idnits 2.17.1 draft-ietf-opsawg-operations-and-management-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 10, 2009) is 5341 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 3588 (Obsoleted by RFC 6733) -- Obsolete informational reference (is this intentional?): RFC 4741 (Obsoleted by RFC 6241) -- Obsolete informational reference (is this intentional?): RFC 5101 (Obsoleted by RFC 7011) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group D. Harrington 3 Internet-Draft HuaweiSymantec USA 4 Intended status: Informational September 10, 2009 5 Expires: March 14, 2010 7 Guidelines for Considering Operations and Management of New Protocols 8 and Protocol Extensions 9 draft-ietf-opsawg-operations-and-management-09 11 Status of This Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. This document may contain material 15 from IETF Documents or IETF Contributions published or made publicly 16 available before November 10, 2008. The person(s) controlling the 17 copyright in some of this material may not have granted the IETF 18 Trust the right to allow modifications of such material outside the 19 IETF Standards Process. Without obtaining an adequate license from 20 the person(s) controlling the copyright in such materials, this 21 document may not be modified outside the IETF Standards Process, and 22 derivative works of it may not be created outside the IETF Standards 23 Process, except to format it for publication as an RFC or to 24 translate it into languages other than English. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF), its areas, and its working groups. Note that 28 other groups may also distribute working documents as Internet- 29 Drafts. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 The list of current Internet-Drafts can be accessed at 37 http://www.ietf.org/ietf/1id-abstracts.txt. 39 The list of Internet-Draft Shadow Directories can be accessed at 40 http://www.ietf.org/shadow.html. 42 This Internet-Draft will expire on March 14, 2010. 44 Copyright Notice 46 Copyright (c) 2009 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents in effect on the date of 51 publication of this document (http://trustee.ietf.org/license-info). 52 Please review these documents carefully, as they describe your rights 53 and restrictions with respect to this document. 55 Abstract 57 New protocols or protocol extensions are best designed with due 58 consideration of functionality needed to operate and manage the 59 protocols. Retrofitting operations and management is sub-optimal. 60 The purpose of this document is to provide guidance to authors and 61 reviewers of documents defining new protocols or protocol extensions, 62 about covering aspects of operations and management that should be 63 considered. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 1.1. Designing for Operations and Management . . . . . . . . . 5 69 1.2. This Document . . . . . . . . . . . . . . . . . . . . . . 5 70 1.3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 6 71 1.4. Background . . . . . . . . . . . . . . . . . . . . . . . . 7 72 1.5. Available Management Technologies . . . . . . . . . . . . 8 73 1.6. Terminology . . . . . . . . . . . . . . . . . . . . . . . 8 74 2. Operational Considerations - How Will the New Protocol Fit 75 Into the Current Environment? . . . . . . . . . . . . . . . . 9 76 2.1. Operations . . . . . . . . . . . . . . . . . . . . . . . . 10 77 2.2. Installation and Initial Setup . . . . . . . . . . . . . . 10 78 2.3. Migration Path . . . . . . . . . . . . . . . . . . . . . . 11 79 2.4. Requirements on Other Protocols and Functional 80 Components . . . . . . . . . . . . . . . . . . . . . . . . 11 81 2.5. Impact on Network Operation . . . . . . . . . . . . . . . 12 82 2.6. Verifying Correct Operation . . . . . . . . . . . . . . . 13 83 3. Management Considerations - How Will The Protocol be 84 Managed? . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 85 3.1. Interoperability . . . . . . . . . . . . . . . . . . . . . 15 86 3.2. Management Information . . . . . . . . . . . . . . . . . . 18 87 3.2.1. Information Model Design . . . . . . . . . . . . . . . 19 88 3.3. Fault Management . . . . . . . . . . . . . . . . . . . . . 19 89 3.3.1. Liveness Detection and Monitoring . . . . . . . . . . 20 90 3.3.2. Fault Determination . . . . . . . . . . . . . . . . . 20 91 3.3.3. Root Cause Analysis . . . . . . . . . . . . . . . . . 20 92 3.3.4. Fault Isolation . . . . . . . . . . . . . . . . . . . 21 93 3.4. Configuration Management . . . . . . . . . . . . . . . . . 21 94 3.4.1. Verifying Correct Operation . . . . . . . . . . . . . 22 95 3.5. Accounting Management . . . . . . . . . . . . . . . . . . 23 96 3.6. Performance Management . . . . . . . . . . . . . . . . . . 23 97 3.6.1. Monitoring the Protocol . . . . . . . . . . . . . . . 24 98 3.6.2. Monitoring the Device . . . . . . . . . . . . . . . . 25 99 3.6.3. Monitoring the Network . . . . . . . . . . . . . . . . 25 100 3.6.4. Monitoring the Service . . . . . . . . . . . . . . . . 25 101 3.7. Security Management . . . . . . . . . . . . . . . . . . . 25 102 4. Documentation Guidelines . . . . . . . . . . . . . . . . . . . 27 103 4.1. Recommended Discussions . . . . . . . . . . . . . . . . . 27 104 4.2. Null Manageability Considerations Sections . . . . . . . . 27 105 4.3. Placement of Operations and Manageability 106 Considerations Sections . . . . . . . . . . . . . . . . . 28 107 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 108 6. Security Considerations . . . . . . . . . . . . . . . . . . . 28 109 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29 110 8. Informative References . . . . . . . . . . . . . . . . . . . . 29 111 Appendix A. Operations and Management Review Checklist . . . . . 32 112 A.1. Operational Considerations . . . . . . . . . . . . . . . . 32 113 A.2. Management Considerations . . . . . . . . . . . . . . . . 35 114 A.3. Documentation . . . . . . . . . . . . . . . . . . . . . . 36 116 1. Introduction 118 Often when new protocols or protocol extensions are developed, not 119 enough consideration is given to how the protocol will be deployed, 120 operated and managed. Retrofitting operations and management 121 mechanisms is often hard and architecturally unpleasant, and certain 122 protocol design choices may make deployment, operations, and 123 management particularly hard. This document provides guidelines to 124 help protocol designers and working groups consider the operations 125 and management functionality for their new IETF protocol or protocol 126 extension at an earlier phase. 128 1.1. Designing for Operations and Management 130 The operational environment and manageability of the protocol should 131 be considered from the start when new protocols are designed. 133 Most of the existing IETF management standards are focused on using 134 SMI-based data models (MIB modules) to monitor and manage networking 135 devices. As the Internet has grown, IETF protocols have addressed a 136 constantly growing set of needs, such as web servers and 137 collaboration services and applications. The number of IETF 138 management technologies has been expanding and the IETF management 139 strategy has been changing to address the emerging management 140 requirements. The discussion of emerging sets of management 141 requirements has a long history in the IETF. The set of management 142 protocols you should use depends on what you are managing. 144 Protocol designers should consider which operations and management 145 needs are relevant to their protocol, document how those needs could 146 be addressed, and suggest (preferably standard) management protocols 147 and data models that could be used to address those needs. This is 148 similar to a working group (WG) that considers which security threats 149 are relevant to their protocol, documents how threats should be 150 mitigated, and then suggests appropriate standard protocols that 151 could mitigate the threats. 153 When a WG considers operation and management functionality for a 154 protocol, the document should contain enough information to 155 understand how the protocol will be deployed and managed, and the WG 156 should expect that considerations for operations and management may 157 need to be updated in the future, after further operational 158 experience has been gained. 160 1.2. This Document 162 This document makes a distinction between "Operational 163 Considerations" and "Management Considerations", although the two are 164 closely related. The section on manageability is focused on 165 management technology such as how to utilize management protocols and 166 how to design management data models. The operational considerations 167 apply to operating the protocol within a network, even if there were 168 no management protocol actively being used. 170 The purpose of this document is to provide guidance about what to 171 consider when thinking about the management and deployment of a new 172 protocol, and to provide guidance about documenting the 173 considerations. The following guidelines are designed to help 174 writers provide a reasonably consistent format for such 175 documentation. Separate manageability and operational considerations 176 sections are desirable in many cases, but their structure and 177 location is a decision that can be made from case to case. 179 This document does not impose a solution, or imply that a formal data 180 model is needed, or imply that using a specific management protocol 181 is mandatory. If protocol designers conclude that the technology can 182 be managed solely by using proprietary command line interfaces 183 (CLIs), and no structured or standardized data model needs to be in 184 place, this might be fine, but it is a decision that should be 185 explicit in a manageability discussion, that this is how the protocol 186 will need to be operated and managed. Protocol designers should 187 avoid having manageability pushed for a later phase of the 188 development of the standard. 190 This document discusses the importance of considering operations and 191 management by setting forth a list of guidelines and a checklist of 192 questions to consider, which a protocol designer or reviewer can use 193 to evaluate whether the protocol and documentation address common 194 operations and management needs. Operations and management are 195 highly dependent on their environment, so most guidelines are 196 subjective rather than objective. 198 1.3. Motivation 200 For years the IETF community has used the IETF Standard Management 201 Framework, including the Simple Network Management Protocol 202 [RFC3410], the Structure of Management Information [RFC2578], and MIB 203 data models for managing new protocols. As the Internet has evolved, 204 operators have found the reliance on one protocol and one schema 205 language for managing all aspects of the Internet inadequate. The 206 IESG policy to require working groups to write a MIB module to 207 provide manageability for new protocols is being replaced by a policy 208 that is more open to using a variety of management protocols and data 209 models designed to achieve different goals. 211 This document provides some initial guidelines for considering 212 operations and management in an IETF Management Framework that 213 consists of multiple protocols and multiple data modeling languages, 214 with an eye toward being flexible while also striving for 215 interoperability. 217 Fully new protocols may require significant consideration of expected 218 operations and management, while extensions to existing widely- 219 deployed protocols may have established defacto operations and 220 management practices that are already well understood. 222 Suitable management approaches may vary for different areas, working 223 groups, and protocols in the IETF. This document does not prescribe 224 a fixed solution or format in dealing with operational and management 225 aspects of IETF protocols. However, these aspects should be 226 considered for any IETF protocol, because we develop technologies and 227 protocols to be deployed and operated in the real world Internet. It 228 is fine if a WG decides that its protocol does not need interoperable 229 management or no standardized data model, but this should be a 230 deliberate decision, not the result of omission. This document 231 provides some guidelines for those considerations. 233 1.4. Background 235 There have been a significant number of efforts, meetings, and 236 documents that are related to Internet operations and management. 237 Some of them are mentioned here, to help protocol designers find 238 documentation of previous efforts. Hopefully, providing these 239 references will help the IETF avoid rehashing old discussions and 240 reinventing old solutions. 242 In 1988, the IAB published IAB Recommendations for the Development of 243 Internet Network Management Standards [RFC1052] which recommended a 244 solution that, where possible, deliberately separates modeling 245 languages, data models, and the protocols that carry data. The goal 246 is to allow standardized information and data models to be used by 247 different protocols. 249 In 2001, OPS Area design teams were created to document requirements 250 related to configuration of IP-based networks. One output was 251 "Requirements for Configuration Management of IP-based Networks" 252 [RFC3139]. 254 In 2003, the Internet Architecture Board (IAB) held a workshop on 255 Network Management [RFC3535] that discussed the strengths and 256 weaknesses of some IETF network management protocols, and compared 257 them to operational needs, especially configuration. 259 One issue discussed was the user-unfriendliness of the binary format 260 of SNMP [RFC3410] and COPS Usage for Policy Provisioning (COPS-PR) 261 [RFC3084], and it was recommended that the IETF explore an XML-based 262 Structure of Management Information, and an XML-based protocol for 263 configuration. 265 Another conclusion was that the tools for event/alarm correlation and 266 for root cause analysis and logging are not sufficient, and that 267 there is a need to support a human interface and a programmatic 268 interface. The IETF decided to standardize aspects of the de facto 269 standard for system logging security and programmatic support. 271 In 2006, the IETF discussed whether the Management Framework should 272 be updated to accommodate multiple IETF schema languages for 273 describing the structure of management information, and multiple IETF 274 standard protocols for performing management tasks. The IESG asked 275 that a document be written to discuss how protocol designers and 276 working groups should address management in this emerging multi- 277 protocol environment. This document, and some planned companion 278 documents, attempt to provide some guidelines for navigating the 279 rapidly-shifting operating and management environments. 281 1.5. Available Management Technologies 283 The IETF has a number of standard management protocols available that 284 are suitable for different purposes. These include 286 SNMP [RFC3410], 288 SYSLOG [RFC5424], 290 RADIUS [RFC2865], 292 DIAMETER [RFC3588], 294 NETCONF [RFC4741], 296 IPFIX [RFC5101]. 298 A planned supplement to this document will discuss these protocol 299 standards, and discuss some standard information and data models for 300 specific functionality, and provide pointers to the documents that 301 define them. 303 1.6. Terminology 305 This document deliberately does not use the (capitalized) keywords 306 described in RFC 2119 [RFC2119]. RFC 2119 states the keywords must 307 only be used where it is actually required for interoperation or to 308 limit behavior which has potential for causing harm (e.g., limiting 309 retransmissions). For example, they must not be used to try to 310 impose a particular method on implementers where the method is not 311 required for interoperability. This document is a set of guidelines 312 based on current practices of protocol designers and operators. This 313 document does not describe requirements, so the key words from 314 RFC2119 have no place here. 316 o CLI: Command Line Interface 318 o Data model: A mapping of the contents of an information model into 319 a form that is specific to a particular type of data store or 320 repository. [RFC3444] 322 o Information model: An abstraction and representation of the 323 entities in a managed environment, their properties, attributes 324 and operations, and the way that they relate to each other. It is 325 independent of any specific repository, software usage, protocol, 326 or platform. [RFC3444] 328 o "new protocol" includes new protocols, protocol extensions, data 329 models, or other functionality being designed. 331 o "protocol designer" represents individuals and working groups 332 involved in the development of new protocols or extensions. 334 2. Operational Considerations - How Will the New Protocol Fit Into the 335 Current Environment? 337 Designers of a new protocol should carefully consider the operational 338 aspects. To ensure that a protocol will be practical to deploy in 339 the real world, it is not enough to merely define it very precisely 340 in a well-written document. Operational aspects will have a serious 341 impact on the actual success of a protocol. Such aspects include bad 342 interactions with existing solutions, a difficult upgrade path, 343 difficulty of debugging problems, difficulty configuring from a 344 central database, or a complicated state diagram that operations 345 staff will find difficult to understand. 347 BGP flap damping [RFC2439] is an example. It was designed to block 348 high frequency route flaps, however the design did not consider the 349 existence of BGP path exploration/slow convergence. In real 350 operations, path exploration caused false flap damping, resulting in 351 loss of reachability. As a result, many networks turned flap damping 352 off. 354 2.1. Operations 356 Protocol designers can analyze the operational environment and mode 357 of work in which the new protocol or extension will work. Such an 358 exercise need not be reflected directly by text in their document, 359 but could help in visualizing how to apply the protocol in the 360 Internet environments where it will be deployed. 362 A key question is how the protocol can operate "out of the box". If 363 implementers are free to select their own defaults, the protocol 364 needs to operate well with any choice of values. If there are 365 sensible defaults, these need to be stated. 367 There may be a need to support a human interface, e.g., for 368 troubleshooting, and a programmatic interface, e.g., for automated 369 monitoring and root cause analysis. The application programming 370 interfaces and the human interfaces might benefit from being similar 371 to ensure that the information exposed by these two interfaces is 372 consistent when presented to an operator. Identifying consistent 373 methods of determining information, such as what gets counted in a 374 specific counter, is relevant. 376 Protocol designers should consider what management operations are 377 expected to be performed as a result of the deployment of the 378 protocol - such as whether write operations will be allowed on 379 routers and on hosts, or whether notifications for alarms or other 380 events will be expected. 382 2.2. Installation and Initial Setup 384 Anything that can be configured can be misconfigured. "Architectural 385 Principles of the Internet" [RFC1958] Section 3.8 states: "Avoid 386 options and parameters whenever possible. Any options and parameters 387 should be configured or negotiated dynamically rather than manually." 389 To simplify configuration, protocol designers should consider 390 specifying reasonable defaults, including default modes and 391 parameters. For example, it could be helpful or necessary to specify 392 default values for modes, timers, default state of logical control 393 variables, default transports, and so on. Even if default values are 394 used, it must be possible to retrieve all the actual values or at 395 least an indication that known default values are being used. 397 Protocol designers should consider how to enable operators to 398 concentrate on the configuration of the network as a whole rather 399 than on individual devices. Of course, how one accomplishes this is 400 the hard part. 402 It is desirable to discuss the background of chosen default values, 403 or perhaps why a range of values makes sense. In many cases, as 404 technology changes, the values in an RFC might make less and less 405 sense. It is very useful to understand whether defaults are based on 406 best current practice and are expected to change as technologies 407 advance or whether they have a more universal value that should not 408 be changed lightly. For example, the default interface speed might 409 be expected to change over time due to increased speeds in the 410 network, and cryptographical algorithms might be expected to change 411 over time as older algorithms are "broken". 413 It is extremely important to set a sensible default value for all 414 parameters 416 The default value should stay on the conservative side rather than on 417 the "optimizing performance" side. (example: the initial RTT and 418 RTTvar values of a TCP connection) 420 For those parameters that are speed-dependent, instead of using a 421 constant, try to set the default value as a function of the link 422 speed or some other relevant factors. This would help reduce the 423 chance of problems caused by technology advancement. 425 2.3. Migration Path 427 If the new protocol is a new version of an existing one, or if it is 428 replacing another technology, the protocol designer should consider 429 how deployments should transition to the new protocol. This should 430 include co-existence with previously deployed protocols and/or 431 previous versions of the same protocol, incompatibilities between 432 versions, translation between versions, and side-effects that might 433 occur. Are older protocols or versions disabled or do they co-exist 434 in the network with the new protocol? 436 Many protocols benefit from being incrementally deployable - 437 operators may deploy aspects of a protocol before deploying the 438 protocol fully. 440 2.4. Requirements on Other Protocols and Functional Components 442 Protocol designers should consider the requirements that the new 443 protocol might put on other protocols and functional components, and 444 should also document the requirements from other protocols and 445 functional elements that have been considered in designing the new 446 protocol. 448 These considerations should generally remain illustrative to avoid 449 creating restrictions or dependencies, or potentially impacting the 450 behavior of existing protocols, or restricting the extensibility of 451 other protocols, or assuming other protocols will not be extended in 452 certain ways. If restrictions or dependencies exist, they should be 453 stated. 455 For example, the design of Resource ReSerVation Protocol (RSVP) 456 [RFC2205] required each router to look at the RSVP PATH message, and 457 if the router understood RSVP, to add its own address to the message 458 to enable automatically tunneling through non-RSVP routers. But in 459 reality routers cannot look at an otherwise normal IP packet, and 460 potentially take it off the fast path! The initial designers 461 overlooked that a new "deep packet inspection" requirement was being 462 put on the functional components of a router. The "router alert" 463 option [RFC2113] [RFC2711] was finally developed to solve this 464 problem for RSVP and other protocols that require the router to take 465 some packets off the fast forwarding path. Router alert has its own 466 problems in impacting router performance. 468 2.5. Impact on Network Operation 470 The introduction of a new protocol or extensions to an existing 471 protocol may have an impact on the operation of existing networks. 472 Protocol designers should outline such impacts (which may be 473 positive) including scaling concerns and interactions with other 474 protocols. For example, a new protocol that doubles the number of 475 active, reachable addresses in use within a network might need to be 476 considered in the light of the impact on the scalability of the 477 interior gateway protocols operating within the network. 479 A protocol could send active monitoring packets on the wire. If we 480 don't pay attention, we might get very good accuracy, but could send 481 too many active monitoring packets. 483 The protocol designer should consider the potential impact on the 484 behavior of other protocols in the network and on the traffic levels 485 and traffic patterns that might change, including specific types of 486 traffic such as multicast. Also consider the need to install new 487 components that are added to the network as result of the changes in 488 the configuration, such as servers performing auto-configuration 489 operations. 491 The protocol designer should consider also the impact on 492 infrastructure applications like DNS [RFC1034], the registries, or 493 the size of routing tables. For example, Simple Mail Transfer 494 Protocol (SMTP) [RFC5321] servers use a reverse DNS lookup to filter 495 out incoming connection requests. When Berkeley installed a new spam 496 filter, their mail server stopped functioning because of the DNS 497 cache resolver overload. 499 The impact on performance may also be noted - increased delay or 500 jitter in real-time traffic applications, or response time in client- 501 server applications when encryption or filtering are applied. 503 It is important to minimize the impact caused by configuration 504 changes. Given configuration A and configuration B, it should be 505 possible to generate the operations necessary to get from A to B with 506 minimal state changes and effects on network and systems. 508 2.6. Verifying Correct Operation 510 The protocol designer should consider techniques for testing the 511 effect that the protocol has had on the network by sending data 512 through the network and observing its behavior (aka active 513 monitoring). Protocol designers should consider how the correct end- 514 to-end operation of the new protocol in the network can be tested 515 actively and passively, and how the correct data or forwarding plane 516 function of each network element can be verified to be working 517 properly with the new protocol. Which metrics are of interest? 519 Having simple protocol status and health indicators on network 520 devices is a recommended means to check correct operation. 522 3. Management Considerations - How Will The Protocol be Managed? 524 The considerations of manageability should start from identifying the 525 entities to be managed, and how the managed protocol is supposed to 526 be installed, configured and monitored. 528 Considerations for management should include a discussion of what 529 needs to be managed, and how to achieve various management tasks. 530 Where are the managers and what type of management interfaces and 531 protocols will they need? The "write a MIB module" approach to 532 considering management often focuses on monitoring a protocol 533 endpoint on a single device. A MIB module document typically only 534 considers monitoring properties observable at one end, while the 535 document does not really cover managing the *protocol* (the 536 coordination of multiple ends), and does not even come near managing 537 the *service* (which includes a lot of stuff that is very far away 538 from the box). This is exactly what operators hate - you need to be 539 able to manage both ends. As [RFC3535] says, MIB modules can often 540 be characterized as a list of ingredients without a recipe. 542 The management model should take into account factors such as: 544 o what type of management entities will be involved (agents, network 545 management systems)? 547 o what is the possible architecture (client-server, manager-agent, 548 poll-driven or event-driven, autoconfiguration, two levels or 549 hierarchical)? 551 o what are the management operations - initial configuration, 552 dynamic configuration, alarm and exception reporting, logging, 553 performance monitoring, performance reporting, debugging? 555 o how are these operations performed - locally, remotely, atomic 556 operation, scripts? Are they performed immediately or time 557 scheduled or event triggered? 559 Protocol designers should consider how the new protocol will be 560 managed in different deployment scales. It might be sensible to use 561 a local management interface to manage the new protocol on a single 562 device, but in a large network, remote management using a centralized 563 server and/or using distributed management functionality might make 564 more sense. Auto-configuration and default parameters might be 565 possible for some new protocols. 567 Management needs to be considered not only from the perspective of a 568 device, but also from the perspective of network and service 569 management perspectives. A service might be network and operational 570 functionality derived from the implementation and deployment of a new 571 protocol. Often an individual network element is not aware of the 572 service being delivered. 574 WGs should consider how to configure multiple related/co-operating 575 devices and how to back off if one of those configurations fails or 576 causes trouble. NETCONF [RFC4741] addresses this in a generic manner 577 by allowing an operator to lock the configuration on multiple 578 devices, perform the configuration settings/changes, check that they 579 are OK (undo if not) and then unlock the devices. 581 Techniques for debugging protocol interactions in a network must be 582 part of the network management discussion. Implementation source 583 code should be debugged before ever being added to a network, so 584 asserts and memory dumps do not normally belong in management data 585 models. However, debugging on-the-wire interactions is a protocol 586 issue: while the messages can be seen by sniffing, it is enormously 587 helpful if a protocol specification supports features that make 588 debugging of network interactions and behaviors easier. There could 589 be alerts issued when messages are received, or when there are state 590 transitions in the protocol state machine. However, the state 591 machine is often not part of the on-the-wire protocol; the state 592 machine explains how the protocol works so that an implementer can 593 decide, in an implementation-specific manner, how to react to a 594 received event. 596 In a client/server protocol, it may be more important to instrument 597 the server end of a protocol than the client end, since the 598 performance of the server might impact more nodes than the 599 performance of a specific client. 601 3.1. Interoperability 603 Just as when deploying protocols that will inter-connect devices, 604 management interoperability should be considered, whether across 605 devices from different vendors, across models from the same vendor, 606 or across different releases of the same product. Management 607 interoperability refers to allowing information sharing and 608 operations between multiple devices and multiple management 609 applications, often from different vendors. Interoperability allows 610 for the use of 3rd party applications and the outsourcing of 611 management services. 613 Some product designers and protocol designers assume that if a device 614 can be managed individually using a command line interface or a web 615 page interface, that such a solution is enough. But when equipment 616 from multiple vendors is combined into a large network, scalability 617 of management may become a problem. It may be important to have 618 consistency in the management interfaces so network-wide operational 619 processes can be automated. For example, a single switch might be 620 easily managed using an interactive web interface when installed in a 621 single office small business, but when, say, a fast food company 622 installs similar switches from multiple vendors in hundreds or 623 thousands of individual branches and wants to automate monitoring 624 them from a central location, monitoring vendor-and-model-specific 625 web pages would be difficult to automate. 627 The primary goal is the ability to roll out new useful functions and 628 services in a way in which they can be managed in a scalable manner, 629 where one understands the network impact (as part of the total cost 630 of operations) of that service. 632 Getting everybody to agree on a single syntax and an associated 633 protocol to do all management has proven to be difficult. So 634 management systems tend to speak whatever the boxes support, whether 635 the IETF likes this or not. The IETF is moving from support for one 636 schema language for modeling the structure of management information 637 (Structure of Management Information Version 2 (SMIv2) [RFC2578]) and 638 one simple network management protocol (Simple Network Management 639 Protocol (SNMP) [RFC3410]) towards support for additional schema 640 languages and additional management protocols suited to different 641 purposes. Other Standard Development Organizations (e.g. DMTF, TMF) 642 also define schemas and protocols for management and these may be 643 more suitable than IETF schemas and protocols in some cases. Some of 644 the alternatives being considered include 646 XML Schema Definition [W3C.REC-xmlschema-0-20010502] 648 and others 650 and 652 NETCONF Configuration Protocol [RFC4741] 654 IP Flow Information Export (IPFIX) Protocol [RFC5101]) for usage 655 accounting 657 The syslog Protocol [RFC5424] for logging 659 and others 661 Interoperability needs to be considered on the syntactic level and 662 the semantic level. While it can be irritating and time-consuming, 663 application designers including operators who write their own scripts 664 can make their processing conditional to accommodate syntactic 665 differences across vendors or models or releases of product. 667 Semantic differences are much harder to deal with on the manager side 668 - once you have the data, its meaning is a function of the managed 669 entity. 671 Information models are helpful to try to focus interoperability on 672 the semantic level - they establish standards for what information 673 should be gathered, and how gathered information might be used 674 regardless of which management interface carries the data or which 675 vendor produces the product. The use of an information model might 676 help improve the ability of operators to correlate messages in 677 different protocols where the data overlaps, such as a SYSLOG message 678 and an SNMP notification about the same event. An information model 679 might identify which error conditions should be counted separately, 680 and which error conditions can be counted together in a single 681 counter. Then, whether the counter is gathered via SNMP or a CLI 682 command or a SYSLOG message, the counter will have the same meaning. 684 Protocol designers should consider which information might be useful 685 for managing the new protocol or protocol extensions. 687 IM --> conceptual/abstract model 688 | for designers and operators 689 +----------+---------+ 690 | | | 691 DM DM DM --> concrete/detailed model 692 for implementers 694 Information Models and Data Models 696 Figure 1 698 Protocol designers may decide an information model or data model 699 would be appropriate for managing the new protocol or protocol 700 extensions. 702 On the Difference between Information Models and Data Models 703 [RFC3444] can be helpful in determining what information to consider 704 regarding information models, as compared to data models. 706 Information models should come from the protocol WGs and include 707 lists of events, counters and configuration parameters that are 708 relevant. There are a number of information models contained in 709 protocol WG RFCs. Some examples: 711 o [RFC3060] - Policy Core Information Model version 1 713 o [RFC3290] - An Informal Management Model for DiffServ Routers 715 o [RFC3460] - Policy Core Information Model Extensions 717 o [RFC3585] - IPsec Configuration Policy Information Model 719 o [RFC3644] - Policy Quality of Service Information Model 721 o [RFC3670] - Information Model for Describing Network Device QoS 722 Datapath Mechanisms 724 o [RFC3805] - Printer MIB v2 contains both an IM and a DM 726 Management protocol standards and management data model standards 727 often contain compliance clauses to ensure interoperability. 728 Manageability considerations should include discussion of which level 729 of compliance is expected to be supported for interoperability. 731 3.2. Management Information 733 Languages used to describe an information model can influence the 734 nature of the model. Using a particular data modeling language, such 735 as the SMIv2, influence the model to use certain types of structures, 736 such as two-dimensional tables. This document recommends using 737 English text (the official language for IETF specifications) to 738 describe an information model. A sample data model could be 739 developed to demonstrate the information model. 741 A management information model should include a discussion of what is 742 manageable, which aspects of the protocol need to be configured, what 743 types of operations are allowed, what protocol-specific events might 744 occur, which events can be counted, and for which events should an 745 operator be notified. 747 Operators find it important to be able to make a clear distinction 748 between configuration data, operational state, and statistics. They 749 need to determine which parameters were administratively configured 750 and which parameters have changed since configuration as the result 751 of mechanisms such as routing protocols or network management 752 protocols. It is important to be able to separately fetch current 753 configuration information, initial configuration information, 754 operational state information, and statistics from devices, and to be 755 able to compare current state to initial state, and to compare 756 information between devices. So when deciding what information 757 should exist, do not conflate multiple information elements into a 758 single element. 760 What is typically difficult to work through are relationships between 761 abstract objects. Ideally an information model would describe the 762 relationships between the objects and concepts in the information 763 model. 765 Is there always just one instance of this object or can there be 766 multiple instances? Does this object relate to exactly one other 767 object or may it relate to multiple? When is it possible to change a 768 relationship? 770 Do objects (such as rows in tables) share fate? For example, if a 771 row in table A must exist before a related row in table B can be 772 created, what happens to the row in table B if the related row in 773 table A is deleted? Does the existence of relationships between 774 objects have an impact on fate sharing? 776 3.2.1. Information Model Design 778 This document recommends keeping the information model as simple as 779 possible by applying the following criteria: 781 1. Start with a small set of essential objects and add only as 782 further objects are needed. 784 2. Require that objects be essential for management. 786 3. Consider evidence of current use and/or utility. 788 4. Limit the total number of objects. 790 5. Exclude objects that are simply derivable from others in this or 791 other information models. 793 6. Avoid causing critical sections to be heavily instrumented. A 794 guideline is one counter per critical section per layer. 796 3.3. Fault Management 798 The protocol designer should document the basic faults and health 799 indicators that need to be instrumented for the new protocol, and the 800 alarms and events that must be propagated to management applications 801 or exposed through a data model. 803 The protocol designer should consider how fault information will be 804 propagated. Will it be done using asynchronous notifications or 805 polling of health indicators? 807 If notifications are used to alert operators to certain conditions, 808 then the protocol designer should discuss mechanisms to throttle 809 notifications to prevent congestion and duplications of event 810 notifications. Will there be a hierarchy of faults, and will the 811 fault reporting be done by each fault in the hierarchy, or will only 812 the lowest fault be reported and the higher levels be suppressed? 813 Should there be aggregated status indicators based on concatenation 814 of propagated faults from a given domain or device? 816 SNMP notifications and SYSLOG messages can alert an operator when an 817 aspect of the new protocol fails or encounters an error or failure 818 condition, and SNMP is frequently used as a heartbeat monitor. 819 Should the event reporting provide guaranteed accurate delivery of 820 the event information within a given (high) margin of confidence? 821 Can we poll the latest events in the box? 823 3.3.1. Liveness Detection and Monitoring 825 Protocol designers should always build in basic testing features 826 (e.g. ICMP echo, UDP/TCP echo service, NULL RPC calls) that can be 827 used to test for liveness, with an option to enable and disable them. 829 Mechanisms for monitoring the liveness of the protocol and for 830 detecting faults in protocol connectivity are usually built into 831 protocols. In some cases, mechanisms already exist within other 832 protocols responsible for maintaining lower layer connectivity (e.g. 833 ICMP echo), but often new procedures are required to detect failures 834 and to report rapidly, allowing remedial action to be taken. 836 These liveness monitoring mechanisms do not typically require 837 additional management capabilities. However, when a system detects a 838 fault, there is often a requirement to coordinate recovery action 839 through management applications or at least to record the fact in an 840 event log. 842 3.3.2. Fault Determination 844 It can be helpful to describe how faults can be pinpointed using 845 management information. For example, counters might record instances 846 of error conditions. Some faults might be able to be pinpointed by 847 comparing the outputs of one device and the inputs of another device 848 looking for anomalies. Protocol designers should consider what 849 counters should count. If a single counter provided by vendor A 850 counts three types of error conditions, while the corresponding 851 counter provided by vendor B counts seven types of error conditions, 852 these counters cannot be compared effectively - they are not 853 interoperable counters. 855 How do you distinguish between faulty messages and good messages? 857 Would some threshold-based mechanisms, such as RMON events/alarms or 858 the EVENT-MIB, be useable to help determine error conditions? Are 859 SNMP notifications for all events needed, or are there some 860 "standard" notifications that could be used? or can relevant counters 861 be polled as needed? 863 3.3.3. Root Cause Analysis 865 Root cause analysis is about working out where in the network the 866 fault is. For example, if end-to-end data delivery is failing 867 (reported by a notification), root cause analysis can help find the 868 failed link or node in the end-to-end path. 870 3.3.4. Fault Isolation 872 It might be useful to isolate or quarantine faults, such as isolating 873 a device that emits malformed messages that are necessary to 874 coordinate connections properly. This might be able to be done by 875 configuring next-hop devices to drop the faulty messages to prevent 876 them from entering the rest of the network. 878 3.4. Configuration Management 880 A protocol designer should document the basic configuration 881 parameters that need to be instrumented for a new protocol, as well 882 as default values and modes of operation. 884 What information should be maintained across reboots of the device, 885 or restarts of the management system? 887 "Requirements for Configuration Management of IP-based Networks" 888 [RFC3139] discusses requirements for configuration management, 889 including discussion of different levels of management, high-level- 890 policies, network-wide configuration data, and device-local 891 configuration. Network configuration is not just multi-device push 892 or pull. It is knowing that the configurations being pushed are 893 semantically compatible. Is the circuit between them configured 894 compatibly on both ends? is the is-is metric the same? ... now do 895 that for 1,000 devices. 897 A number of efforts have existed in the IETF to develop policy-based 898 configuration management. "Terminology for Policy-Based Management" 899 [RFC3198] was written to standardize the terminology across these 900 efforts. 902 Implementations should not arbitrarily modify configuration data. In 903 some cases (such as Access Control Lists) the order of data items is 904 significant and comprises part of the configured data. If a protocol 905 designer defines mechanisms for configuration, it would be desirable 906 to standardize the order of elements for consistency of configuration 907 and of reporting across vendors, and across releases from vendors. 909 There are two parts to this: 1. An NMS system could optimize access 910 control lists (ACLs) for performance reasons 2. Unless the device/ 911 NMS systems has correct rules/a lot of experience, reordering ACLs 912 can lead to a huge security issue. 914 Network wide configurations may be stored in central master databases 915 and transformed into formats that can be pushed to devices, either by 916 generating sequences of CLI commands or complete configuration files 917 that are pushed to devices. There is no common database schema for 918 network configuration, although the models used by various operators 919 are probably very similar. Many operators consider it desirable to 920 extract, document, and standardize the common parts of these network 921 wide configuration database schemas. A protocol designer should 922 consider how to standardize the common parts of configuring the new 923 protocol, while recognizing that vendors may also have proprietary 924 aspects of their configurations. 926 It is important to enable operators to concentrate on the 927 configuration of the network as a whole rather than individual 928 devices. Support for configuration transactions across a number of 929 devices could significantly simplify network configuration 930 management. The ability to distribute configurations to multiple 931 devices, or modify candidate configurations on multiple devices, and 932 then activate them in a near-simultaneous manner might help. 933 Protocol designers can consider how it would make sense for their 934 protocol to be configured across multiple devices. Configuration- 935 templates might also be helpful. 937 Consensus of the 2002 IAB Workshop [RFC3535] was that textual 938 configuration files should be able to contain international 939 characters. Human-readable strings should utilize UTF-8, and 940 protocol elements should be in case insensitive ASCII. 942 A mechanism to dump and restore configurations is a primitive 943 operation needed by operators. Standards for pulling and pushing 944 configurations from/to devices are desirable. 946 Given configuration A and configuration B, it should be possible to 947 generate the operations necessary to get from A to B with minimal 948 state changes and effects on network and systems. It is important to 949 minimize the impact caused by configuration changes. 951 A protocol designer should consider the configurable items that exist 952 for the control of function via the protocol elements described in 953 the protocol specification. For example, sometimes the protocol 954 requires that timers can be configured by the operator to ensure 955 specific policy-based behavior by the implementation. These timers 956 should have default values suggested in the protocol specification 957 and may not need to be otherwise configurable. 959 3.4.1. Verifying Correct Operation 961 An important function that should be provided is guidance on how to 962 verify the correct operation of a protocol. A protocol designer 963 could suggest techniques for testing the impact of the protocol on 964 the network before it is deployed, and techniques for testing the 965 effect that the protocol has had on the network after being deployed. 967 Protocol designers should consider how to test the correct end-to-end 968 operation of the network or service, and how to verify the correct 969 functioning of the protocol, whether it is the data or forwarding 970 plane function of each network element, or the function of service. 971 This may be achieved through status and statistical information 972 gathered from devices. 974 3.5. Accounting Management 976 A protocol designer should consider whether it would be appropriate 977 to collect usage information related to this protocol, and if so, 978 what usage information would be appropriate to collect. 980 "Introduction to Accounting Management" [RFC2975] discusses a number 981 of factors relevant to monitoring usage of protocols for purposes of 982 capacity and trend analysis, cost allocation, auditing, and billing. 983 The document also discusses how some existing protocols can be used 984 for these purposes. These factors should be considered when 985 designing a protocol whose usage might need to be monitored, or when 986 recommending a protocol to do usage accounting. 988 3.6. Performance Management 990 From a manageability point of view it is important to determine how 991 well a network deploying the protocol or technology defined in the 992 document is doing. In order to do this the network operators need to 993 consider information that would be useful to determine the 994 performance characteristics of a deployed system using the target 995 protocol. 997 The IETF, via the Benchmarking Methodology WG (BMWG), has defined 998 recommendations for the measurement of the performance 999 characteristics of various internetworking technologies in a 1000 laboratory environment, including the systems or services that are 1001 built from these technologies. Each benchmarking recommendation 1002 describes the class of equipment, system, or service being addressed; 1003 discuss the performance characteristics that are pertinent to that 1004 class; clearly identify a set of metrics that aid in the description 1005 of those characteristics; specify the methodologies required to 1006 collect said metrics; and lastly, present the requirements for the 1007 common, unambiguous reporting of benchmarking results. Search for 1008 "benchmark" in the RFC search tool. 1010 Performance metrics may be useful in multiple environments, and for 1011 different protocols. The IETF, via the IP Performance Monitoring 1012 (IPPM) WG, has developed a set of standard metrics that can be 1013 applied to the quality, performance, and reliability of Internet data 1014 delivery services. These metrics are designed such that they can be 1015 performed by network operators, end users, or independent testing 1016 groups. The existing metrics might be applicable to the new 1017 protocol. Search for "metric" in the RFC search tool. In some 1018 cases, new metrics need to be defined. It would be useful if the 1019 protocol documentation identified the need for such new metrics. For 1020 performance monitoring, it is often important to report the time 1021 spent in a state rather than the current state. Snapshots are of 1022 less value for performance monitoring. 1024 There are several parts to performance management to be considered: 1025 protocol monitoring, device monitoring (the impact of the new 1026 protocol/service activation on the device), network monitoring, and 1027 service monitoring (the impact of service activation on the network). 1029 3.6.1. Monitoring the Protocol 1031 Certain properties of protocols are useful to monitor. The number of 1032 protocol packets received, the number of packets sent, and the number 1033 of packets dropped are usually very helpful to operators. 1035 Packet drops should be reflected in counter variable(s) somewhere 1036 that can be inspected - both from the security point of view and from 1037 the troubleshooting point of view. 1039 Counter definitions should be unambiguous about what is included in 1040 the count, and what is not included in the count. 1042 Consider the expected behaviors for counters - what is a reasonable 1043 maximum value for expected usage? Should they stop counting at the 1044 maximum value and retain the maximum value, or should they rollover? 1045 How can users determine if a rollover has occurred, and how can users 1046 determine if more than one rollover has occurred? 1048 Consider whether multiple management applications will share a 1049 counter; if so, then no one management application should be allowed 1050 to reset the value to zero since this will impact other applications. 1052 Could events, such as hot-swapping a blade in a chassis, cause 1053 discontinuities in counter? Does this make any difference in 1054 evaluating the performance of a protocol? 1056 The protocol document should make clear the limitations implicit 1057 within the protocol and the behavior when limits are exceeded. This 1058 should be considered in a data-modeling independent manner - what 1059 makes managed-protocol sense, not what makes management-protocol- 1060 sense. If constraints are not managed-protocol-dependent, then it 1061 should be left for the management-protocol data modelers to decide. 1062 For example, VLAN identifiers have a range of 1..4095 because of the 1063 VLAN standards. A MIB implementing a VLAN table should be able to 1064 support 4096 entries because the content being modeled requires it. 1066 3.6.2. Monitoring the Device 1068 Consider whether device performance will be affected by the number of 1069 protocol entities being instantiated on the device. Designers of an 1070 information model should include information, accessible at runtime, 1071 about the maximum number of instances an implementation can support, 1072 the current number of instances, and the expected behavior when the 1073 current instances exceed the capacity of the implementation or the 1074 capacity of the device. 1076 Designers of an information model should model information, 1077 accessible at runtime, about the maximum number of protocol entity 1078 instances an implementation can support on a device, the current 1079 number of instances, and the expected behavior when the current 1080 instances exceed the capacity of the device. 1082 3.6.3. Monitoring the Network 1084 Consider whether network performance will be affected by the number 1085 of protocol entities being deployed. 1087 Consider the capability of determining the operational activity, such 1088 as the number of messages in and the messages out, the number of 1089 received messages rejected due to format problems, the expected 1090 behaviors when a malformed message is received. 1092 What are the principal performance factors that need to be looked at 1093 when measuring the operational performance of the network built using 1094 the protocol? Is it important to measure setup times? end-to-end 1095 connectivity? hop-to-hop connectivity? network throughput? 1097 3.6.4. Monitoring the Service 1099 What are the principal performance factors that need to be looked at 1100 when measuring the performance of a service using the protocol? Is 1101 it important to measure application-specific throughput? client- 1102 server associations? end-to-end application quality? service 1103 interruptions? user experience? 1105 3.7. Security Management 1107 Protocol designers should consider how to monitor and to manage 1108 security aspects and vulnerabilities of the new protocol. 1110 There will be security considerations related to the new protocol. 1112 To make it possible for operators to be aware of security-related 1113 events, it is recommended that system logs should record events, such 1114 as failed logins, but the logs must be secured. 1116 Should a system automatically notify operators of every event 1117 occurrence, or should an operator-defined threshold control when a 1118 notification is sent to an operator? 1120 Should certain statistics be collected about the operation of the new 1121 protocol that might be useful for detecting attacks, such as the 1122 receipt of malformed messages, or messages out of order, or messages 1123 with invalid timestamps? If such statistics are collected, is it 1124 important to count them separately for each sender to help identify 1125 the source of attacks? 1127 Manageability considerations that are security-oriented might include 1128 discussion of the security implications when no monitoring is in 1129 place, the regulatory implications of absence of audit-trail or logs 1130 in enterprises, exceeding the capacity of logs, and security 1131 exposures present in chosen / recommended management mechanisms. 1133 Consider security threats that may be introduced by management 1134 operations. For example CAPWAP breaks the structure of monolithic 1135 Access Points (AP) into Access Controllers and Wireless Termination 1136 Points (WTP). By using a management interface, internal information 1137 that was previously not accessible is now exposed over the network 1138 and to management applications and may become a source of potential 1139 security threats. 1141 The granularity of access control needed on management interfaces 1142 needs to match operational needs. Typical requirements are a role- 1143 based access control model and the principle of least privilege, 1144 where a user can be given only the minimum access necessary to 1145 perform a required task. 1147 Some operators wish to do consistency checks of access control lists 1148 across devices. Protocol designers should consider information 1149 models to promote comparisons across devices and across vendors to 1150 permit checking the consistency of security configurations. 1152 Protocol designers should consider how to provide a secure transport, 1153 authentication, identity, and access control which integrates well 1154 with existing key and credential management infrastructure. It is a 1155 good idea to start with defining the threat model for the protocol, 1156 and from that deducing what is required. 1158 Protocol designers should consider how access control lists are 1159 maintained and updated. 1161 Standard SNMP notifications or SYSLOG messages [RFC5424] might 1162 already exist, or can be defined, to alert operators to the 1163 conditions identified in the security considerations for the new 1164 protocol. For example, you can log all the commands entered by the 1165 operator using syslog (giving you some degree of audit trail), or you 1166 can see who has logged on/off using SSH from where, failed SSH logins 1167 can be logged using syslog, etc. 1169 An analysis of existing counters might help operators recognize the 1170 conditions identified in the security considerations for the new 1171 protocol before they can impact the network. 1173 Different management protocols use different assumptions about 1174 message security and data access controls. A protocol designer that 1175 recommends using different protocols should consider how security 1176 will be applied in a balanced manner across multiple management 1177 interfaces. SNMP authority levels and policy are data-oriented, 1178 while CLI authority levels and policy are usually command (task) 1179 oriented. Depending on the management function, sometimes data- 1180 oriented or task-oriented approaches make more sense. Protocol 1181 designers should consider both data-oriented and task-oriented 1182 authority levels and policy. 1184 4. Documentation Guidelines 1186 This document is focused on what to think about, and how to document 1187 the considerations of the protocol designer. 1189 4.1. Recommended Discussions 1191 A Manageability Considerations section should include discussion of 1192 the management and operations topics raised in this document, and 1193 when one or more of these topics is not relevant, it would be useful 1194 to contain a simple statement explaining why the topic is not 1195 relevant for the new protocol. Of course, additional relevant topics 1196 should be included as well. 1198 Existing protocols and data models can provide the management 1199 functions identified in the previous section. Protocol designers 1200 should consider how using existing protocols and data models might 1201 impact network operations. 1203 4.2. Null Manageability Considerations Sections 1205 A protocol designer may seriously consider the manageability 1206 requirements of a new protocol, and determine that no management 1207 functionality is needed by the new protocol. It would be helpful to 1208 those who may update or write extensions to the protocol in the 1209 future or to those deploying the new protocol to know the thinking of 1210 the working regarding the manageability of the protocol at the time 1211 of its design. 1213 If there are no new manageability or deployment considerations, it is 1214 recommended that a Manageability Considerations section contain a 1215 simple statement such as "There are no new manageability requirements 1216 introduced by this document," and a brief explanation of why that is 1217 the case. The presence of such a Manageability Considerations 1218 section would indicate to the reader that due consideration has been 1219 given to manageability and operations. 1221 In the case where the new protocol is an extension, and the base 1222 protocol discusses all the relevant operational and manageability 1223 considerations, it would be helpful to point out the considerations 1224 section in the base document. 1226 4.3. Placement of Operations and Manageability Considerations Sections 1228 If a protocol designer develops a Manageability Considerations 1229 section for a new protocol, it is recommended that the section be 1230 placed immediately before the Security Considerations section. 1231 Reviewers interested in such sections could find it easily, and this 1232 placement could simplify the development of tools to detect the 1233 presence of such a section. 1235 5. IANA Considerations 1237 This document does not introduce any new codepoints or name spaces 1238 for registration with IANA. 1240 Note to RFC Editor: this section may be removed on publication as an 1241 RFC. 1243 6. Security Considerations 1245 This document is informational and provides guidelines for 1246 considering manageability and operations. It introduces no new 1247 security concerns. 1249 The provision of a management portal to a network device provides a 1250 doorway through which an attack on the device may be launched. 1251 Making the protocol under development be manageable through a 1252 management protocol creates a vulnerability to a new source of 1253 attacks. Only management protocols with adequate security apparatus, 1254 such as authentication, message integrity checking, and authorization 1255 should be used. 1257 A standard description of the manageable knobs and whistles on a 1258 protocol makes it easier for an attacker to understand what they may 1259 try to control and how to tweak it. 1261 A well-designed protocol is usually more stable and secure. A 1262 protocol that can be managed and inspected offers the operator a 1263 better chance of spotting and quarantining any attacks. Conversely 1264 making a protocol easy to inspect is a risk if the wrong person 1265 inspects it. 1267 If security events cause logs and or notifications/alerts, a 1268 concerted attack might be able to be mounted by causing an excess of 1269 these events. In other words, the security management mechanisms 1270 could constitute a security vulnerability. The management of 1271 security aspects is important (see Section 3.7). 1273 7. Acknowledgements 1275 This document started from an earlier document edited by Adrian 1276 Farrel, which itself was based on work exploring the need for 1277 Manageability Considerations sections in all Internet-Drafts produced 1278 within the Routing Area of the IETF. That earlier work was produced 1279 by Avri Doria, Loa Andersson, and Adrian Farrel, with valuable 1280 feedback provided by Pekka Savola and Bert Wijnen. 1282 Some of the discussion about designing for manageability came from 1283 private discussions between Dan Romascanu, Bert Wijnen, Juergen 1284 Schoenwaelder, Andy Bierman, and David Harrington. 1286 Thanks to reviewers who helped fashion this document, including 1287 Harald Alvestrand, Ron Bonica, Brian Carpenter, Benoit Claise, Adrian 1288 Farrell, David Kessens, Dan Romascanu, Pekka Savola, Juergen 1289 Schoenwaelder, Bert Wijnen, Ralf Wolter, and Lixia Zhang. 1291 8. Informative References 1293 [RFC1034] Mockapetris, P., "Domain names - 1294 concepts and facilities", STD 13, 1295 RFC 1034, November 1987. 1297 [RFC1052] Cerf, V., "IAB recommendations for 1298 the development of Internet network 1299 management standards", RFC 1052, 1300 April 1988. 1302 [RFC1958] Carpenter, B., "Architectural 1303 Principles of the Internet", 1304 RFC 1958, June 1996. 1306 [RFC2113] Katz, D., "IP Router Alert Option", 1307 RFC 2113, February 1997. 1309 [RFC2119] Bradner, S., "Key words for use in 1310 RFCs to Indicate Requirement Levels", 1311 BCP 14, RFC 2119, March 1997. 1313 [RFC2205] Braden, B., Zhang, L., Berson, S., 1314 Herzog, S., and S. Jamin, "Resource 1315 ReSerVation Protocol (RSVP) -- 1316 Version 1 Functional Specification", 1317 RFC 2205, September 1997. 1319 [RFC2439] Villamizar, C., Chandra, R., and R. 1320 Govindan, "BGP Route Flap Damping", 1321 RFC 2439, November 1998. 1323 [RFC2578] McCloghrie, K., Ed., Perkins, D., 1324 Ed., and J. Schoenwaelder, Ed., 1325 "Structure of Management Information 1326 Version 2 (SMIv2)", STD 58, RFC 2578, 1327 April 1999. 1329 [RFC2711] Partridge, C. and A. Jackson, "IPv6 1330 Router Alert Option", RFC 2711, 1331 October 1999. 1333 [RFC2865] Rigney, C., Willens, S., Rubens, A., 1334 and W. Simpson, "Remote 1335 Authentication Dial In User Service 1336 (RADIUS)", RFC 2865, June 2000. 1338 [RFC2975] Aboba, B., Arkko, J., and D. 1339 Harrington, "Introduction to 1340 Accounting Management", RFC 2975, 1341 October 2000. 1343 [RFC3060] Moore, B., Ellesson, E., Strassner, 1344 J., and A. Westerinen, "Policy Core 1345 Information Model -- Version 1 1346 Specification", RFC 3060, 1347 February 2001. 1349 [RFC3084] Chan, K., Seligson, J., Durham, D., 1350 Gai, S., McCloghrie, K., Herzog, S., 1351 Reichmeyer, F., Yavatkar, R., and A. 1352 Smith, "COPS Usage for Policy 1353 Provisioning (COPS-PR)", RFC 3084, 1354 March 2001. 1356 [RFC3139] Sanchez, L., McCloghrie, K., and J. 1357 Saperia, "Requirements for 1358 Configuration Management of IP-based 1359 Networks", RFC 3139, June 2001. 1361 [RFC3198] Westerinen, A., Schnizlein, J., 1362 Strassner, J., Scherling, M., Quinn, 1363 B., Herzog, S., Huynh, A., Carlson, 1364 M., Perry, J., and S. Waldbusser, 1365 "Terminology for Policy-Based 1366 Management", RFC 3198, November 2001. 1368 [RFC3290] Bernet, Y., Blake, S., Grossman, D., 1369 and A. Smith, "An Informal Management 1370 Model for Diffserv Routers", 1371 RFC 3290, May 2002. 1373 [RFC3410] Case, J., Mundy, R., Partain, D., and 1374 B. Stewart, "Introduction and 1375 Applicability Statements for 1376 Internet-Standard Management 1377 Framework", RFC 3410, December 2002. 1379 [RFC3444] Pras, A. and J. Schoenwaelder, "On 1380 the Difference between Information 1381 Models and Data Models", RFC 3444, 1382 January 2003. 1384 [RFC3460] Moore, B., "Policy Core Information 1385 Model (PCIM) Extensions", RFC 3460, 1386 January 2003. 1388 [RFC3535] Schoenwaelder, J., "Overview of the 1389 2002 IAB Network Management 1390 Workshop", RFC 3535, May 2003. 1392 [RFC3585] Jason, J., Rafalow, L., and E. 1393 Vyncke, "IPsec Configuration Policy 1394 Information Model", RFC 3585, 1395 August 2003. 1397 [RFC3588] Calhoun, P., Loughney, J., Guttman, 1398 E., Zorn, G., and J. Arkko, "Diameter 1399 Base Protocol", RFC 3588, 1400 September 2003. 1402 [RFC3644] Snir, Y., Ramberg, Y., Strassner, J., 1403 Cohen, R., and B. Moore, "Policy 1404 Quality of Service (QoS) Information 1405 Model", RFC 3644, November 2003. 1407 [RFC3670] Moore, B., Durham, D., Strassner, J., 1408 Westerinen, A., and W. Weiss, 1409 "Information Model for Describing 1410 Network Device QoS Datapath 1411 Mechanisms", RFC 3670, January 2004. 1413 [RFC3805] Bergman, R., Lewis, H., and I. 1414 McDonald, "Printer MIB v2", RFC 3805, 1415 June 2004. 1417 [RFC4741] Enns, R., "NETCONF Configuration 1418 Protocol", RFC 4741, December 2006. 1420 [RFC5101] Claise, B., "Specification of the IP 1421 Flow Information Export (IPFIX) 1422 Protocol for the Exchange of IP 1423 Traffic Flow Information", RFC 5101, 1424 January 2008. 1426 [RFC5321] Klensin, J., "Simple Mail Transfer 1427 Protocol", RFC 5321, October 2008. 1429 [RFC5424] Gerhards, R., "The Syslog Protocol", 1430 RFC 5424, March 2009. 1432 [W3C.REC-xmlschema-0-20010502] Fallside, D., "XML Schema Part 0: 1433 Primer", World Wide Web Consortium 1434 FirstEdition REC-xmlschema-0- 1435 20010502, May 2001, . 1439 Appendix A. Operations and Management Review Checklist 1441 This appendix provides a quick checklist of issues that protocol 1442 designers should expect operations and management expert reviewers to 1443 look for when reviewing a document being proposed for consideration 1444 as a protocol standard. 1446 A.1. Operational Considerations 1448 Has deployment been discussed? see Section 2.1 1449 Does the document include a description of how this protocol or 1450 technology is going to be deployed and managed? 1452 Is the proposed specification deployable? If not, how could it be 1453 improved? 1455 Does the solution scale well from the operational and management 1456 perspective? Does the proposed approach have any scaling issues 1457 that could affect usability for large scale operation? 1459 Are there any coexistence issues? 1461 Has installation and initial setup been discussed? see Section 2.2 1463 Is the solution sufficiently configurable? 1465 Are configuration parameters clearly identified? 1467 Are configuration parameters normalized? 1469 Does each configuration parameter have a reasonable default value? 1471 Will configuration be pushed to a device by a configuration 1472 manager, or pulled by a device from a configuration server? 1474 How will the devices and managers find and authenticate each 1475 other? 1477 Has the migration path been discussed? see Section 2.3 1479 Are there any backward compatibility issues? 1481 Have the Requirements on Other Protocols and Functional Components 1482 been discussed? see Section 2.4. 1484 What protocol operations are expected to be performed relative to 1485 the new protocol or technology, and what protocols and data models 1486 are expected to be in place or recommended to ensure for 1487 interoperable management? 1489 Has the Impact on Network Operation been discussed? see Section 2.5 1491 Will the new protocol significantly increase traffic load on 1492 existing networks? 1494 Will the proposed management for the new protocol significantly 1495 increase traffic load on existing networks? 1496 How will the new protocol impact the behavior of other protocols 1497 in the network? Will it impact performance (e.g. jitter) of 1498 certain types of applications running in the same network? 1500 Does the new protocol need supporting services (e.g. DNS or AAA) 1501 added to an existing network? 1503 Have suggestions for verifying correct operation been discussed? see 1504 Section 2.6 1506 How can one test end-to-end connectivity and throughput? 1508 Which metrics are of interest? 1510 Will testing have an impact on the protocol or the network? 1512 Has management interoperability been discussed? see Section 3.1 1514 Is a standard protocol needed for interoperable management? 1516 Is a standard information or data model needed to make properties 1517 comparable across devices from different vendors? 1519 Are there fault or threshold conditions that should be reported? see 1520 Section 3.3 1522 Does specific management information have time utility? 1524 Should the information be reported by notifications? polling? 1525 event-driven polling? 1527 Is notification throttling discussed? 1529 Is there support for saving state that could be used for root- 1530 cause analysis? 1532 Is configuration discussed? see Section 3.4 1534 Are configuration defaults, and default modes of operation 1535 considered? 1537 Is there discussion of what information should be preserved across 1538 reboots of the device or the management system? Can devices 1539 realistically preserve this information through hard reboots where 1540 physical configuration might change (e.g. cards might be swapped 1541 while a chassis is powered down)? 1543 A.2. Management Considerations 1545 Do you anticipate any manageability issues with the specification? 1547 Is Management interoperability discussed? see Section 3.1 1549 Will it use centralized or distributed management? 1551 Will it require remote and/or local management applications? 1553 Are textual or graphical user interfaces required? 1555 Is textual or binary format for management information 1556 preferred? 1558 Is Management Information discussed? see Section 3.2 1560 What is the minimal set of management (configuration, faults, 1561 performance monitoring) objects that need to be instrumented in 1562 order to manage the new protocol? 1564 Is Fault Management discussed? see Section 3.3 1566 Is Liveness Detection and Monitoring discussed? 1568 Does the solution have failure modes that are difficult to 1569 diagnose or correct? Are faults and alarms reported and 1570 logged? 1572 Is Configuration Management discussed? see Section 3.4 1574 Is protocol state information exposed to the user? How? are 1575 significant state transitions logged? 1577 Is Accounting Management discussed? see Section 3.5 1579 Is Performance Management discussed? see Section 3.6 1581 Does the protocol have an impact on network traffic and network 1582 devices? Can performance be measured? 1583 Is protocol performance information exposed to the user? 1585 Is Security Management discussed? see Section 3.7 1587 Does the specification discuss how to manage aspects of 1588 security, such as access controls, managing key distribution, 1589 etc. 1591 A.3. Documentation 1593 Is an operational considerations and/or manageability section part of 1594 the document? 1596 Does the proposed protocol have a significant operational impact on 1597 the Internet? 1599 Is there proof of implementation and/or operational experience? 1601 Author's Address 1603 David Harrington 1604 HuaweiSymantec USA 1605 20245 Stevens Creek Blvd 1606 Cupertino, CA 95014 1607 USA 1609 Phone: +1 603 436 8634 1610 Fax: 1611 EMail: ietfdbh@comcast.net 1612 URI: