   then activate them in a near-simultaneous manner might help.
   Protocol designers can consider how it would make sense for their
   protocol to be configured across multiple devices.  Configuration-
   templates might also be helpful.

   Consensus of the 2002 IAB Workshop [RFC3535] was that textual
   configuration files should be able to contain international
   characters.  Human-
   readable  Human-readable strings should utilize UTF-8, and
   protocol elements should be in case insensitive ASCII.

   A mechanism to dump and restore configurations is a primitive
   operation needed by operators.  Standards for pulling and pushing
   configurations from/to devices are desirable.

   Given configuration A and configuration B, it should be possible to
   generate the operations necessary to get from A to B with minimal
   state changes and effects on network and systems.  It is important to
   minimize the impact caused by configuration changes.

   Many protocol specifications include timers that are used as part of
   operation of the protocol.  These timers may need should have default values
   suggested in the protocol specification and do may not need to be
   otherwise configurable.

4.4.1.

3.4.1.  Verifying Correct Operation

   An important function that should be provided is guidance on how to
   verify the correct operation of a protocol.  A protocol designer
   could suggest techniques for testing the impact of the protocol on
   the network before it is deployed, and techniques for testing the
   effect that the protocol has had on the network after being deployed.

   Protocol designers should consider how to test the correct end-to-end
   operation of the network, and how to verify the correct data or
   forwarding plane function of each network element.  This may be
   achieved through status and statistical information from network
   devices.

4.4.2.

3.4.2.  Control of Function and Policy

   A protocol designer should consider the configurable items that exist
   for the control of function via the protocol elements described in
   the protocol specification.  For example, Sometimes sometimes the protocol
   requires that timers can be configured by the operator to ensure
   specific policy-based behavior by the implementation.

4.5.

3.5.  Accounting Management

   A protocol designer should consider whether it would be appropriate
   to collect usage information related to this protocol, and if so,
   what usage information would be appropriate to collect? collect.

   "Introduction to Accounting Management" [RFC2975] discusses a number
   of factors relevant to monitoring usage of protocols for purposes of
   capacity and trend analysis, cost allocation, auditing, and billing.
   This
   The document also discusses how Remote Authentication Dial In User
   Service (RADIUS) [RFC2865], Terminal Access Controller Access Control
   System (TACACS) [RFC1492], SNMP, IPFIX, and Packet Sampling (PSAMP)
   Protocol [I-D.ietf-psamp-protocol] some existing protocols can be used
   for these purposes.  These factors should be considered when
   designing a protocol whose usage might need to be monitored, or when
   recommending a protocol to do usage accounting.

4.6.

3.6.  Performance Management

   Consider

   From a manageability point of view it is important to determine how
   well a network deploying the protocol or technology defined in the
   document is doing.  In order to do this the network operators need to
   consider information that would be useful when trying to determine the
   performance characteristics of a deployed system using the target
   protocol.

   There are several parts to

   The Benchmarking Methodology WG (BMWG) has defined recommendations
   for the measurement of the performance management to be considered:
   protocol monitoring, characteristics of various
   internetworking technologies in a laboratory environment, including
   the systems or services monitoring, and device monitoring (the
   impact that are built from these technologies.  Each
   recommendation describes the class of equipment, system, or service
   being addressed; discuss the new protocol/service activation on performance characteristics that are
   pertinent to that class; clearly identify a set of metrics that aid
   in the device).

   From a manageability point description of view it is important those characteristics; specify the
   methodologies required to determine how
   well a network deploying collect said metrics; and lastly, present
   the protocol requirements for the common, unambiguous reporting of
   benchmarking results.

   Performance metrics may be useful in multiple environments, and for
   different protocols.  The IP Performance Monitoring (IPPM) WG or technology
   Benchmarking (BMWG) WG may have already defined in metrics that would be
   useful for the
   document is doing. new protocol.  In order to do this the network operators some cases, new metrics need to
   consider information that be
   defined.  It would be useful to determine if the
   performance characteristics of a deployed system using protocol documentation identified
   the target
   protocol.

   Consider scalability, need for such as whether new metrics.  For performance will be affected by
   the number of protocol connections.  If so, then monitoring, it might be useful
   to provide information about the maximum number of table entries that
   should be expected is
   often important to be modeled, how many entries an implementation
   can support, the current number of instances, and report the expected
   behavior when time spent in a state rather than the
   current instances exceed the capacity state.  Snapshots are of the
   implementation.  This should be considered in a data-modeling
   independent manner - what makes managed-protocol sense, not what
   makes management-protocol-sense.  If it is not managed-protocol-
   dependent, then it should be left less value for the management-protocol data
   modelers performance
   monitoring.

   There are several parts to decide.  For example, VLAN identifiers have a range of
   1..4095 because of the VLAN standards.  A MIB implementing a VLAN
   table should be able performance management to support 4096 entries because the content
   being modeled requires it.

   Any recommendation in the document should be data-modeling language
   independent.  The considered:
   protocol document should make clear monitoring, device monitoring (the impact of the limitations
   implicit within new
   protocol/service activation on the protocol device), network monitoring, and
   service monitoring (the impact of service activation on the behavior when limits are
   exceeded.

   Consider network).

3.6.1.  Monitoring the capability Protocol

   Certain properties of determining the operational activity, such
   as protocols are useful to monitor.  The number of
   protocol packets received, the number of message in packets sent, and the messages out, the number
   of
   received messages rejected due packets dropped are usually very helpful to format problems, operators.

   Packet drops should be reflected in counter variable(s) somewhere
   that can be inspected - both from the expected
   behaviors when a malformed message security point of view and from
   the troubleshooting point of view.

   Counter definitions should be unambiguous about what is received. included in
   the count, and what is not included in the count.

   Consider the expected behaviors for counters - what is a reasonable
   maximum value for expected usage? should  Should they stop counting at the
   maximum value and retain the maximum value, or should they rollover?
   How can users determine if a rollover has occurred, and how can users
   determine if more than one rollover has occurred?

   Consider whether multiple management applications will share a
   counter; if so, then no one management application should be allowed
   to reset the value to zero since this will impact other applications.

   Could events, such as hot-swapping a blade in a chassis, cause
   discontinuities in information? counter?  Does this make any difference in
   evaluating the performance of a protocol?

   For performance monitoring,

   The protocol document should make clear the limitations implicit
   within the protocol and the behavior when limits are exceeded.  This
   should be considered in a data-modeling independent manner - what
   makes managed-protocol sense, not what makes management-protocol-
   sense.  If constraints are not managed-protocol-dependent, then it is often important
   should be left for the management-protocol data modelers to report decide.
   For example, VLAN identifiers have a range of 1..4095 because of the
   VLAN standards.  A MIB implementing a VLAN table should be able to
   support 4096 entries because the content being modeled requires it.

3.6.2.  Monitoring the Device

   Consider whether device performance will be affected by the number of
   protocol entities being instantiated on the device.  Designers of an
   information model should include information, accessible at runtime,
   about the maximum number of instances an implementation can support,
   the current number of instances, and the time
   spent in a state rather than expected behavior when the
   current state.  Snapshots are instances exceed the capacity of
   less value for performance monitoring.

   The Benchmarking Methodology WG (bmwg) has defined recommendations
   for the measurement implementation or the
   capacity of the performance characteristics device.

   Designers of various
   internetworking technologies in an information model should model information,
   accessible at runtime, about the maximum number of protocol entity
   instances an implementation can support on a laboratory environment, including device, the systems or services that are built from these technologies.  Each
   recommendation describes current
   number of instances, and the class expected behavior when the current
   instances exceed the capacity of equipment, system, or service
   being addressed; discuss the device.

3.6.3.  Monitoring the Network

   Consider whether network performance characteristics that are
   pertinent to that class; clearly identify a set will be affected by the number
   of metrics that aid
   in protocol entities being deployed.

   Consider the description capability of those characteristics; specify determining the
   methodologies required to collect said metrics; operational activity, such
   as the number of messages in and lastly, present the requirements for messages out, the common, unambiguous reporting number of
   benchmarking results.
   received messages rejected due to format problems, the expected
   behaviors when a malformed message is received.

   What are the principal performance factors that need to be looked at
   when measuring the operational performance of the protocol
   implementations? network built using
   the protocol?  Is it important to measure setup times? throughput?
   quality versus throughput? interruptions? end-to-end throughput? end-
   to-end quality?
   connectivity? hop-to-hop connectivity? network throughput?  In many cases

3.6.4.  Monitoring the performance
   metrics Service

   What are generic and already defined by work done in the IPPM WG,
   or BMWG for example, but in some cases new metrics principal performance factors that need to be
   defined.  It would be useful if looked at
   when measuring the document would identify performance of a service using the need
   for such new metrics.

4.7. protocol?  Is
   it important to measure application-specific throughput? client-
   server associations? end-to-end application quality? service
   interruptions? user experience?

3.7.  Security Management

   Protocol designers should consider how to monitor and to manage
   security aspects and vulnerabilities of the new protocol.

   There will be security considerations related to the new protocol.
   To make it possible for operators to be aware of security-related
   events, it is recommended that system logs should record events, such
   as failed logins, but the logs must be secured.

   Should a system automatically notify operators of every event
   occurrence, or should an operator-defined threshold control when a
   notification is sent to an operator?

   Should certain statistics be collected about the operation of the new
   protocol that might be useful for detecting attacks, such as the
   receipt of malformed messages, or messages out of order, or messages
   with invalid timestamps?  If such statistics are collected, is it
   important to count them separately for each sender to help identify
   the source of attacks?

   Manageability considerations that are security-oriented might include
   discussion of the security implications when no monitoring is in
   place, the regulatory implications of absence of audit-trail or logs
   in enterprises, exceeding the capacity of logs, and security
   exposures present in chosen / recommended management mechanisms.

   Consider security threats that may be introduced by management
   operations.  For example CAPWAP breaks the structure of monolithic
   Access Points (AP) into Access Controllers and Wireless Termination
   Points (WTP).  By using a management interface, internal information
   that was previously not accessible is now exposed over the network
   and to management applications and may become a source of potential
   security threats.

   The granularity of access control needed on management interfaces
   needs to match operational needs.  Typical requirements are a role-
   based access control model and the principle of least privilege,
   where a user can be given only the minimum access necessary to
   perform a required task.

   It must be possible

   Some operators wish to do consistency checks of access control lists
   across devices.  Protocol designers should consider information
   models to promote comparisons across devices and across vendors to
   permit checking the consistency of security configurations.

   Protocol designers should consider how to provide a secure transport,
   authentication, identity, and access control which integrates well
   with existing key and credential management infrastructure.  It is a
   good idea to start with defining the threat model for the protocol,
   and from that deducing what is required.

   Protocol designers should consider how access control lists are
   maintained and updated.

   Standard SNMP notifications or SYSLOG messages
   [I-D.ietf-syslog-protocol] might already exist, or can be defined, to
   alert operators to the conditions identified in the security
   considerations for the new protocol.  For example, you can log all
   the commands entered by the operator using syslog (giving you some
   degree of audit trail), or you can see who has logged on/off using
   SSH from where, failed SSH logins can be logged using syslog, etc.

   An analysis of existing counters might help operators recognize the
   conditions identified in the security considerations for the new
   protocol before they can impact the network.

   RADIUS and DIAMETER can provide authentication and authorization.  A
   protocol designer should consider which attributes would be
   appropriate for their protocol.

   Different management protocols use different assumptions about
   message security and data access controls.  A protocol designer that
   recommends using different protocols should consider how security
   will be applied in a balanced manner across multiple management
   interfaces.  SNMP access
   control is authority levels and policy are data-oriented,
   while CLI access control is authority levels and policy are usually command (task)
   oriented.  Depending on the management function, sometimes
   data-oriented data-
   oriented or task-oriented access control makes approaches make more sense.  Protocol
   designers should consider both data-oriented and task-
   oriented access control.

5. task-oriented
   authority levels and policy.

4.  Documentation Guidelines

   This document is focused on what to think about, and how to document
   the considerations of the protocol designer.

5.1.

4.1.  Recommended Discussions

   A Manageability Considerations section should include discussion of
   the management and operations topics raised in this document, and
   when one or more of these topics is not relevant, it would be useful
   to contain a simple statement explaining why the topic is not
   relevant for the new protocol.  Of course, additional relevant topics
   should be included as well.

   Existing protocols and data models can provide the management
   functions identified in the previous section.  Protocol designers
   should consider how using existing protocols and data models might
   impact network operations.

5.2.

4.2.  Null Manageability Considerations Sections

   A protocol designer may seriously consider the manageability
   requirements of a new protocol, and determine that no management
   functionality is needed by the new protocol.  It would be helpful to
   those who may update or write extensions to the protocol in the
   future or to those deploying the new protocol to know the thinking of
   the working regarding the manageability of the protocol at the time
   of its design.

   If there are no new manageability or deployment considerations, it is
   recommended that a Manageability Considerations section contain a
   simple statement such as "There are no new manageability requirements
   introduced by this document," and a brief explanation of why that is
   the case.  The presence of such a Manageability Considerations
   section would indicate to the reader that due consideration has been
   given to manageability and operations.

   In the case where the new protocol is an extension, and the base
   protocol discusses all the relevant operational and manageability
   considerations, it would be helpful to point out the considerations
   section in the base document.

5.3.

4.3.  Placement of Operations and Manageability Considerations Sections

   If a protocol designer develops a Manageability Considerations
   section for a new protocol, it is recommended that the section be
   placed immediately before the Security Considerations section.
   Reviewers interested in such sections could find it easily, and this
   placement could simplify the development of tools to detect the
   presence of such a section.

6.

5.  IANA Considerations

   This document does not introduce any new codepoints or name spaces
   for registration with IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

7.

6.  Security Considerations

   This document is informational and provides guidelines for
   considering manageability and operations.  It introduces no new
   security concerns.

8.

   The provision of a management portal to a network device provides a
   doorway through which an attack on the device may be launched.
   Making the protocol under development be manageable through a
   management protocol creates a vulnerability to a new source of
   attacks.  Only management protocols with adequate security apparatus,
   such as authentication, message integrity checking, and authorization
   should be used.

   A standard description of the manageable knobs and whistles on a
   protocol makes it easier for an attacker to understand what they may
   try to control and how to tweak it.

   A well-designed protocol is usually more stable and secure.  A
   protocol that can be managed and inspected offers the operator a
   better chance of spotting and quarantining any attacks.  Conversely
   making a protocol easy to inspect is a risk if the wrong person
   inspects it.

   If security events cause logs and or notifications/alerts, a
   concerted attack might be able to be mounted by causing an excess of
   these events.  In other words, the security management mechanisms
   could constitute a security vulnerability.  The management of
   security aspects is important (see Section 3.7).

7.  Acknowledgements

   This document started from an earlier document edited by Adrian
   Farrel, which itself was based on work exploring the need for
   Manageability Considerations sections in all Internet-Drafts produced
   within the Routing Area of the IETF.  That earlier work was produced
   by Avri Doria, Loa Andersson, and Adrian Farrel, with valuable
   feedback provided by Pekka Savola and Bert Wijnen.

   Some of the discussion about designing for manageability came from
   private discussions between Dan Romascanu, Bert Wijnen, Juergen
   Schoenwaelder, Andy Bierman, and David Harrington.

   Thanks to reviewers who helped fashion this document, including
   Adrian Farrell, David Kessens, Dan Romascanu, Ron Bonica, Bert
   Wijnen, Lixia Zhang, Ralf Wolter, Benoit Claise, Brian Carpenter,
   Harald Alvestrand, Juergen Schoenwaelder, and Pekka Savola

9. Savola.

8.  Informative References

   [I-D.ietf-psamp-protocol]       Claise, B., "Packet Sampling (PSAMP)
                                   Protocol Specifications",
                                   draft-ietf-psamp-protocol-09

   [I-D.ietf-opsawg-survey-management]  Harrington, D., "Survey of IETF
                                        Network Management Standards", d
                                        raft-ietf-opsawg-survey-
                                        management-00 (work in
                                        progress), December 2007. March 2009.

   [I-D.ietf-syslog-protocol]           Gerhards, R., "The syslog
                                        Protocol",
                                        draft-ietf-syslog-protocol-23
                                        (work in progress),
                                        September 2007.

   [RFC1034]                            Mockapetris, P., "Domain names -
                                        concepts and facilities",
                                        STD 13, RFC 1034, November 1987.

   [RFC1052]                            Cerf, V., "IAB recommendations
                                        for the development of Internet
                                        network management standards",
                                        RFC 1052, April 1988.

   [RFC1492]                       Finseth, C., "An Access Control
                                   Protocol, Sometimes Called TACACS",

   [RFC1958]                            Carpenter, B., "Architectural
                                        Principles of the Internet",
                                        RFC 1492, July 1993. 1958, June 1996.

   [RFC2119]                            Bradner, S., "Key words for use
                                        in RFCs to Indicate Requirement
                                        Levels", BCP 14, RFC 2119,
                                        March 1997.

   [RFC2205]                            Braden, B., Zhang, L., Berson,
                                        S., Herzog, S., and S. Jamin,
                                        "Resource ReSerVation Protocol
                                        (RSVP) -- Version 1 Functional
                                        Specification", RFC 2205,
                                        September 1997.

   [RFC2439]                            Villamizar, C., Chandra, R., and
                                        R. Govindan, "BGP Route Flap
                                        Damping", RFC 2439,
                                        November 1998.

   [RFC2578]                            McCloghrie, K., Ed., Perkins,
                                        D., Ed., and J. Schoenwaelder,
                                        Ed., "Structure of Management
                                        Information Version 2 (SMIv2)",
                                        STD 58, RFC 2578,
                                   April 1999.

   [RFC2821]                       Klensin, J., "Simple Mail Transfer
                                   Protocol", RFC 2821, April 2001.

   [RFC2863]                       McCloghrie, K. and F. Kastenholz,
                                   "The Interfaces Group MIB", RFC 2863,
                                   June 2000.

   [RFC2865]                       Rigney, C., Willens, S., Rubens, A.,
                                   and W. Simpson, "Remote
                                   Authentication Dial In User Service
                                   (RADIUS)", RFC 2865, June 2000. April 1999.

   [RFC2975]                            Aboba, B., Arkko, J., and D.
                                        Harrington, "Introduction to
                                        Accounting Management",
                                        RFC 2975, October 2000.

   [RFC3060]                            Moore, B., Ellesson, E.,
                                        Strassner, J., and A.
                                        Westerinen, "Policy Core
                                        Information Model -- Version 1
                                        Specification", RFC 3060,
                                        February 2001.

   [RFC3084]                            Chan, K., Seligson, J., Durham,
                                        D., Gai, S., McCloghrie, K.,
                                        Herzog, S., Reichmeyer, F.,
                                        Yavatkar, R., and A. Smith,
                                        "COPS Usage for Policy
                                        Provisioning (COPS-PR)",
                                        RFC 3084, March 2001.

   [RFC3139]                            Sanchez, L., McCloghrie, K., and
                                        J. Saperia, "Requirements for
                                        Configuration Management of IP-based IP-
                                        based Networks", RFC 3139,
                                        June 2001.

   [RFC3198]                            Westerinen, A., Schnizlein, J.,
                                        Strassner, J., Scherling, M.,
                                        Quinn, B., Herzog, S., Huynh,
                                        A., Carlson, M., Perry, J., and
                                        S. Waldbusser, "Terminology for
                                        Policy-Based Management",
                                        RFC 3198, November 2001.

   [RFC3290]                            Bernet, Y., Blake, S., Grossman,
                                        D., and A. Smith, "An Informal
                                        Management Model for Diffserv
                                        Routers", RFC 3290, May 2002.

   [RFC3410]                            Case, J., Mundy, R., Partain,
                                        D., and B. Stewart,
                                        "Introduction and Applicability
                                        Statements for Internet-Standard
                                        Management Framework", RFC 3410,
                                        December 2002.

   [RFC3444]                            Pras, A. and J. Schoenwaelder,
                                        "On the Difference between
                                        Information Models and Data
                                        Models", RFC 3444, January 2003.

   [RFC3460]                            Moore, B., "Policy Core
                                        Information Model (PCIM)
                                        Extensions", RFC 3460,
                                        January 2003.

   [RFC3535]                            Schoenwaelder, J., "Overview of
                                        the 2002 IAB Network Management
                                        Workshop", RFC 3535, May 2003.

   [RFC3585]                            Jason, J., Rafalow, L., and E.
                                        Vyncke, "IPsec Configuration
                                        Policy Information Model",
                                        RFC 3585, August 2003.

   [RFC3644]                            Snir, Y., Ramberg, Y.,
                                        Strassner, J., Cohen, R., and B.
                                        Moore, "Policy Quality of
                                        Service (QoS) Information
                                        Model", RFC 3644, November 2003.

   [RFC3670]                            Moore, B., Durham, D.,
                                        Strassner, J., Westerinen, A.,
                                        and W. Weiss, "Information Model
                                        for Describing Network Device
                                        QoS Datapath Mechanisms",
                                        RFC 3670, January 2004.

   [RFC3805]                            Bergman, R., Lewis, H., and I.
                                        McDonald, "Printer MIB v2",
                                        RFC 3805, June 2004.

   [RFC4741]                            Enns, R., "NETCONF Configuration
                                        Protocol", RFC 4741,
                                        December 2006.

   [RFC5101]                            Claise, B., "Specification of
                                        the IP Flow Information Export
                                        (IPFIX) Protocol for the
                                        Exchange of IP Traffic Flow
                                        Information", RFC 5101,
                                        January 2008.

   [RFC5321]                            Klensin, J., "Simple Mail
                                        Transfer Protocol", RFC 5321,
                                        October 2008.

   [W3C.REC-xmlschema-0-20010502]       Fallside, D., "XML Schema Part
                                        0: Primer", World Wide Web
                                        Consortium FirstEdition REC-xmlschema-0-
                                   20010502, REC-
                                        xmlschema-0-20010502, May 2001, <http://
                                   www.w3.org/TR/2001/
                                        <http://www.w3.org/TR/2001/
                                        REC-xmlschema-0-20010502>.

Appendix A.  Operations and Management Review Checklist

   This appendix provides a quick checklist of issues that protocol
   designers should expect operations and management expert reviewers to
   look for when reviewing a document being proposed for consideration
   as a protocol standard.

A.1.  Operational Considerations

   Has the operations model been discussed? see section 3.1. Section 2.1

      Does the document include a description of the operational model -
      how is this protocol or technology going to be deployed and
      managed?

      Is the proposed specification deployable?  If not, how could it be
      improved?

      Does the solution scale well? well from the operational and management
      perspective?  Does the proposed approach have any scaling issues
      that could affect usability for large scale operation?

      Are there any coexistence issues?

   Has installation and initial setup been discussed? see section 3.2 Section 2.2

      Is the solution sufficiently configurable?

         are

      Are configuration parameters clearly identified?

         are

      Are configuration parameters normalized?

         does

      Does each configuration parameter have a reasonable default value?

      Will configuration be pushed to a device by a configuration
      manager, or pulled by a device from a configuration server?

      How will the devices and managers find and authenticate each
      other?

   Has the migration path been discussed? see section 3.3. Section 2.3

      Are there any backward compatibility issues?

   Have the Requirements on Other Protocols and Functional Components
   been discussed? see section 3.4. Section 2.4.

      What protocol operations are expected to be performed relative to
      the new protocol or technology, and what protocols and data models
      are expected to be in place or recommended to ensure for
      interoperable management?
   Has the Impact on Network Operation been discussed? see section
      3.5. Section 2.5

      Will the new protocol significantly increase traffic load on
      existing networks?

      Will the proposed management for the new protocol significantly
      increase traffic load on existing networks?

      How will the new protocol impact the behavior of other protocols
      in the network?  Will it impact performance (e.g. jitter) of
      certain types of applications running in the same network?

      Does the new protocol need supporting services (e.g.  DNS or AAA)
      added to an existing network?

   Have suggestions for verifying correct operation been discussed? see section 3.6.

      Have suggestions for verifying correct operation
   Section 2.6

      How can one test end-to-end connectivity and throughput?

      Which metrics are of interest?

      Will testing have an impact on the protocol or the network?

   Has management interoperability been discussed? see section 4.1. Section 3.1

      Is a standard protocol needed for interoperable management?

      Is a standard information or data model needed to make properties
      comparable across devices from different vendors?

   Are there fault or threshold conditions that should be reported? see
   Section 3.3

      Does specific management information have time utility?

      Should the information be reported by notifications? polling?
      event-driven polling?

      Is notification throttling discussed?

      Is there support for saving state that could be used for root-
      cause analysis?

   Is configuration discussed? see Section 3.4

      Are configuration defaults, and default modes of operation
      considered?
      Is there discussion of what information should be preserved across
      reboots of the device or the management system?  Can devices
      realistically preserve this information through hard reboots where
      physical configuration might change (e.g. cards might be swapped
      while a chassis is powered down)?

A.2.  Management Considerations

   Do you anticipate any manageability issues with the specification?

      Is Management interoperability discussed? see section 4.1.

         will Section 3.1

         Will it use centralized or distributed management?

         will

         Will it require remote and/or local management applications?

         Are textual or graphical user interfaces required?

         Is textual or binary format for management information
         preferred?

      Is Management Information discussed? see section 4.2. Section 3.2

         What is the minimal set of management (configuration, faults,
         performance monitoring) objects that need to be instrumented in
         order to manage the new protocol?

      Is Fault Management discussed? see section 4.3. Section 3.3

         Is Liveness Detection and Monitoring discussed?

         Does the solution have failure modes that are difficult to
         diagnose or correct?  Are faults and alarms reported and
         logged?

      Is Configuration Management discussed? see section 4.4.

         is Section 3.4

         Is protocol state information exposed to the user?  How? are
         significant state transitions logged?
      Is Accounting Management discussed? see section 4.5. Section 3.5

      Is Performance Management discussed? see section 4.6. Section 3.6

         Does the protocol have an impact on network traffic and network
         devices?  Can performance be measured?

         Is protocol performance information exposed to the user?

      Is Security Management discussed? see section 4.7. Section 3.7

         Does the specification discuss hwo how to manage aspects of
         security, such as access controls, managing key distribution,
         etc.

A.3.  Documentation

   Is an operational considerations and/or manageability section part of
   the document?

   Does the proposed protocol have a significant operational impact on
   the Internet.  If it does, and the document under review targets
   standards track, is their enough Internet?

   Is there proof of implementation and/or operational experience to grant Proposed Standard status? experience?

Appendix B.  Change Log

   -- Note to RFC Editor: Please remove this section upon publication as
   an RFC

   Changes from opsawg-05 to opsawg-06

      Spelling and grammar corrections

      Addressed comments from WGLC.

      Editorial comments

      Addressed most comments from Randy Bush, Bert Wijnen, Adrian
      Farrel,

      Removed IETF Management Framework section.

      Added discussion of standard protocols.

   Changes from opsawg-04 to opsawg-05

      added bullets for appendix checklist

      aligned checklist order and guidelines order

      resolved all DISCUSS and TODO issues.

   Changes from opsawg-03 to opsawg-04

      improved wording in Introduction

      added a number of DISCUSS points raised during WG reviews

      added more wording on service management

      updated references and copyrights

   Changes from opsawg-02 to opsawg-03

   From reviews by Lixia Zhang and feedback from WG Chairs' Lunch.

      added discussion of impact on the Internet to checklist

      spell check

      added examples

      added discussion of default values

      added discussion of database-driven configuration

      fixed some references

      expanded the checklist

   Changes from opsawg-01 to opsawg-02

      moved survey of protocols and data models to separate document

      changed "working group" to "protocol designer" throughout, as
      applicable.

      modified wording from negative to positive spin in places.

      updated based on comments from Ralf Wolter and David Kessens

   Changes from opsawg-00 to opsawg-01

      moved Proposed Standard data models to appendix

      moved advice out of data model survey and into considerations
      section

      addressed comments from Adrian and Dan

      modified the Introduction and Section 2 in response to many
      comments.

      expanded radius and syslog discussion, added psamp and VCCV,
      modified ipfix,

   Changes from harrington-01 to opsawg-00

      added text regarding operational models to be managed.

      Added checklist appendix (to be filled in after consensus is
      reached on main text )

   Changes from harrington-00 to harrington-01

      modified unclear text in "Design for Operations and Management"

      Expanded discussion of counters

      Removed some redundant text

      Added ACLs to Security Management

      Expanded discussion of the status of COPS-PR, SPPI, and PIBs.

      Expanded comparison of RADIUS and Diameter.

      Added placeholders for EPP and XCAP protocols.

      Added Change Log and Open Issues

Author's Address

   David Harrington
   Huawei Technologies USA
   1700 Alma Dr, Suite 100
   Plano, TX  75075
   USA

   Phone: +1 603 436 8634
   Fax:
   EMail: dharrington@huawei.com
   URI:

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.