Network Working Group D. Harrington Internet-Draft Huawei Technologies USA Intended status: BCP
October 27, 2008March 9, 2009 Expires: April 30,September 10, 2009 Guidelines for Considering Operations and Management of New Protocols draft-ietf-opsawg-operations-and-management-05and Protocol Extensions draft-ietf-opsawg-operations-and-management-06 Status of This Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claimsThis Internet-Draft is submitted to IETF in full conformance with the provisions of which heBCP 78 and BCP 79. This document may contain material from IETF Documents or she is aware have beenIETF Contributions published or willmade publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be disclosed,modified outside the IETF Standards Process, and anyderivative works of which he or she becomes aware willit may not be disclosed, in accordance with Section 6 of BCP 79.created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 30,September 10, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract New protocols or protocol extensions are best designed with due consideration of functionality needed to operate and manage the protocol.protocols. Retrofitting operations and management is sub-optimal. The purpose of this document is to provide guidance to authors and reviewers of documents defining new protocols or protocol extensions, about covering aspects of operations and management that should be considered. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 34 1.1. TerminologyDesigning for Operations and Management . . . . . . . . . 4 1.2. This Document . . . . . . . . . . . . . . 4 2. Design for Operations and Management. . . . . . . . 4 1.3. Motivation . . . . . 4 2.1. IETF Management Framework. . . . . . . . . . . . . . . . 5 3. Operational Considerations. . . 5 1.4. Background . . . . . . . . . . . . . . . 6 3.1. Operations Model. . . . . . . . . 6 1.5. Available Management Technologies . . . . . . . . . . . . 6 3.2. Installation and Initial Setup7 1.6. Terminology . . . . . . . . . . . . . . 7 3.3. Migration Path. . . . . . . . . 7 2. Operational Considerations - How Will the New Protocol Fit Into the Current Environment? . . . . . . . . . . . . . 8 3.4. Requirements on Other Protocols and Functional Components. . . 7 2.1. Operations Model . . . . . . . . . . . . . . . . . . . . . 8 3.5. Impact on Network Operation2.2. Installation and Initial Setup . . . . . . . . . . . . . . 8 2.3. Migration Path . . . . . . . 9 3.6. Verifying Correct Operation. . . . . . . . . . . . . . . 9 4. Management Considerations2.4. Requirements on Other Protocols and Functional Components . . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Interoperability2.5. Impact on Network Operation . . . . . . . . . . . . . . . 10 2.6. Verifying Correct Operation . . . . . . 11 4.2. Management Information. . . . . . . . . 11 3. Management Considerations - How Will The Protocol be Managed? . . . . . . . . . . 13 4.3. Fault Management. . . . . . . . . . . . . . . . . 11 3.1. Interoperability . . . . 14 4.3.1. Liveness Detection and Monitoring. . . . . . . . . . 15 4.3.2. Fault Determination. . . . . . . 13 3.2. Management Information . . . . . . . . . . . . 15 4.3.3. Fault Isolation. . . . . . 16 3.2.1. Information Model Design . . . . . . . . . . . . . 16 4.4. Configuration. . 17 3.3. Fault Management . . . . . . . . . . . . . . . . . 16 4.4.1. Verifying Correct Operation. . . . 17 3.3.1. Liveness Detection and Monitoring . . . . . . . . . . 18 4.4.2. Control of Function and Policy3.3.2. Fault Determination . . . . . . . . . . . . . . . 18 4.5. Accounting Management. . 18 3.3.3. Root Cause Analysis . . . . . . . . . . . . . . . . . 18 4.6. Performance Management3.3.4. Fault Isolation . . . . . . . . . . . . . . . . . . . 19 4.7. Security3.4. Configuration Management . . . . . . . . . . . . . . . . . 19 3.4.1. Verifying Correct Operation . . . . . . . . 20 5. Documentation Guidelines. . . . . 20 3.4.2. Control of Function and Policy . . . . . . . . . . . . 21 3.5. Accounting Management . . 22 5.1. Recommended Discussions. . . . . . . . . . . . . . . . 21 3.6. Performance Management . 22 5.2. Null Manageability Considerations Sections. . . . . . . . 22 5.3. Placement of Operations and Manageability Considerations Sections. . . . . . . . . 21 3.6.1. Monitoring the Protocol . . . . . . . . . 23 6. IANA Considerations. . . . . . 22 3.6.2. Monitoring the Device . . . . . . . . . . . . . . . . 23 7. Security Considerations3.6.3. Monitoring the Network . . . . . . . . . . . . . . . . 23 3.6.4. Monitoring the Service . . . . . 23 8. Acknowledgements. . . . . . . . . . . 23 3.7. Security Management . . . . . . . . . . . . . . . . . . . 23 9. Informative References4. Documentation Guidelines . . . . . . . . . . . . . . . . . . . 25 4.1. Recommended Discussions . . . . 24 Appendix A. Operations and Management Review Checklist. . . . . 27 A.1. Operational Considerations. . . . . . . . 25 4.2. Null Manageability Considerations Sections . . . . . . . . 27 A.2. Management25 4.3. Placement of Operations and Manageability Considerations Sections . . . . . . . . . . . . . . . . 28 A.3. Documentation. 26 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 Appendix B. Change Log26 6. Security Considerations . . . . . . . . . . . . . . . . . . . 26 7. Acknowledgements . . 29 1. Introduction Often when new protocols or protocol extensions are developed,. . . . . . . . . . . . . . . . . . . . . 27 8. Informative References . . . . . . . . . . . . . . . . . . . . 27 Appendix A. Operations and Management Review Checklist . . . . . 30 A.1. Operational Considerations . . . . . . . . . . . . . . . . 31 A.2. Management Considerations . . . . . . . . . . . . . . . . 33 A.3. Documentation . . . . . . . . . . . . . . . . . . . . . . 34 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 34 1. Introduction Often when new protocols or protocol extensions are developed, not enough consideration is given to how the protocol will be deployed, operated and managed. Retrofitting operations and management mechanisms is often hard and architecturally unpleasant, and certain protocol design choices may make deployment, operations, and management particularly hard. Since the ease of operations and management may impact the success of IETF protocols, this document provides guidelines to help protocol designers and working groups consider the operations and management functionality needed by their new IETF protocol or protocol extension at an earlier phase. This document suggests1.1. Designing for Operations and Management The operational environment and manageability of the protocol should be considered from the start when new protocols are designed. Protocol designers should consider which operations and management needs are relevant to their protocol, document how those needs could be addressed, and then recommend appropriatesuggest standard management protocols and data models that could be used to address the relevant operations and managementthose needs. This is similar to a WG consideringworking group (WG) that considers which security threats are relevant to their protocol, documents how threats should be mitigated, and then recommendingsuggests appropriate standard securityprotocols tothat could mitigate the relevantthreats. The purpose of this document is to provide guidance about what to consider when thinking about the managementWhen a WG considers operation and deployment ofmanagement functionality for a newprotocol, andthe document should contain enough information to understand how the protocol will be deployed and managed, but the WG should expect that considerations for operations and management may need to be updated in the future, after further operational experience has been gained. 1.2. This Document This document makes a distinction between "Operational Considerations" and "Management Considerations", although the two are closely related. The section on manageability is focused on management technology such as how to utilize management protocols and how to design management data models. The operational considerations apply to operating the protocol within a network, even if there were no management protocol actively being used. The purpose of this document is to provide guidance about what to consider when thinking about the management and deployment of a new protocol, and to provide guidance about documenting the considerations. The following guidelines are designed to help writers provide a reasonably consistent format for such documentation. Separate manageability and operational considerations sections are desirable in many cases, but their structure and location is a decision that can be made from case to case. We want to avoid seeming toThis document does not impose a solution by putting in place a strict terminology - for example implyingsolution, or imply that a formal data model,model is needed, or evenimply that using a specific management protocol is mandatory. If protocol designers conclude that itsthe technology can be managed solely by using proprietary CLIs,command line interfaces (CLIs), and no structured or standardized data model needs to be in place, this might be fine, but it is a decision that should be explicit in a manageability discussion, that this is how the protocol will need to be operated and managed. Protocol designers should avoid having manageability pushed for a later/neverlater phase of the development of the standard. MakingAny decision to make a Management Considerations section a mandatory publication requirement for IETF documents is the responsibility of the IESG, or specific area directors, or working groups, and this document avoids recommending any mandatory publication requirements. For a complex protocol, a completely separate draft on operations and management might be appropriate, or even a completely separate WG effort. This document discusses the importance of considering operations and management. Section 1 introduces the subject and section 2 describes the IETF Management Framework. Section 3 discusses operational functionality to consider. Section 4 discussesmanagement functionality to consider. This document setsby setting forth a list of subjectiveguidelines and a listchecklist of objective criteria byquestions to consider, which a protocol designer or reviewer can use to evaluate whether the protocol that he/she has developed addressesand documentation address common operations and management needs. Operations and management are highly dependent on their environment, so most guidelines are subjective rather than objective. We provide some objective criteria to promote interoperability through1.3. Motivation For years the use of standard management interfaces, such as "did you design counters in a MIB module for monitoring packets in/outIETF community has used the IETF Standard Management Framework, including the Simple Network Management Protocol [RFC3410], the Structure of an interface?" The Interfaces GroupManagement Informatiion [RFC2578], and MIB [RFC2863], "did you write an XML-baseddata modelmodels for configuring your protocol with Netconf?" NETCONF Configuration Protocol [RFC4741], and "did you standardize syslog message contentmanaging new protocols. As the Internet has evolved, operators have found the reliance on one protocol and structured data elementsone schema language for reporting events that might occur when operating your protocol?" [I-D.ietf-syslog-protocol] and "did you consider appropriate notifications in casemanaging all aspects of failure situations?? 1.1. Terminology This document deliberately does not usethe (capitalized) keywords described in RFC 2119 [RFC2119]. RFC 2119 states the keywords must only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions). For example, they must not be usedInternet inadequate. The IESG policy to tryrequire working groups to imposewrite a particular method on implementers where the method is not requiredMIB module to provide manageability for interoperability. This documentnew protocols is being replaced by a set of guidelines based on current practicespolicy that is more open to using a variety of protocol designersmanagement protocols and operators.data models designed to achieve different goals. This document does not describe requirements, so the key words from RFC2119 have no place here. o "new protocol" includes new protocols, protocol extensions, data models, or other functionality being designed. o "protocol designer" represents individuals and working groups involved in the development of new protocols. 2. Design for Operations and Management "Designprovides some initial guidelines for considering operations and management" meansmanagement in an IETF Management Framework that the operational environment and manageabilityconsists of the protocol should be considered from the start when newmultiple protocols are designed. When a WG considers operationand management functionalitymultiple data modeling languages, with an eye toward being flexible while also striving for interoperability. 1.4. Background There have been a protocol, the document should contain enough information to understand how the protocol will be deployedsignificant number of efforts, meetings, and managed, but the WG should expectdocuments that considerations forare related to Internet operations and management may needmanagement. Some of them are mentioned here, to be updated inhelp protocol designers find documentation of previous efforts. Hopefully, providing these references will help the future, after further operational experience has been gained. 2.1.IETF Management Framework For yearsavoid rehashing old discussions and reinventing old solutions. In 1988, the IETF has stressedIAB published IAB Recommendations for the useDevelopment of the IETF StandardInternet Network Management FrameworkStandards [RFC1052] which recommended a solution that, where possible, deliberately separates modeling languages, data models, and MIB modules [RFC2578] for managing new protocols. The IETF designed these to permit multiplethe protocols that carry data. The goal is to utilize the MIBallow standardized information and data [RFC1052], but it became a common misunderstanding that a MIB module could onlymodels to be used with the SNMP protocol (described in [RFC3410] and associated documents).by different protocols. In 2001, OPS Area design teams were created to document requirements related to configuration of IP-based networks. One output was "Requirements for Configuration Management of IP-based Networks" [RFC3139]. In 2003, the Internet Architecture Board (IAB) held a workshop on Network Management [RFC3535] that discussed the strengths and weaknesses of some IETF network management protocols, and compared them to operational needs, especially configuration. One issue discussed was the user-unfriendliness of the binary format of SNMP and COPS Usage for Policy Provisioning (COPS-PR) [RFC3084], and it was recommended that the IETF explore an XML-based Structure of Management Information, and an XML-based protocol for configuration. Another conclusion was that the tools for event/alarm correlation and for root cause analysis and logging are not sufficient, and that there is a need to support a human interface and a programmatic interface. The IETF decided to standardize aspects of the de facto standard for system logging security and programmatic support. In 2006, the IETF discussed whether the Management Framework should be updated to accommodate multiple IETF schema languages for describing the structure of management information, and multiple IETF standard protocols for doing network management. 1.5. Available Management Technologies The IETF has a number of standard management technologies available. These include SNMP, SYSLOG, RADIUS, DIAMETER, NETCONF, IPFIX, and others. These protocol standards, pointers to the documents that define them, and standard information and data models for specific functionality, are described in "Survey of IETF Network Management Standards" [I-D.ietf-opsawg-survey-management] 1.6. Terminology This document provides some initial guidelinesdeliberately does not use the (capitalized) keywords described in RFC 2119 [RFC2119]. RFC 2119 states the keywords must only be used where it is actually required for considering operationsinteroperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions). For example, they must not be used to try to impose a particular method on implementers where the method is not required for interoperability. This document is a set of guidelines based on current practices of protocol designers and management inoperators. This document does not describe requirements, so the key words from RFC2119 have no place here. o CLI: Command Line Interface o Data model: A mapping of the contents of an IETF Management Frameworkinformation model into a form that consistsis specific to a particular type of data store or repository. o Information model: An abstraction and representation of the entities in a managed environment, their properties, attributes and operations, and the way that they relate to each other. It is independent of multiple protocols and multipleany specific repository, software usage, protocol, or platform. o "new protocol" includes new protocols, protocol extensions, data models, with an eye towardor other functionality being flexible while also striving for interoperability. 3.designed. o "protocol designer" represents individuals and working groups involved in the development of new protocols. 2. Operational Considerations - How Will the New Protocol Fit Into the Current Environment? Designers of a new protocol should carefully consider the operational aspects. To ensure that a protocol will be practical to deploy in the real world, it is not enough to merely define it very precisely in a well-written document. Operational aspects will have a serious impact on the actual success of a protocol. Such aspects include bad interactions with existing solutions, a difficult upgrade path, difficulty of debugging problems, difficulty configuring from a central database, or a complicated state diagram that operations staff will find difficult to understand. BGP flap damping [RFC2439] is an example. It was designed to block high frequency route flaps, however the design did not consider the existence of BGP path exploration/slow convergence. In real operations, path exploration caused false flap damping, resulting in loss of reachability. As a result, most places turned flap damping off. Some Regional Internet Registries evenissued an official recommendation for turning it off. 220.127.116.11. Operations Model Protocol designers can analyze the operational environment and mode of work in which the new protocol or extension will work. Such an exercise need not be reflected directly by text in their document, but could help in visualizing the operational model related to the applicability of the protocol in the Internet environments where it will be deployed. The operational model should take into account factors such as: o what type of management entities will be involved (agents, network management systems)? o whatA key question is how the possible architecture (client-server, manager-agent, poll-driven or event-driven, autoconfiguration, two levels or hierarchical)? o what areprotocol can operate "out of the management operations - initial configuration, dynamic configuration, alarm and exception reporting, logging, performance monitoring, performance reporting, debugging? o how are these operations performed - locally, remotely, atomic operation, scripts? Are they performed immediately or time scheduled or event triggered? o whatbox". If implementers are free to select their own defaults, the typical user interfaces - Command line (CLI) or graphical user interface (GUI)? Protocol designers should consider how the newprotocol will be managed in different deployment scales. It might be sensibleneeds to use a local management interfaceoperate well with any choice of values. If there are sensible defaults, these need to manage the new protocol on a single device, but in a large network, remote management using a centralized server and/or using distributed management functionality might make more sense. Auto-configuration and default parameters mightbe possible for some new protocols.stated. There may be a need to support a human interface, e.g., for troubleshooting, and a programmatic interface, e.g., for automated monitoring and root cause analysis. It might be important that the internal method routines used by theThe application programming interfaces and the human interfaces should be the samehuman interfaces might benefit from being similar to ensure that data exchanged betweenthe information exposed by these two interfaces is always consistent. Mixing methods leadsconsistent when presented to inconsistency, so identifyingan operator. Identifying consistent methods of retrieving informationdetermining information, such as what gets counted in a specific counter, is relevant. Protocol designers should consider what management operations are expected to be performed as a result of the deployment of the protocol - such as whether write operations will be allowed on routers and on hosts, or whether notifications for alarms or other events will be expected. 18.104.22.168. Installation and Initial Setup Anything that can be configured can be misconfigured. "Architectural Principles of the Internet" [RFC1958] Section 3.8 states: "Avoid options and parameters whenever possible. Any options and parameters should be configured or negotiated dynamically rather than manually." To simplify configuration, protocol designers should consider specifying reasonable defaults, including default modes and parameters. For example, it could be helpful or necessary to specify default values for modes, timers, default state of logical control variables, default transports, and so on. Even if default values are used, it must be possible to retrieve all the actual values or at least an indication that known default values are being used. Protocol designers should consider how to enable operators to concentrate on the configuration of the network as a whole rather than on individual devices. Of course, how one accomplishes this is the hard part. It is desirable to discuss the background of chosen default values, or perhaps why a range of values makes sense. In many cases, as technology changes, the values in an RFC might make less and less sense. It is very useful to understand whether defaults are based on best current practice and are expected to change as technologies advance or whether they have a more universal value that should not be changed lightly. For example, the default interface speed might be expected to change over time due to increased speeds in the network, and cryptographical algorithms might be expected to change over time as older algoithmsalgorithms are "broken". it is extremely important to set a sensible default value for all parameters theThe default value should stay on the conservative side rather than on the "optimizing performance" side. (example: the initial RTT and RTTvar values of a TCP connection) forFor those parameters that are speed-dependent, instead of using a constant, try to set the default value as a function of the link speed or some other relevant factors. This would help reduce the chance of problems caused by technology advancement. 22.214.171.124. Migration Path If the new protocol is a new version of an existing one, or if it is replacing another technology, the protocol designer should consider how deployments should transition to the new protocol. This should include co-existence with previously deployed protocols and/or previous versions of the same protocol, incompatibilities between versions, translation between versions, and side-effects that might occur. Are older protocols or versions disabled or do they co-exist in the network with the new protocol? 3.4.Many protocols benefit from being incrementally deployable - operators may deploy aspects of a protocol before deploying the protocol fully. 2.4. Requirements on Other Protocols and Functional Components Protocol designers should consider the requirements that the new protocol might put on other protocols and functional components, and should also document the requirements from other protocols and functional elements that have been considered in designing the new protocol. These considerations should generally remain illustrative to avoid creating restrictions or dependencies, or potentially impacting the behavior of existing protocols, or restricting the extensibility of other protocols, or assuming other protocols will not be extended in certain ways. If restrictions or dependencies exist, they should be stated. For example, the design of Resource ReSerVation Protocol (RSVP) [RFC2205] required each router to look at the RSVP PATH message, and if the router understood RSVP, to add its own address to the message to enable automatically tunneling through non-RSVP routers. But in reality routers cannot look at an otherwise normal IP packet, and potentially take it off the fast path! The initial designers overlooked that a new "deep packet inspection" requirement was being put on the functional components of a router. The "router alert" option was finally developed to solve this problem for RSVP and other protocols that require the router to take some packets off the fast forwarding path. 126.96.36.199. Impact on Network Operation The introduction of a new protocol or extensions to an existing protocol may have an impact on the operation of existing networks. Protocol designers should outline such impacts (which may be positive) including scaling concerns and interactions with other protocols. For example, a new protocol that doubles the number of active, reachable addresses in use within a network might need to be considered in the light of the impact on the scalability of the IGPsinterior gateway protocols operating within the network. A protocol could send active monitoring packets on the wire. If we don't pay attention, we might get very good accuracy, but at the cost of using all the available bandwidth. The protocol designer should consider the potential impact on the behavior of other protocols in the network and on the traffic levels and traffic patterns that might change, including specific types of traffic such as multicast. Also consider the need to install new components that are added to the network as result of the changes in the operational model, such as servers performing auto-configuration operations. The protocol designer should consider also the impact on infrastructure applications like DNS [RFC1034], the registries, or the size of routing tables. For example, Simple Mail Transfer Protocol (SMTP) [RFC2821][RFC5321] servers use a reverse DNS lookup to filter out incoming connection requests. When Berkeley installed a new spam filter, their mail server stopped functioning because of the DNS cache resolver overload. The impact on performance may also be noted - increased delay or jitter in real-time traffic applications, or response time in client- server applications when encryption or filtering are applied. It is important to minimize the impact caused by configuration changes. Given configuration A and configuration B, it should be possible to generate the operations necessary to get from A to B with minimal state changes and effects on network and systems. 188.8.131.52. Verifying Correct Operation The protocol designer should consider techniques for testing the effect that the protocol has had on the network by sending data through the network and observing its behavior (aka active monitoring). Protocol designers should consider how the correct end- to-end operation of the new protocol in the network can be tested actively and passively, and how the correct data or forwarding plane function of each network element can be verified to be working properly with the new protocol. Which metrics are of interest? Having simple protocol status and health indicators on network devices is a recommended means to check correct operation. 4.3. Management Considerations - How Will The Protocol be Managed? The considerations of manageability should start from describing the operationaloperations model, which includes identifying the entities to be managed, how the respectivemanaged protocol is supposed to be installed, configured and monitored, who are the managers and what type of management interfaces and protocols they would use.monitored. Considerations for management should include a discussion of what needs to be managed, and how to achieve various management tasks. Where are the managers and what type of management interfaces and protocols will they need? The "write a MIB module" approach to considering management often focuses on monitoring a protocol endpoint on a single device. A MIB module document typically only considers monitoring properties observable at one end, while the document does not really cover managing the *protocol* (the coordination of multiple ends), and does not even come near managing the *service* (which includes a lot of stuff that is very far away from the box). This is exactly what operators hate - you need to be able to manage both ends. As [RFC3535] says, MIB modules can often be characterized as a list of ingredients withoutlist of ingredients without a recipe. The management model should take into account factors such as: o what type of management entities will be involved (agents, network management systems)? o what is the possible architecture (client-server, manager-agent, poll-driven or event-driven, autoconfiguration, two levels or hierarchical)? o what are the management operations - initial configuration, dynamic configuration, alarm and exception reporting, logging, performance monitoring, performance reporting, debugging? o how are these operations performed - locally, remotely, atomic operation, scripts? Are they performed immediately or time scheduled or event triggered? Protocol designers should consider how the new protocol will be managed in different deployment scales. It might be sensible to use a local management interface to manage the new protocol on a single device, but in a large network, remote management using a recipe.centralized server and/or using distributed management functionality might make more sense. Auto-configuration and default parameters might be possible for some new protocols. Management needs to be considered not only from the perspective of a device, but also from the perspective of network and service management perspectives. A service might be network and operational functionality derived from the implementation and deployment of a new protocol. Often an individual network element is not aware of the service being delivered. WGs should consider how to configure multiple related/co-operating devices and how to back off if one of those configurations fails or causes trouble. NETCONF [RFC4741] addresses this in a generic manner by allowing an operator to lock the configuration on multiple devices, perform the configuration settings/changes, check that they are OK (undo if not) and then unlock the devices. Techniques for debugging protocol interactions in a network must be part of the network management discussion. Implementation source code should be debugged before ever being added to a network, so asserts and memory dumps do not normally belong in management data models. However, debugging on-the-wire interactions is a protocol issue: while the messages can be seen by sniffing, it is enormously helpful if a protocol has hooks tospecification supports features that make debugging of network interactions easy, and/or is designedand behaviors easier. There could be alerts issued when messages are received, or when there are state transitions in such a way that debuggingthe protocol behaviors is easy. Hand-waving this awaystate machine. However, the state machine is often not somethingpart of the on-the-wire protocol; the state machine explains how the protocol works so that operators like ...an implementer can decide, in an implementation-specific manner, how to react to a received event. In a client/server protocol, it may be more important to instrument the server end of a protocol than the client end. 4.1.end, since the performance of the server might impact more nodes than the performance of a specific client. 3.1. Interoperability Just as when deploying protocols that will inter-connect devices, our primary goal in considering management should be interoperability, whether across devices from different vendors, across models from the same vendor, or across different releases of the same product. Management interoperability refers to allowing information sharing and operations between multiple devices and multiple management applications, often from different vendors. Interoperability allows for the use of 3rd party applications and the outsourcing of management services. Some product designers and protocol designers assume that if a device can be managed individually using a command line interface or a web page interface, that such a solution is enough. But when equipment from multiple vendors is combined into a large network, scalability of management becomes a problem. It is important to have consistency in the management interfaces so network-wide operational processes can be automated. For example, a single switch might be easily managed using an interactive web interface when installed in a single office small business, but when, say, a fast food company installs similar switches from multiple vendors in hundreds or thousands of individual branches and wants to automate monitoring them from a central location, monitoring vendor-and-model-specific web pages would be difficult to automate. Getting everybody to agree on a single syntax and an associated protocol to do all management has proven to be difficult. So management systems tend to speak whatever the boxes support, whether the IETF likes this or not. The IETF is moving from support for one schema language for modeling the structure of management information (Structure of Management Information Version 2 (SMIv2) [RFC2578]) and one simple network management protocol (Simple Network Management Protocol (SNMP) [RFC3410]) towards support for additional schema languages and additional management protocols suited to different purposes. Other Standard Development Organizations (e.g. DMTF, TMF) also define schemas and protocols for management and these may be more suitable than IETF schemas and protocols in some cases. Some of the alternatives being considered include XML Schema Definition [W3C.REC-xmlschema-0-20010502] and others and NETCONF Configuration Protocol [RFC4741] IP Flow Information Export (IPFIX) Protocol [RFC5101]) for usage accounting The syslog Protocol [I-D.ietf-syslog-protocol] for logging and others Interoperability needs to be considered on the syntactic level and the semantic level. While it can be irritating and time-consuming, application designers including operators who write their own scripts can make their processing conditional to accommodate syntactic differences across vendors or models or releases of product. Semantic differences are much harder to deal with on the manager side - once you have the data, its meaning is a function of the managed entity. For example, if a single counter provided by vendor A counts three types of error conditions, while the corresponding counter provided by vendor B counts seven types of error conditions, these counters cannot be compared effectively - they are not interoperable counters. Information models are helpful to try to focus interoperability on the semantic level - they establish standards for what information should be gathered, and how gathered information might be used regardless of which management interface carries the data or which vendor produces the product. The use of an information model might help improve the ability of operators to correlate messages in different protocols where the data overlaps, such as a SYSLOG message and an SNMP notification about the same event. An information model might identify which error conditions should be counted separately, and which error conditions can be counted together in a single counter. Then, whether the counter is gathered via SNMP or a CLI command or a SYSLOG message, the counter will have similarthe same meaning. Protocol designers should consider which information might be useful for managing the new protocol or protocol extensions. IM --> conceptual/abstract model | for designers and operators +----------+---------+ | | | DM DM DM --> concrete/detailed model for implementers Information Models and Data Models Figure 1 On the Difference between Information Models and Data Models [RFC3444] may be useful in determining what information to consider regarding information models, as compared to data models. Information models should come from the protocol WGs and include lists of events, counters and configuration parameters that are relevant. There are a number of information models contained in protocol WG RFCs. Some examples: o [RFC3060] - Policy Core Information Model version 1 o [RFC3290] - An Informal Management Model for DiffServ Routers o [RFC3460] - Policy Core Information Model Extensions o [RFC3585] - IPsec Configuration Policy Information Model o [RFC3644] - Policy Quality of Service Information Model o [RFC3670] - Information Model for Describing Network Device QoS Datapath Mechanisms o [RFC3805] - Printer MIB v2 (containscontains both an IM and a DM Management protocol standards and management data model standards often contain compliance clauses to ensure interoperability. Manageability considerations should include discussion of which level of compliance is expected to be supported for interoperability. 184.108.40.206. Management Information Languages used to describe an information model can influence the nature of the model. Using a particular data modeling language, such as the SMIv2, influence the model to use certain types of structures, such as two-dimensional tables. This document recommends using English text (the official language for IETF specifications) to describe an information model. A sample data model could be developed to demonstrate the information model. A management information model should include a discussion of what is manageable, which aspects of the protocol need to be configured, what types of operations are allowed, what protocol-specific events might occur, which events can be counted, and for which events should an operator be notified. Operators find it important to be able to make a clear distinction between configuration data, operational state, and statistics. They need to determine which parameters were administrativeadministratively configured and which parameters have changed since configuration as the result of mechanisms such as routing protocols or network management protocols. It is important to be able to separately fetch current configuration data,information, initial configuration information, operational state data,information, and statistics from devices, and to be able to compare current state to initial state, and to compare datainformation between devices. So when deciding what information should exist, do not conflate multiple information elements into a single element. What is typically difficult to work through are relationships between abstract objects. Ideally an information model would describe the relationships between the objects and concepts in the information model. Is there always just one instance of this object or can there be multiple instances? Does this object relate to exactly one other object or may it relate to multiple? When is it possible to change a relationship? Do objects (such as rows in tables) share fate? For example, if a row in table A must exist before a related row in table B can be created, what happens to the row in table B if the related rowrelated row in table A is deleted? Does the existence of relationships between objects have an impact on fate sharing? 3.2.1. Information Model Design This document recommends keeping the information model as simple as possible by applying the following criteria: 1. Start with a small set of essential objects and add only as further objects are needed. 2. Require that objects be essential for management. 3. Consider evidence of current use and/or utility. 4. Limit the total number of objects. 5. Exclude objects that are simply derivable from others in tablethis or other information models. 6. Avoid causing critical sections to be heavily instrumented. A guideline is deleted? Does the existence of relationships between objects have an impact on fate sharing? 4.3.one counter per critical section per layer. 3.3. Fault Management The protocol designer should document the basic faults and health indicators that need to be instrumented for the new protocol, and the alarms and events that must be propagated to management applications or exposed through a data model. The protocol designer should consider how faultsfault information will be propagated. Will it be done using asynchronous notifications or polling of health indicators? If notifications are used to alert operators to certain conditions, then the protocol designer should discuss mechanisms to throttle notifications to prevent congestion and duplications of event notifications. Will there be a hierarchy of faults, and will the fault reporting be done by each fault in the hierarchy, or will only the lowest fault be reported and the higher levels be suppressed? shouldShould there be aggregated status indicators based on concatenation of propagated faults from a given domain or device? SNMP notifications and SYSLOG messages can alert an operator when an aspect of the new protocol fails or encounters an error or failure condition, and SNMP is frequently used as a heartbeat monitor. Should the event reporting provide gyaranteedguaranteed accurate delivery of the event information within a given (high) margin of confidence? Can we poll the latest events in the box? 220.127.116.11.3.1. Liveness Detection and Monitoring Liveness detection and monitoring applies both to the control plane and the data plane. Mechanisms for detecting faults in the control plane or for monitoring its liveness are usually built into the control plane protocols or inherited from underlying data plane or forwarding plane protocols. These mechanisms do not typically require additional management capabilities. However, when a system detects a control plane fault, there is often a requirement to coordinate recovery action through management applications or at least to record the fact in an event log. Where the protocol is responsible for establishing data or user plane connectivity, liveness detection and monitoring usually need to be achieved through other mechanisms. In some cases, these mechanisms already exist within other protocols responsible for maintaining lower layer connectivity, but it will often be the case that new procedures are required to detect failures in the data path and to report rapidly, allowing remedial action to be taken. Protocol designers should always build in basic testing features (e.g. ICMP echo, UDP/TCP echo service, NULL RPC calls) that can be used to test for liveness, with an option to enable and disable them. 18.104.22.168.3.2. Fault Determination It can be helpful to describe how faults can be pinpointed using management information. For example, counters might record instances of error conditions. Some faults might be able to be pinpointed by comparing the outputs of one device and the inputs of another device looking for anomalies. How do you distinguish between faulty messages and good messages? Would some threshold-based mechanisms, such as RMON events/alarms or the EVENT-MIB, be useable to help determine error conditions? Are SNMP notifications for all events needed, or are there some "standard" notifications that could be used? or can the rightrelevant counters that canbe polled as needed? 22.214.171.124.3.3. Root Cause Analysis Root cause analysis is about working out where in the network the fault is. For example, if end-to-end data delivery is failing (reported by a notification), root cause analysis can help find the failed link or node in the end-to-end path. 3.3.4. Fault Isolation It might be useful to isolate or quarantine faults, such as isolating a systemdevice that emits malformed messages that are necessary to coordinate connections properly. Spanning tree comes to mind.This might be able to be done by configuring next-hop devices to drop the faulty messages to prevent them from entering the rest of the network. 126.96.36.199. Configuration Management A protocol desoignersdesigner should document whatthe basic configuration parameters that need to be instrumented for a new protocol, as well as default values and modes of operation. What information should be maintained across reboots of the device, or restarts of the management system? "Requirements for Configuration Management of IP-based Networks" [RFC3139] discusses requirements for configuration management. This document includesmanagement, including discussion of different levels of management, including high-level-policies,high-level- policies, network-wide configuration data, and device-local configuration. A number of efforts have existed in the IETF to develop policy-based management. "Terminology for Policy-Based Management" [RFC3198] was written to standardize the terminology across these efforts. Some of the efforts resulted in proposalsNetwork configuration is not just multi-device push or pull. It is knowing that the configurations being pushed are NOT RECOMMENDED, so a protocol designer should checksemantically compatible. Is the current recommendation status before dependingcircuit between them configured compatibly on a specific protocol suggestion. Itboth ends? is highly desirable that text processing tools such as diff, and version management tools such as RCS or CVS or SVN, can be used to process configurations. This approach simplifies comparingthe current operational state tois-is metric the initial configuration. It is commonplace to compare configuration changes to e.g., last day, last week, last month, etc. -- having configuration in a text, and human- understandable format is very valuablesame? ... now do that for various reasons such as change control (or verification), configuration consistency checks, etc. With structured text such as XML, simple text diffs may be found1,000 devices. A number of efforts have existed in the IETF to be inadequate and more sophisticated tools may be neededdevelop policy-based management. "Terminology for Policy-Based Management" [RFC3198] was written to make any useful comparison of versions. To simplify such configuration comparisons, devicesstandardize the terminology across these efforts. Implementations should not arbitrarily reorder data suchmodify configuration data. In some cases (such as access control lists.Access Control Lists) the order of data items is significant and comprises part of the configured data. If a protocol designer defines mechanisms for configuration, it would be desirable to standardize the order of elements for consistency of configuration and of reporting across vendors, and across releases from vendors. There are two parts to this: 1. An NMS system could optimize ACLsaccess control lists (ACLs) for performance reasons 2. Unless the device/NMSdevice/ NMS systems has correct rules/a lot of experience, reordering ACLs can lead to a huge security issue. Network wide configurations are ideallymay be stored in central master databases and transformed into formats that can be pushed to devices, either by generating sequences of CLI commands or complete configuration files that are pushed to devices. There is no common database schema for network configuration, although the models used by various operators are probably very similar. It isMany operators consider it desirable to extract, document, and standardize the common parts of these network wide configuration database schemas. A protocol designer should consider how to standardize the common parts of configuring the new protocol, while recognizing thethat vendors will likelymay also have proprietary aspects of their configurations. It is important to distinguish between the distribution of configurations and the activation of a certain configuration. Devices should be able to hold multiple configurations. NETCONF [RFC4741], for example, differentiates between the "running" configuration and "candidate" configurations. It is important toenable operators to concentrate on the configuration of the network as a whole rather than individual devices. Support for configuration transactions across a number of devices wouldcould significantly simplify network configuration management. The ability to distribute configurations to multiple devices, or modify "candidatecandidate configurations on multiple devices, and then activate them in a near-simultaneous manner might help. Protocol designers can consider how it would make sense for their protocol to be configured across multiple devices. Configuration- templates might also be helpful. Consensus of the 2002 IAB Workshop [RFC3535] was that textual configuration files should be able to contain international characters. Human- readableHuman-readable strings should utilize UTF-8, and protocol elements should be in case insensitive ASCII. A mechanism to dump and restore configurations is a primitive operation needed by operators. Standards for pulling and pushing configurations from/to devices are desirable. Given configuration A and configuration B, it should be possible to generate the operations necessary to get from A to B with minimal state changes and effects on network and systems. It is important to minimize the impact caused by configuration changes. Many protocol specifications include timers that are used as part of operation of the protocol. These timers may needshould have default values suggested in the protocol specification and domay not need to be otherwise configurable. 188.8.131.52.4.1. Verifying Correct Operation An important function that should be provided is guidance on how to verify the correct operation of a protocol. A protocol designer could suggest techniques for testing the impact of the protocol on the network before it is deployed, and techniques for testing the effect that the protocol has had on the network after being deployed. Protocol designers should consider how to test the correct end-to-end operation of the network, and how to verify the correct data or forwarding plane function of each network element. This may be achieved through status and statistical information from network devices. 184.108.40.206.4.2. Control of Function and Policy A protocol designer should consider the configurable items that exist for the control of function via the protocol elements described in the protocol specification. For example, Sometimessometimes the protocol requires that timers can be configured by the operator to ensure specific policy-based behavior by the implementation. 220.127.116.11. Accounting Management A protocol designer should consider whether it would be appropriate to collect usage information related to this protocol, and if so, what usage information would be appropriate to collect?collect. "Introduction to Accounting Management" [RFC2975] discusses a number of factors relevant to monitoring usage of protocols for purposes of capacity and trend analysis, cost allocation, auditing, and billing. ThisThe document also discusses how Remote Authentication Dial In User Service (RADIUS) [RFC2865], Terminal Access Controller Access Control System (TACACS) [RFC1492], SNMP, IPFIX, and Packet Sampling (PSAMP) Protocol [I-D.ietf-psamp-protocol]some existing protocols can be used for these purposes. These factors should be considered when designing a protocol whose usage might need to be monitored, or when recommending a protocol to do usage accounting. 18.104.22.168. Performance Management ConsiderFrom a manageability point of view it is important to determine how well a network deploying the protocol or technology defined in the document is doing. In order to do this the network operators need to consider information that would be useful when tryingto determine the performance characteristics of a deployed system using the target protocol. There are several parts toThe Benchmarking Methodology WG (BMWG) has defined recommendations for the measurement of the performance management to be considered: protocol monitoring,characteristics of various internetworking technologies in a laboratory environment, including the systems or services monitoring, and device monitoring (the impactthat are built from these technologies. Each recommendation describes the class of equipment, system, or service being addressed; discuss the new protocol/service activation onperformance characteristics that are pertinent to that class; clearly identify a set of metrics that aid in the device). From a manageability pointdescription of view it is importantthose characteristics; specify the methodologies required to determine how well a network deployingcollect said metrics; and lastly, present the protocolrequirements for the common, unambiguous reporting of benchmarking results. Performance metrics may be useful in multiple environments, and for different protocols. The IP Performance Monitoring (IPPM) WG or technologyBenchmarking (BMWG) WG may have already defined inmetrics that would be useful for the document is doing.new protocol. In order to do this the network operatorssome cases, new metrics need to consider information thatbe defined. It would be useful to determineif the performance characteristics of a deployed system usingprotocol documentation identified the target protocol. Consider scalability,need for such as whethernew metrics. For performance will be affected by the number of protocol connections. If so, thenmonitoring, it might be useful to provide information about the maximum number of table entries that should be expectedis often important to be modeled, how many entries an implementation can support, the current number of instances, andreport the expected behavior whentime spent in a state rather than the current instances exceed the capacitystate. Snapshots are of the implementation. This should be considered in a data-modeling independent manner - what makes managed-protocol sense, not what makes management-protocol-sense. If it is not managed-protocol- dependent, then it should be leftless value for the management-protocol data modelersperformance monitoring. There are several parts to decide. For example, VLAN identifiers have a range of 1..4095 because of the VLAN standards. A MIB implementing a VLAN table should be ableperformance management to support 4096 entries because the content being modeled requires it. Any recommendation in the document shouldbe data-modeling language independent. Theconsidered: protocol document should make clearmonitoring, device monitoring (the impact of the limitations implicit withinnew protocol/service activation on the protocoldevice), network monitoring, and service monitoring (the impact of service activation on the behavior when limits are exceeded. Considernetwork). 3.6.1. Monitoring the capabilityProtocol Certain properties of determining the operational activity, such asprotocols are useful to monitor. The number of protocol packets received, the number of message inpackets sent, and the messages out, thenumber of received messages rejected duepackets dropped are usually very helpful to format problems,operators. Packet drops should be reflected in counter variable(s) somewhere that can be inspected - both from the expected behaviors when a malformed messagesecurity point of view and from the troubleshooting point of view. Counter definitions should be unambiguous about what is received.included in the count, and what is not included in the count. Consider the expected behaviors for counters - what is a reasonable maximum value for expected usage? shouldShould they stop counting at the maximum value and retain the maximum value, or should they rollover? How can users determine if a rollover has occurred, and how can users determine if more than one rollover has occurred? Consider whether multiple management applications will share a counter; if so, then no one management application should be allowed to reset the value to zero since this will impact other applications. Could events, such as hot-swapping a blade in a chassis, cause discontinuities in information?counter? Does this make any difference in evaluating the performance of a protocol? For performance monitoring,The protocol document should make clear the limitations implicit within the protocol and the behavior when limits are exceeded. This should be considered in a data-modeling independent manner - what makes managed-protocol sense, not what makes management-protocol- sense. If constraints are not managed-protocol-dependent, then it is often importantshould be left for the management-protocol data modelers to reportdecide. For example, VLAN identifiers have a range of 1..4095 because of the VLAN standards. A MIB implementing a VLAN table should be able to support 4096 entries because the content being modeled requires it. 3.6.2. Monitoring the Device Consider whether device performance will be affected by the number of protocol entities being instantiated on the device. Designers of an information model should include information, accessible at runtime, about the maximum number of instances an implementation can support, the current number of instances, and the time spent in a state rather thanexpected behavior when the current state. Snapshots areinstances exceed the capacity of less value for performance monitoring. The Benchmarking Methodology WG (bmwg) has defined recommendations forthe measurementimplementation or the capacity of the performance characteristicsdevice. Designers of various internetworking technologies inan information model should model information, accessible at runtime, about the maximum number of protocol entity instances an implementation can support on a laboratory environment, includingdevice, the systems or services that are built from these technologies. Each recommendation describescurrent number of instances, and the classexpected behavior when the current instances exceed the capacity of equipment, system, or service being addressed; discussthe device. 3.6.3. Monitoring the Network Consider whether network performance characteristics that are pertinent to that class; clearly identify a setwill be affected by the number of metrics that aid inprotocol entities being deployed. Consider the descriptioncapability of those characteristics; specifydetermining the methodologies required to collect said metrics;operational activity, such as the number of messages in and lastly, presentthe requirements formessages out, the common, unambiguous reportingnumber of benchmarking results.received messages rejected due to format problems, the expected behaviors when a malformed message is received. What are the principal performance factors that need to be looked at when measuring the operational performance of the protocol implementations?network built using the protocol? Is it important to measure setup times? throughput? quality versus throughput? interruptions?end-to-end throughput? end- to-end quality?connectivity? hop-to-hop connectivity? network throughput? In many cases3.6.4. Monitoring the performance metricsService What are generic and already defined by work done inthe IPPM WG, or BMWG for example, but in some cases new metricsprincipal performance factors that need to be defined. It would be useful iflooked at when measuring the document would identifyperformance of a service using the need for such new metrics. 4.7.protocol? Is it important to measure application-specific throughput? client- server associations? end-to-end application quality? service interruptions? user experience? 3.7. Security Management Protocol designers should consider how to monitor and to manage security aspects and vulnerabilities of the new protocol. There will be security considerations related to the new protocol. To make it possible for operators to be aware of security-related events, it is recommended that system logs should record events, such as failed logins, but the logs must be secured. Should a system automatically notify operators of every event occurrence, or should an operator-defined threshold control when a notification is sent to an operator? Should certain statistics be collected about the operation of the new protocol that might be useful for detecting attacks, such as the receipt of malformed messages, or messages out of order, or messages with invalid timestamps? If such statistics are collected, is it important to count them separately for each sender to help identify the source of attacks? Manageability considerations that are security-oriented might include discussion of the security implications when no monitoring is in place, the regulatory implications of absence of audit-trail or logs in enterprises, exceeding the capacity of logs, and security exposures present in chosen / recommended management mechanisms. Consider security threats that may be introduced by management operations. For example CAPWAP breaks the structure of monolithic Access Points (AP) into Access Controllers and Wireless Termination Points (WTP). By using a management interface, internal information that was previously not accessible is now exposed over the network and to management applications and may become a source of potential security threats. The granularity of access control needed on management interfaces needs to match operational needs. Typical requirements are a role- based access control model and the principle of least privilege, where a user can be given only the minimum access necessary to perform a required task. It must be possibleSome operators wish to do consistency checks of access control lists across devices. Protocol designers should consider information models to promote comparisons across devices and across vendors to permit checking the consistency of security configurations. Protocol designers should consider how to provide a secure transport, authentication, identity, and access control which integrates well with existing key and credential management infrastructure. It is a good idea to start with defining the threat model for the protocol, and from that deducing what is required. Protocol designers should consider how access control lists are maintained and updated. Standard SNMP notifications or SYSLOG messages [I-D.ietf-syslog-protocol] might already exist, or can be defined, to alert operators to the conditions identified in the security considerations for the new protocol. For example, you can log all the commands entered by the operator using syslog (giving you some degree of audit trail), or you can see who has logged on/off using SSH from where, failed SSH logins can be logged using syslog, etc. An analysis of existing counters might help operators recognize the conditions identified in the security considerations for the new protocol before they can impact the network. RADIUS and DIAMETER can provide authentication and authorization. A protocol designer should consider which attributes would be appropriate for their protocol.Different management protocols use different assumptions about message security and data access controls. A protocol designer that recommends using different protocols should consider how security will be applied in a balanced manner across multiple management interfaces. SNMP access control isauthority levels and policy are data-oriented, while CLI access control isauthority levels and policy are usually command (task) oriented. Depending on the management function, sometimes data-orienteddata- oriented or task-oriented access control makesapproaches make more sense. Protocol designers should consider both data-oriented and task- oriented access control. 5.task-oriented authority levels and policy. 4. Documentation Guidelines This document is focused on what to think about, and how to document the considerations of the protocol designer. 22.214.171.124. Recommended Discussions A Manageability Considerations section should include discussion of the management and operations topics raised in this document, and when one or more of these topics is not relevant, it would be useful to contain a simple statement explaining why the topic is not relevant for the new protocol. Of course, additional relevant topics should be included as well. Existing protocols and data models can provide the management functions identified in the previous section. Protocol designers should consider how using existing protocols and data models might impact network operations. 126.96.36.199. Null Manageability Considerations Sections A protocol designer may seriously consider the manageability requirements of a new protocol, and determine that no management functionality is needed by the new protocol. It would be helpful to those who may update or write extensions to the protocol in the future or to those deploying the new protocol to know the thinking of the working regarding the manageability of the protocol at the time of its design. If there are no new manageability or deployment considerations, it is recommended that a Manageability Considerations section contain a simple statement such as "There are no new manageability requirements introduced by this document," and a brief explanation of why that is the case. The presence of such a Manageability Considerations section would indicate to the reader that due consideration has been given to manageability and operations. In the case where the new protocol is an extension, and the base protocol discusses all the relevant operational and manageability considerations, it would be helpful to point out the considerations section in the base document. 188.8.131.52. Placement of Operations and Manageability Considerations Sections If a protocol designer develops a Manageability Considerations section for a new protocol, it is recommended that the section be placed immediately before the Security Considerations section. Reviewers interested in such sections could find it easily, and this placement could simplify the development of tools to detect the presence of such a section. 6.5. IANA Considerations This document does not introduce any new codepoints or name spaces for registration with IANA. Note to RFC Editor: this section may be removed on publication as an RFC. 7.6. Security Considerations This document is informational and provides guidelines for considering manageability and operations. It introduces no new security concerns. 8.The provision of a management portal to a network device provides a doorway through which an attack on the device may be launched. Making the protocol under development be manageable through a management protocol creates a vulnerability to a new source of attacks. Only management protocols with adequate security apparatus, such as authentication, message integrity checking, and authorization should be used. A standard description of the manageable knobs and whistles on a protocol makes it easier for an attacker to understand what they may try to control and how to tweak it. A well-designed protocol is usually more stable and secure. A protocol that can be managed and inspected offers the operator a better chance of spotting and quarantining any attacks. Conversely making a protocol easy to inspect is a risk if the wrong person inspects it. If security events cause logs and or notifications/alerts, a concerted attack might be able to be mounted by causing an excess of these events. In other words, the security management mechanisms could constitute a security vulnerability. The management of security aspects is important (see Section 3.7). 7. Acknowledgements This document started from an earlier document edited by Adrian Farrel, which itself was based on work exploring the need for Manageability Considerations sections in all Internet-Drafts produced within the Routing Area of the IETF. That earlier work was produced by Avri Doria, Loa Andersson, and Adrian Farrel, with valuable feedback provided by Pekka Savola and Bert Wijnen. Some of the discussion about designing for manageability came from private discussions between Dan Romascanu, Bert Wijnen, Juergen Schoenwaelder, Andy Bierman, and David Harrington. Thanks to reviewers who helped fashion this document, including Adrian Farrell, David Kessens, Dan Romascanu, Ron Bonica, Bert Wijnen, Lixia Zhang, Ralf Wolter, Benoit Claise, Brian Carpenter, Harald Alvestrand, Juergen Schoenwaelder, and Pekka Savola 9.Savola. 8. Informative References [I-D.ietf-psamp-protocol] Claise, B., "Packet Sampling (PSAMP) Protocol Specifications", draft-ietf-psamp-protocol-09[I-D.ietf-opsawg-survey-management] Harrington, D., "Survey of IETF Network Management Standards", d raft-ietf-opsawg-survey- management-00 (work in progress), December 2007.March 2009. [I-D.ietf-syslog-protocol] Gerhards, R., "The syslog Protocol", draft-ietf-syslog-protocol-23 (work in progress), September 2007. [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987. [RFC1052] Cerf, V., "IAB recommendations for the development of Internet network management standards", RFC 1052, April 1988. [RFC1492] Finseth, C., "An Access Control Protocol, Sometimes Called TACACS",[RFC1958] Carpenter, B., "Architectural Principles of the Internet", RFC 1492, July 1993.1958, June 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2205] Braden, B., Zhang, L., Berson, S., Herzog, S., and S. Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 Functional Specification", RFC 2205, September 1997. [RFC2439] Villamizar, C., Chandra, R., and R. Govindan, "BGP Route Flap Damping", RFC 2439, November 1998. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. Schoenwaelder, Ed., "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, April 2001. [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group MIB", RFC 2863, June 2000. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.April 1999. [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to Accounting Management", RFC 2975, October 2000. [RFC3060] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001. [RFC3084] Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie, K., Herzog, S., Reichmeyer, F., Yavatkar, R., and A. Smith, "COPS Usage for Policy Provisioning (COPS-PR)", RFC 3084, March 2001. [RFC3139] Sanchez, L., McCloghrie, K., and J. Saperia, "Requirements for Configuration Management of IP-basedIP- based Networks", RFC 3139, June 2001. [RFC3198] Westerinen, A., Schnizlein, J., Strassner, J., Scherling, M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry, J., and S. Waldbusser, "Terminology for Policy-Based Management", RFC 3198, November 2001. [RFC3290] Bernet, Y., Blake, S., Grossman, D., and A. Smith, "An Informal Management Model for Diffserv Routers", RFC 3290, May 2002. [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, "Introduction and Applicability Statements for Internet-Standard Management Framework", RFC 3410, December 2002. [RFC3444] Pras, A. and J. Schoenwaelder, "On the Difference between Information Models and Data Models", RFC 3444, January 2003. [RFC3460] Moore, B., "Policy Core Information Model (PCIM) Extensions", RFC 3460, January 2003. [RFC3535] Schoenwaelder, J., "Overview of the 2002 IAB Network Management Workshop", RFC 3535, May 2003. [RFC3585] Jason, J., Rafalow, L., and E. Vyncke, "IPsec Configuration Policy Information Model", RFC 3585, August 2003. [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., Cohen, R., and B. Moore, "Policy Quality of Service (QoS) Information Model", RFC 3644, November 2003. [RFC3670] Moore, B., Durham, D., Strassner, J., Westerinen, A., and W. Weiss, "Information Model for Describing Network Device QoS Datapath Mechanisms", RFC 3670, January 2004. [RFC3805] Bergman, R., Lewis, H., and I. McDonald, "Printer MIB v2", RFC 3805, June 2004. [RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741, December 2006. [RFC5101] Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008. [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, October 2008. [W3C.REC-xmlschema-0-20010502] Fallside, D., "XML Schema Part 0: Primer", World Wide Web Consortium FirstEdition REC-xmlschema-0- 20010502,REC- xmlschema-0-20010502, May 2001, <http:// www.w3.org/TR/2001/<http://www.w3.org/TR/2001/ REC-xmlschema-0-20010502>. Appendix A. Operations and Management Review Checklist This appendix provides a quick checklist of issues that protocol designers should expect operations and management expert reviewers to look for when reviewing a document being proposed for consideration as a protocol standard. A.1. Operational Considerations Has the operations model been discussed? see section 3.1.Section 2.1 Does the document include a description of the operational model - how is this protocol or technology going to be deployed and managed? Is the proposed specification deployable? If not, how could it be improved? Does the solution scale well?well from the operational and management perspective? Does the proposed approach have any scaling issues that could affect usability for large scale operation? Are there any coexistence issues? Has installation and initial setup been discussed? see section 3.2Section 2.2 Is the solution sufficiently configurable? areAre configuration parameters clearly identified? areAre configuration parameters normalized? doesDoes each configuration parameter have a reasonable default value? Will configuration be pushed to a device by a configuration manager, or pulled by a device from a configuration server? How will the devices and managers find and authenticate each other? Has the migration path been discussed? see section 3.3.Section 2.3 Are there any backward compatibility issues? Have the Requirements on Other Protocols and Functional Components been discussed? see section 3.4.Section 2.4. What protocol operations are expected to be performed relative to the new protocol or technology, and what protocols and data models are expected to be in place or recommended to ensure for interoperable management? Has the Impact on Network Operation been discussed? see section 3.5.Section 2.5 Will the new protocol significantly increase traffic load on existing networks? Will the proposed management for the new protocol significantly increase traffic load on existing networks? How will the new protocol impact the behavior of other protocols in the network? Will it impact performance (e.g. jitter) of certain types of applications running in the same network? Does the new protocol need supporting services (e.g. DNS or AAA) added to an existing network? Have suggestions for verifying correct operation been discussed? see section 3.6. Have suggestions for verifying correct operationSection 2.6 How can one test end-to-end connectivity and throughput? Which metrics are of interest? Will testing have an impact on the protocol or the network? Has management interoperability been discussed? see section 4.1.Section 3.1 Is a standard protocol needed for interoperable management? Is a standard information or data model needed to make properties comparable across devices from different vendors? Are there fault or threshold conditions that should be reported? see Section 3.3 Does specific management information have time utility? Should the information be reported by notifications? polling? event-driven polling? Is notification throttling discussed? Is there support for saving state that could be used for root- cause analysis? Is configuration discussed? see Section 3.4 Are configuration defaults, and default modes of operation considered? Is there discussion of what information should be preserved across reboots of the device or the management system? Can devices realistically preserve this information through hard reboots where physical configuration might change (e.g. cards might be swapped while a chassis is powered down)? A.2. Management Considerations Do you anticipate any manageability issues with the specification? Is Management interoperability discussed? see section 4.1. willSection 3.1 Will it use centralized or distributed management? willWill it require remote and/or local management applications? Are textual or graphical user interfaces required? Is textual or binary format for management information preferred? Is Management Information discussed? see section 4.2.Section 3.2 What is the minimal set of management (configuration, faults, performance monitoring) objects that need to be instrumented in order to manage the new protocol? Is Fault Management discussed? see section 4.3.Section 3.3 Is Liveness Detection and Monitoring discussed? Does the solution have failure modes that are difficult to diagnose or correct? Are faults and alarms reported and logged? Is Configuration Management discussed? see section 4.4. isSection 3.4 Is protocol state information exposed to the user? How? are significant state transitions logged? Is Accounting Management discussed? see section 4.5.Section 3.5 Is Performance Management discussed? see section 4.6.Section 3.6 Does the protocol have an impact on network traffic and network devices? Can performance be measured? Is protocol performance information exposed to the user? Is Security Management discussed? see section 4.7.Section 3.7 Does the specification discuss hwohow to manage aspects of security, such as access controls, managing key distribution, etc. A.3. Documentation Is an operational considerations and/or manageability section part of the document? Does the proposed protocol have a significant operational impact on the Internet. If it does, and the document under review targets standards track, is their enoughInternet? Is there proof of implementation and/or operational experience to grant Proposed Standard status?experience? Appendix B. Change Log -- Note to RFC Editor: Please remove this section upon publication as an RFC Changes from opsawg-05 to opsawg-06 Spelling and grammar corrections Addressed comments from WGLC. Editorial comments Addressed most comments from Randy Bush, Bert Wijnen, Adrian Farrel, Removed IETF Management Framework section. Added discussion of standard protocols. Changes from opsawg-04 to opsawg-05 added bullets for appendix checklist aligned checklist order and guidelines order resolved all DISCUSS and TODO issues. Changes from opsawg-03 to opsawg-04 improved wording in Introduction added a number of DISCUSS points raised during WG reviews added more wording on service management updated references and copyrights Changes from opsawg-02 to opsawg-03 From reviews by Lixia Zhang and feedback from WG Chairs' Lunch. added discussion of impact on the Internet to checklist spell check added examples added discussion of default values added discussion of database-driven configuration fixed some references expanded the checklist Changes from opsawg-01 to opsawg-02 moved survey of protocols and data models to separate document changed "working group" to "protocol designer" throughout, as applicable. modified wording from negative to positive spin in places. updated based on comments from Ralf Wolter and David Kessens Changes from opsawg-00 to opsawg-01 moved Proposed Standard data models to appendix moved advice out of data model survey and into considerations section addressed comments from Adrian and Dan modified the Introduction and Section 2 in response to many comments. expanded radius and syslog discussion, added psamp and VCCV, modified ipfix, Changes from harrington-01 to opsawg-00 added text regarding operational models to be managed. Added checklist appendix (to be filled in after consensus is reached on main text ) Changes from harrington-00 to harrington-01 modified unclear text in "Design for Operations and Management" Expanded discussion of counters Removed some redundant text Added ACLs to Security Management Expanded discussion of the status of COPS-PR, SPPI, and PIBs. Expanded comparison of RADIUS and Diameter. Added placeholders for EPP and XCAP protocols. Added Change Log and Open Issues Author's Address David Harrington Huawei Technologies USA 1700 Alma Dr, Suite 100 Plano, TX 75075 USA Phone: +1 603 436 8634 Fax: EMail: email@example.com URI: Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at firstname.lastname@example.org.