One document matched: draft-ietf-opsawg-operations-and-management-09.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!--
<!ENTITY RelaxNG SYSTEM "http://www.relaxng.org/">
<!ENTITY DSDL SYSTEM "http://www.dsdl.org/">
-->
<!ENTITY rfc5321 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5321.xml">
<!ENTITY rfc1034 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1034.xml">
<!ENTITY rfc1052 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1052.xml">
<!ENTITY rfc1958 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1958.xml">
<!ENTITY rfc2113 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2113.xml">
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc2205 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2205.xml">
<!ENTITY rfc2439 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2439.xml">
<!ENTITY rfc2578 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2578.xml">
<!ENTITY rfc2711 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2711.xml">
<!ENTITY rfc2865 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml">
<!ENTITY rfc2975 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2975.xml">
<!ENTITY rfc3060 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3060.xml">
<!ENTITY rfc3084 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3084.xml">
<!ENTITY rfc3139 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3139.xml">
<!ENTITY rfc3198 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3198.xml">
<!ENTITY rfc3290 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3290.xml">
<!ENTITY rfc3410 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3410.xml">
<!ENTITY rfc3444 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3444.xml">
<!ENTITY rfc3460 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3460.xml">
<!ENTITY rfc3535 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3535.xml">
<!ENTITY rfc3585 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3585.xml">
<!ENTITY rfc3588 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3588.xml">
<!ENTITY rfc3644 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3644.xml">
<!ENTITY rfc3670 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3670.xml">
<!ENTITY rfc3805 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3805.xml">
<!ENTITY rfc4741 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4741.xml">
<!ENTITY rfc5101 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5101.xml">
<!ENTITY rfc5424 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5424.xml">
<!ENTITY W3C.REC-xmlschema-0-20010502 SYSTEM "http://xml.resource.org/public/rfc/bibxml4/reference.W3C.REC-xmlschema-0-20010502.xml">
]>
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc strict="yes"?>
<?rfc rfcedstyle="yes"?>
<rfc category="info" docName="draft-ietf-opsawg-operations-and-management-09"
ipr="pre5378Trust200902">
<!--
$Id: draft-ietf-opsawg-operations-and-management.xml,v 1.12 2009/09/10 20:23:14 David Exp $
-->
<front>
<title abbrev="Ops and Mgmt Guidelines">Guidelines for Considering
Operations and Management of New Protocols and Protocol Extensions</title>
<author fullname="David Harrington" initials="D" surname="Harrington">
<organization>HuaweiSymantec USA</organization>
<address>
<postal>
<street>20245 Stevens Creek Blvd</street>
<city>Cupertino</city>
<region>CA</region>
<code>95014</code>
<country>USA</country>
</postal>
<phone>+1 603 436 8634</phone>
<facsimile></facsimile>
<email>ietfdbh@comcast.net</email>
<uri></uri>
</address>
</author>
<date year="2009" />
<area>IETF Operations and Management Area</area>
<keyword>management</keyword>
<keyword>operations</keyword>
<abstract>
<t>New protocols or protocol extensions are best designed with due
consideration of functionality needed to operate and manage the
protocols. Retrofitting operations and management is sub-optimal. The
purpose of this document is to provide guidance to authors and reviewers
of documents defining new protocols or protocol extensions, about
covering aspects of operations and management that should be
considered.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Often when new protocols or protocol extensions are developed, not
enough consideration is given to how the protocol will be deployed,
operated and managed. Retrofitting operations and management mechanisms
is often hard and architecturally unpleasant, and certain protocol
design choices may make deployment, operations, and management
particularly hard. This document provides guidelines to help protocol
designers and working groups consider the operations and management
functionality for their new IETF protocol or protocol extension at an
earlier phase.</t>
<section title="Designing for Operations and Management">
<t>The operational environment and manageability of the protocol
should be considered from the start when new protocols are
designed.</t>
<t>Most of the existing IETF management standards are focused on using
SMI-based data models (MIB modules) to monitor and manage networking
devices. As the Internet has grown, IETF protocols have addressed a
constantly growing set of needs, such as web servers and collaboration
services and applications. The number of IETF management technologies
has been expanding and the IETF management strategy has been changing
to address the emerging management requirements. The discussion of
emerging sets of management requirements has a long history in the
IETF. The set of management protocols you should use depends on what
you are managing.</t>
<t>Protocol designers should consider which operations and management
needs are relevant to their protocol, document how those needs could
be addressed, and suggest (preferably standard) management protocols
and data models that could be used to address those needs. This is
similar to a working group (WG) that considers which security threats
are relevant to their protocol, documents how threats should be
mitigated, and then suggests appropriate standard protocols that could
mitigate the threats.</t>
<t>When a WG considers operation and management functionality for a
protocol, the document should contain enough information to understand
how the protocol will be deployed and managed, and the WG should
expect that considerations for operations and management may need to
be updated in the future, after further operational experience has
been gained.</t>
</section>
<section title="This Document">
<t>This document makes a distinction between "Operational
Considerations" and "Management Considerations", although the two are
closely related. The section on manageability is focused on management
technology such as how to utilize management protocols and how to
design management data models. The operational considerations apply to
operating the protocol within a network, even if there were no
management protocol actively being used.</t>
<t>The purpose of this document is to provide guidance about what to
consider when thinking about the management and deployment of a new
protocol, and to provide guidance about documenting the
considerations. The following guidelines are designed to help writers
provide a reasonably consistent format for such documentation.
Separate manageability and operational considerations sections are
desirable in many cases, but their structure and location is a
decision that can be made from case to case.</t>
<t>This document does not impose a solution, or imply that a formal
data model is needed, or imply that using a specific management
protocol is mandatory. If protocol designers conclude that the
technology can be managed solely by using proprietary command line
interfaces (CLIs), and no structured or standardized data model needs
to be in place, this might be fine, but it is a decision that should
be explicit in a manageability discussion, that this is how the
protocol will need to be operated and managed. Protocol designers
should avoid having manageability pushed for a later phase of the
development of the standard.</t>
<t>This document discusses the importance of considering operations
and management by setting forth a list of guidelines and a checklist
of questions to consider, which a protocol designer or reviewer can
use to evaluate whether the protocol and documentation address common
operations and management needs. Operations and management are highly
dependent on their environment, so most guidelines are subjective
rather than objective.</t>
<!--
<t>This document provides some objective criteria to promote interoperability
through the use of standard management interfaces, such as "did you
design counters in a MIB module for monitoring packets in/out of an
interface?" <xref target="RFC2863">The Interfaces Group MIB
</xref>, "did you write an XML-based
data model for configuring your protocol with Netconf?" <xref
target="RFC4741">NETCONF Configuration Protocol</xref>, and "did you standardize syslog message
content and structured data elements for reporting events that might
occur when operating your protocol?" <xref
target="I-D.ietf-syslog-protocol"></xref> and "did you consider appropriate notifications in case of failure situations?"</t>
-->
</section>
<section title="Motivation">
<t>For years the IETF community has used the IETF Standard Management
Framework, including the Simple Network Management Protocol <xref
target="RFC3410"></xref>, the Structure of Management Information
<xref target="RFC2578"></xref>, and MIB data models for managing new
protocols. As the Internet has evolved, operators have found the
reliance on one protocol and one schema language for managing all
aspects of the Internet inadequate. The IESG policy to require working
groups to write a MIB module to provide manageability for new
protocols is being replaced by a policy that is more open to using a
variety of management protocols and data models designed to achieve
different goals.</t>
<t>This document provides some initial guidelines for considering
operations and management in an IETF Management Framework that
consists of multiple protocols and multiple data modeling languages,
with an eye toward being flexible while also striving for
interoperability.</t>
<t>Fully new protocols may require significant consideration of
expected operations and management, while extensions to existing
widely-deployed protocols may have established defacto operations and
management practices that are already well understood.</t>
<t>Suitable management approaches may vary for different areas,
working groups, and protocols in the IETF. This document does not
prescribe a fixed solution or format in dealing with operational and
management aspects of IETF protocols. However, these aspects should be
considered for any IETF protocol, because we develop technologies and
protocols to be deployed and operated in the real world Internet. It
is fine if a WG decides that its protocol does not need interoperable
management or no standardized data model, but this should be a
deliberate decision, not the result of omission. This document
provides some guidelines for those considerations.</t>
</section>
<section title="Background">
<t>There have been a significant number of efforts, meetings, and
documents that are related to Internet operations and management. Some
of them are mentioned here, to help protocol designers find
documentation of previous efforts. Hopefully, providing these
references will help the IETF avoid rehashing old discussions and
reinventing old solutions.</t>
<t>In 1988, the IAB published <xref target="RFC1052">IAB
Recommendations for the Development of Internet Network Management
Standards</xref> which recommended a solution that, where possible,
deliberately separates modeling languages, data models, and the
protocols that carry data. The goal is to allow standardized
information and data models to be used by different protocols.</t>
<t>In 2001, OPS Area design teams were created to document
requirements related to configuration of IP-based networks. One output
was "Requirements for Configuration Management of IP-based Networks"
<xref target="RFC3139"></xref>.</t>
<t>In 2003, the Internet Architecture Board (IAB) held a workshop on
Network Management <xref target="RFC3535"></xref> that discussed the
strengths and weaknesses of some IETF network management protocols,
and compared them to operational needs, especially configuration.</t>
<t>One issue discussed was the user-unfriendliness of the binary
format of SNMP <xref target="RFC3410"></xref> and <xref
target="RFC3084">COPS Usage for Policy Provisioning (COPS-PR)</xref>,
and it was recommended that the IETF explore an XML-based Structure of
Management Information, and an XML-based protocol for
configuration.</t>
<t>Another conclusion was that the tools for event/alarm correlation
and for root cause analysis and logging are not sufficient, and that
there is a need to support a human interface and a programmatic
interface. The IETF decided to standardize aspects of the de facto
standard for system logging security and programmatic support.</t>
<t>In 2006, the IETF discussed whether the Management Framework should
be updated to accommodate multiple IETF schema languages for
describing the structure of management information, and multiple IETF
standard protocols for performing management tasks. The IESG asked
that a document be written to discuss how protocol designers and
working groups should address management in this emerging
multi-protocol environment. This document, and some planned companion
documents, attempt to provide some guidelines for navigating the
rapidly-shifting operating and management environments.</t>
</section>
<!-- background -->
<section anchor="availmgmt" title="Available Management Technologies">
<t>The IETF has a number of standard management protocols available
that are suitable for different purposes. These include <list>
<t>SNMP <xref target="RFC3410"></xref>,</t>
<t>SYSLOG <xref target="RFC5424"></xref>,</t>
<t>RADIUS <xref target="RFC2865"></xref>,</t>
<t>DIAMETER <xref target="RFC3588"></xref>,</t>
<t>NETCONF <xref target="RFC4741"></xref>,</t>
<t>IPFIX <xref target="RFC5101"></xref>.</t>
</list> A planned supplement to this document will discuss these
protocol standards, and discuss some standard information and data
models for specific functionality, and provide pointers to the
documents that define them.</t>
</section>
<!-- available -->
<section title="Terminology">
<t>This document deliberately does not use the (capitalized) keywords
described in <xref target="RFC2119">RFC 2119</xref>. RFC 2119 states
the keywords must only be used where it is actually required for
interoperation or to limit behavior which has potential for causing
harm (e.g., limiting retransmissions). For example, they must not be
used to try to impose a particular method on implementers where the
method is not required for interoperability. This document is a set of
guidelines based on current practices of protocol designers and
operators. This document does not describe requirements, so the key
words from RFC2119 have no place here.</t>
<t><list style="symbols">
<t>CLI: Command Line Interface</t>
<t>Data model: A mapping of the contents of an information model
into a form that is specific to a particular type of data store or
repository. <xref target="RFC3444"></xref></t>
<t>Information model: An abstraction and representation of the
entities in a managed environment, their properties, attributes
and operations, and the way that they relate to each other. It is
independent of any specific repository, software usage, protocol,
or platform. <xref target="RFC3444"></xref></t>
<t>"new protocol" includes new protocols, protocol extensions,
data models, or other functionality being designed.</t>
<t>"protocol designer" represents individuals and working groups
involved in the development of new protocols or extensions.</t>
</list></t>
</section>
<!-- Terminology -->
</section>
<!-- Introduction -->
<section anchor="opcons"
title="Operational Considerations - How Will the New Protocol Fit Into the Current Environment?">
<t>Designers of a new protocol should carefully consider the operational
aspects. To ensure that a protocol will be practical to deploy in the
real world, it is not enough to merely define it very precisely in a
well-written document. Operational aspects will have a serious impact on
the actual success of a protocol. Such aspects include bad interactions
with existing solutions, a difficult upgrade path, difficulty of
debugging problems, difficulty configuring from a central database, or a
complicated state diagram that operations staff will find difficult to
understand.</t>
<t>BGP flap damping <xref target="RFC2439"></xref> is an example. It was
designed to block high frequency route flaps, however the design did not
consider the existence of BGP path exploration/slow convergence. In real
operations, path exploration caused false flap damping, resulting in
loss of reachability. As a result, many networks turned flap damping
off.</t>
<section anchor="opsmodel" title="Operations">
<t>Protocol designers can analyze the operational environment and mode
of work in which the new protocol or extension will work. Such an
exercise need not be reflected directly by text in their document, but
could help in visualizing how to apply the protocol in the Internet
environments where it will be deployed.</t>
<t>A key question is how the protocol can operate "out of the box". If
implementers are free to select their own defaults, the protocol needs
to operate well with any choice of values. If there are sensible
defaults, these need to be stated.</t>
<t>There may be a need to support a human interface, e.g., for
troubleshooting, and a programmatic interface, e.g., for automated
monitoring and root cause analysis. The application programming
interfaces and the human interfaces might benefit from being similar
to ensure that the information exposed by these two interfaces is
consistent when presented to an operator. Identifying consistent
methods of determining information, such as what gets counted in a
specific counter, is relevant.</t>
<!--A human interface, such as a command line interface, is
useful for troubleshooting, while a programmatic interface is
important for managing multiple devices in a consistent manner, and
automating repetitive functions. Graphical user interfaces can help an
operator comprehend an overview of the network quickly (one picture is
worth a thousand words), but an operator may also require seeing the
raw data to better understand just what is happening in the network.
Ease of use is a key requirement for any network management technology
from the operators point of view. Protocol designers should consider how
various protocol choices might impact ease of use in different
scenarios. -->
<t>Protocol designers should consider what management operations are
expected to be performed as a result of the deployment of the protocol
- such as whether write operations will be allowed on routers and on
hosts, or whether notifications for alarms or other events will be
expected.</t>
</section>
<section anchor="opsinstall" title="Installation and Initial Setup">
<t>Anything that can be configured can be misconfigured.
"Architectural Principles of the Internet" <xref
target="RFC1958"></xref> Section 3.8 states: "Avoid options and
parameters whenever possible. Any options and parameters should be
configured or negotiated dynamically rather than manually."</t>
<t>To simplify configuration, protocol designers should consider
specifying reasonable defaults, including default modes and
parameters. For example, it could be helpful or necessary to specify
default values for modes, timers, default state of logical control
variables, default transports, and so on. Even if default values are
used, it must be possible to retrieve all the actual values or at
least an indication that known default values are being used.</t>
<t>Protocol designers should consider how to enable operators to
concentrate on the configuration of the network as a whole rather than
on individual devices. Of course, how one accomplishes this is the
hard part.</t>
<t>It is desirable to discuss the background of chosen default values,
or perhaps why a range of values makes sense. In many cases, as
technology changes, the values in an RFC might make less and less
sense. It is very useful to understand whether defaults are based on
best current practice and are expected to change as technologies
advance or whether they have a more universal value that should not be
changed lightly. For example, the default interface speed might be
expected to change over time due to increased speeds in the network,
and cryptographical algorithms might be expected to change over time
as older algorithms are "broken".</t>
<t>It is extremely important to set a sensible default value for all
parameters</t>
<t>The default value should stay on the conservative side rather than
on the "optimizing performance" side. (example: the initial RTT and
RTTvar values of a TCP connection)</t>
<t>For those parameters that are speed-dependent, instead of using a
constant, try to set the default value as a function of the link speed
or some other relevant factors. This would help reduce the chance of
problems caused by technology advancement.</t>
</section>
<section anchor="opsmig" title="Migration Path">
<t>If the new protocol is a new version of an existing one, or if it
is replacing another technology, the protocol designer should consider
how deployments should transition to the new protocol. This should
include co-existence with previously deployed protocols and/or
previous versions of the same protocol, incompatibilities between
versions, translation between versions, and side-effects that might
occur. Are older protocols or versions disabled or do they co-exist in
the network with the new protocol?</t>
<t>Many protocols benefit from being incrementally deployable -
operators may deploy aspects of a protocol before deploying the
protocol fully.</t>
</section>
<section anchor="opsdep"
title="Requirements on Other Protocols and Functional Components">
<t>Protocol designers should consider the requirements that the new
protocol might put on other protocols and functional components, and
should also document the requirements from other protocols and
functional elements that have been considered in designing the new
protocol.</t>
<t>These considerations should generally remain illustrative to avoid
creating restrictions or dependencies, or potentially impacting the
behavior of existing protocols, or restricting the extensibility of
other protocols, or assuming other protocols will not be extended in
certain ways. If restrictions or dependencies exist, they should be
stated.</t>
<t>For example, the design of <xref target="RFC2205">Resource
ReSerVation Protocol (RSVP)</xref> required each router to look at the
RSVP PATH message, and if the router understood RSVP, to add its own
address to the message to enable automatically tunneling through
non-RSVP routers. But in reality routers cannot look at an otherwise
normal IP packet, and potentially take it off the fast path! The
initial designers overlooked that a new "deep packet inspection"
requirement was being put on the functional components of a router.
The "router alert" option <xref target="RFC2113"></xref> <xref
target="RFC2711"></xref> was finally developed to solve this problem
for RSVP and other protocols that require the router to take some
packets off the fast forwarding path. Router alert has its own
problems in impacting router performance.</t>
</section>
<section anchor="opsimpact" title="Impact on Network Operation">
<t>The introduction of a new protocol or extensions to an existing
protocol may have an impact on the operation of existing networks.
Protocol designers should outline such impacts (which may be positive)
including scaling concerns and interactions with other protocols. For
example, a new protocol that doubles the number of active, reachable
addresses in use within a network might need to be considered in the
light of the impact on the scalability of the interior gateway
protocols operating within the network.</t>
<t>A protocol could send active monitoring packets on the wire. If we
don't pay attention, we might get very good accuracy, but could send
too many active monitoring packets.</t>
<t>The protocol designer should consider the potential impact on the
behavior of other protocols in the network and on the traffic levels
and traffic patterns that might change, including specific types of
traffic such as multicast. Also consider the need to install new
components that are added to the network as result of the changes in
the configuration, such as servers performing auto-configuration
operations.</t>
<t>The protocol designer should consider also the impact on
infrastructure applications like <xref target="RFC1034">DNS</xref>,
the registries, or the size of routing tables. For example, <xref
target="RFC5321">Simple Mail Transfer Protocol (SMTP)</xref> servers
use a reverse DNS lookup to filter out incoming connection requests.
When Berkeley installed a new spam filter, their mail server stopped
functioning because of the DNS cache resolver overload.</t>
<t>The impact on performance may also be noted - increased delay or
jitter in real-time traffic applications, or response time in
client-server applications when encryption or filtering are
applied.</t>
<t>It is important to minimize the impact caused by configuration
changes. Given configuration A and configuration B, it should be
possible to generate the operations necessary to get from A to B with
minimal state changes and effects on network and systems.</t>
</section>
<section anchor="opsverify" title="Verifying Correct Operation">
<t>The protocol designer should consider techniques for testing the
effect that the protocol has had on the network by sending data
through the network and observing its behavior (aka active
monitoring). Protocol designers should consider how the correct
end-to-end operation of the new protocol in the network can be tested
actively and passively, and how the correct data or forwarding plane
function of each network element can be verified to be working
properly with the new protocol. Which metrics are of interest?</t>
<t>Having simple protocol status and health indicators on network
devices is a recommended means to check correct operation.</t>
</section>
</section>
<section title="Management Considerations - How Will The Protocol be Managed?">
<t>The considerations of manageability should start from identifying the
entities to be managed, and how the managed protocol is supposed to be
installed, configured and monitored.</t>
<t>Considerations for management should include a discussion of what
needs to be managed, and how to achieve various management tasks. Where
are the managers and what type of management interfaces and protocols
will they need? The "write a MIB module" approach to considering
management often focuses on monitoring a protocol endpoint on a single
device. A MIB module document typically only considers monitoring
properties observable at one end, while the document does not really
cover managing the *protocol* (the coordination of multiple ends), and
does not even come near managing the *service* (which includes a lot of
stuff that is very far away from the box). This is exactly what
operators hate - you need to be able to manage both ends. As <xref
target="RFC3535"></xref> says, MIB modules can often be characterized as
a list of ingredients without a recipe.</t>
<t>The management model should take into account factors such as: <list
style="symbols">
<t>what type of management entities will be involved (agents,
network management systems)?</t>
<t>what is the possible architecture (client-server, manager-agent,
poll-driven or event-driven, autoconfiguration, two levels or
hierarchical)?</t>
<t>what are the management operations - initial configuration,
dynamic configuration, alarm and exception reporting, logging,
performance monitoring, performance reporting, debugging?</t>
<t>how are these operations performed - locally, remotely, atomic
operation, scripts? Are they performed immediately or time scheduled
or event triggered?</t>
<!--
<t>what are the typical user interfaces - Command line (CLI) or
graphical user interface (GUI)?</t>
-->
</list></t>
<t>Protocol designers should consider how the new protocol will be
managed in different deployment scales. It might be sensible to use a
local management interface to manage the new protocol on a single
device, but in a large network, remote management using a centralized
server and/or using distributed management functionality might make more
sense. Auto-configuration and default parameters might be possible for
some new protocols.</t>
<t>Management needs to be considered not only from the perspective of a
device, but also from the perspective of network and service management
perspectives. A service might be network and operational functionality
derived from the implementation and deployment of a new protocol. Often
an individual network element is not aware of the service being
delivered.</t>
<t>WGs should consider how to configure multiple related/co-operating
devices and how to back off if one of those configurations fails or
causes trouble. NETCONF <xref target="RFC4741"></xref> addresses this in
a generic manner by allowing an operator to lock the configuration on
multiple devices, perform the configuration settings/changes, check that
they are OK (undo if not) and then unlock the devices.</t>
<t>Techniques for debugging protocol interactions in a network must be
part of the network management discussion. Implementation source code
should be debugged before ever being added to a network, so asserts and
memory dumps do not normally belong in management data models. However,
debugging on-the-wire interactions is a protocol issue: while the
messages can be seen by sniffing, it is enormously helpful if a protocol
specification supports features that make debugging of network
interactions and behaviors easier. There could be alerts issued when
messages are received, or when there are state transitions in the
protocol state machine. However, the state machine is often not part of
the on-the-wire protocol; the state machine explains how the protocol
works so that an implementer can decide, in an implementation-specific
manner, how to react to a received event.</t>
<t>In a client/server protocol, it may be more important to instrument
the server end of a protocol than the client end, since the performance
of the server might impact more nodes than the performance of a specific
client.</t>
<section anchor="intermgmt" title="Interoperability">
<t>Just as when deploying protocols that will inter-connect devices,
management interoperability should be considered, whether across
devices from different vendors, across models from the same vendor, or
across different releases of the same product. Management
interoperability refers to allowing information sharing and operations
between multiple devices and multiple management applications, often
from different vendors. Interoperability allows for the use of 3rd
party applications and the outsourcing of management services.</t>
<t>Some product designers and protocol designers assume that if a
device can be managed individually using a command line interface or a
web page interface, that such a solution is enough. But when equipment
from multiple vendors is combined into a large network, scalability of
management may become a problem. It may be important to have
consistency in the management interfaces so network-wide operational
processes can be automated. For example, a single switch might be
easily managed using an interactive web interface when installed in a
single office small business, but when, say, a fast food company
installs similar switches from multiple vendors in hundreds or
thousands of individual branches and wants to automate monitoring them
from a central location, monitoring vendor-and-model-specific web
pages would be difficult to automate.</t>
<t>The primary goal is the ability to roll out new useful functions
and services in a way in which they can be managed in a scalable
manner, where one understands the network impact (as part of the total
cost of operations) of that service.</t>
<t>Getting everybody to agree on a single syntax and an associated
protocol to do all management has proven to be difficult. So
management systems tend to speak whatever the boxes support, whether
the IETF likes this or not. The IETF is moving from support for one
schema language for modeling the structure of management information
(<xref target="RFC2578">Structure of Management Information Version 2
(SMIv2) </xref>) and one simple network management protocol (<xref
target="RFC3410">Simple Network Management Protocol (SNMP)</xref>)
towards support for additional schema languages and additional
management protocols suited to different purposes. Other Standard
Development Organizations (e.g. DMTF, TMF) also define schemas and
protocols for management and these may be more suitable than IETF
schemas and protocols in some cases. Some of the alternatives being
considered include <list>
<t><xref target="W3C.REC-xmlschema-0-20010502">XML Schema
Definition</xref></t>
<!--
<t><xref target="RelaxNG">Relax NG</xref></t>
<t><xref target="DSDL">Document Schema Definition Languages</xref></t>
-->
<t>and others</t>
</list> and <list>
<t><xref target="RFC4741">NETCONF Configuration
Protocol</xref></t>
<t><xref target="RFC5101">IP Flow Information Export (IPFIX)
Protocol </xref>) for usage accounting</t>
<t><xref target="RFC5424">The syslog Protocol</xref> for
logging</t>
<t>and others</t>
</list></t>
<t>Interoperability needs to be considered on the syntactic level and
the semantic level. While it can be irritating and time-consuming,
application designers including operators who write their own scripts
can make their processing conditional to accommodate syntactic
differences across vendors or models or releases of product.</t>
<t>Semantic differences are much harder to deal with on the manager
side - once you have the data, its meaning is a function of the
managed entity.</t>
<t>Information models are helpful to try to focus interoperability on
the semantic level - they establish standards for what information
should be gathered, and how gathered information might be used
regardless of which management interface carries the data or which
vendor produces the product. The use of an information model might
help improve the ability of operators to correlate messages in
different protocols where the data overlaps, such as a SYSLOG message
and an SNMP notification about the same event. An information model
might identify which error conditions should be counted separately,
and which error conditions can be counted together in a single
counter. Then, whether the counter is gathered via SNMP or a CLI
command or a SYSLOG message, the counter will have the same
meaning.</t>
<t>Protocol designers should consider which information might be
useful for managing the new protocol or protocol extensions.</t>
<figure title="Figure 1">
<preamble></preamble>
<artwork><![CDATA[ IM --> conceptual/abstract model
| for designers and operators
+----------+---------+
| | |
DM DM DM --> concrete/detailed model
for implementers
]]></artwork>
<postamble>Information Models and Data Models</postamble>
</figure>
<t>Protocol designers may decide an information model or data model
would be appropriate for managing the new protocol or protocol
extensions.</t>
<t>On the Difference between Information Models and Data Models <xref
target="RFC3444"> </xref> can be helpful in determining what
information to consider regarding information models, as compared to
data models.</t>
<t>Information models should come from the protocol WGs and include
lists of events, counters and configuration parameters that are
relevant. There are a number of information models contained in
protocol WG RFCs. Some examples:</t>
<t><list style="symbols">
<t><xref target="RFC3060"></xref> - Policy Core Information Model
version 1</t>
<t><xref target="RFC3290"></xref> - An Informal Management Model
for DiffServ Routers</t>
<t><xref target="RFC3460"></xref> - Policy Core Information Model
Extensions</t>
<t><xref target="RFC3585"></xref> - IPsec Configuration Policy
Information Model</t>
<t><xref target="RFC3644"></xref> - Policy Quality of Service
Information Model</t>
<t><xref target="RFC3670"></xref> - Information Model for
Describing Network Device QoS Datapath Mechanisms</t>
<t><xref target="RFC3805"></xref> - Printer MIB v2 contains both
an IM and a DM</t>
</list>Management protocol standards and management data model
standards often contain compliance clauses to ensure interoperability.
Manageability considerations should include discussion of which level
of compliance is expected to be supported for interoperability.</t>
<t></t>
</section>
<section anchor="datamgmt" title="Management Information">
<t>Languages used to describe an information model can influence the
nature of the model. Using a particular data modeling language, such
as the SMIv2, influence the model to use certain types of structures,
such as two-dimensional tables. This document recommends using English
text (the official language for IETF specifications) to describe an
information model. A sample data model could be developed to
demonstrate the information model.</t>
<t>A management information model should include a discussion of what
is manageable, which aspects of the protocol need to be configured,
what types of operations are allowed, what protocol-specific events
might occur, which events can be counted, and for which events should
an operator be notified.</t>
<t>Operators find it important to be able to make a clear distinction
between configuration data, operational state, and statistics. They
need to determine which parameters were administratively configured
and which parameters have changed since configuration as the result of
mechanisms such as routing protocols or network management protocols.
It is important to be able to separately fetch current configuration
information, initial configuration information, operational state
information, and statistics from devices, and to be able to compare
current state to initial state, and to compare information between
devices. So when deciding what information should exist, do not
conflate multiple information elements into a single element.</t>
<t>What is typically difficult to work through are relationships
between abstract objects. Ideally an information model would describe
the relationships between the objects and concepts in the information
model.</t>
<t>Is there always just one instance of this object or can there be
multiple instances? Does this object relate to exactly one other
object or may it relate to multiple? When is it possible to change a
relationship?</t>
<t>Do objects (such as rows in tables) share fate? For example, if a
row in table A must exist before a related row in table B can be
created, what happens to the row in table B if the related row in
table A is deleted? Does the existence of relationships between
objects have an impact on fate sharing?</t>
<section title="Information Model Design">
<t>This document recommends keeping the information model as simple
as possible by applying the following criteria: <list
style="numbers">
<t>Start with a small set of essential objects and add only as
further objects are needed.</t>
<t>Require that objects be essential for management.</t>
<t>Consider evidence of current use and/or utility.</t>
<t>Limit the total number of objects.</t>
<t>Exclude objects that are simply derivable from others in this
or other information models.</t>
<t>Avoid causing critical sections to be heavily instrumented. A
guideline is one counter per critical section per layer.</t>
</list></t>
</section>
</section>
<section anchor="faultmgmt" title="Fault Management">
<t>The protocol designer should document the basic faults and health
indicators that need to be instrumented for the new protocol, and the
alarms and events that must be propagated to management applications
or exposed through a data model.</t>
<t>The protocol designer should consider how fault information will be
propagated. Will it be done using asynchronous notifications or
polling of health indicators?</t>
<t>If notifications are used to alert operators to certain conditions,
then the protocol designer should discuss mechanisms to throttle
notifications to prevent congestion and duplications of event
notifications. Will there be a hierarchy of faults, and will the fault
reporting be done by each fault in the hierarchy, or will only the
lowest fault be reported and the higher levels be suppressed? Should
there be aggregated status indicators based on concatenation of
propagated faults from a given domain or device?</t>
<t>SNMP notifications and SYSLOG messages can alert an operator when
an aspect of the new protocol fails or encounters an error or failure
condition, and SNMP is frequently used as a heartbeat monitor. Should
the event reporting provide guaranteed accurate delivery of the event
information within a given (high) margin of confidence? Can we poll
the latest events in the box?</t>
<section title="Liveness Detection and Monitoring">
<t>Protocol designers should always build in basic testing features
(e.g. ICMP echo, UDP/TCP echo service, NULL RPC calls) that can be
used to test for liveness, with an option to enable and disable
them.</t>
<t>Mechanisms for monitoring the liveness of the protocol and for
detecting faults in protocol connectivity are usually built into
protocols. In some cases, mechanisms already exist within other
protocols responsible for maintaining lower layer connectivity (e.g.
ICMP echo), but often new procedures are required to detect failures
and to report rapidly, allowing remedial action to be taken.</t>
<t>These liveness monitoring mechanisms do not typically require
additional management capabilities. However, when a system detects a
fault, there is often a requirement to coordinate recovery action
through management applications or at least to record the fact in an
event log.</t>
</section>
<section title="Fault Determination">
<t>It can be helpful to describe how faults can be pinpointed using
management information. For example, counters might record instances
of error conditions. Some faults might be able to be pinpointed by
comparing the outputs of one device and the inputs of another device
looking for anomalies. Protocol designers should consider what
counters should count. If a single counter provided by vendor A
counts three types of error conditions, while the corresponding
counter provided by vendor B counts seven types of error conditions,
these counters cannot be compared effectively - they are not
interoperable counters.</t>
<t>How do you distinguish between faulty messages and good
messages?</t>
<t>Would some threshold-based mechanisms, such as RMON events/alarms
or the EVENT-MIB, be useable to help determine error conditions? Are
SNMP notifications for all events needed, or are there some
"standard" notifications that could be used? or can relevant
counters be polled as needed?</t>
</section>
<section title="Root Cause Analysis">
<t>Root cause analysis is about working out where in the network the
fault is. For example, if end-to-end data delivery is failing
(reported by a notification), root cause analysis can help find the
failed link or node in the end-to-end path.</t>
</section>
<section title="Fault Isolation">
<t>It might be useful to isolate or quarantine faults, such as
isolating a device that emits malformed messages that are necessary
to coordinate connections properly. This might be able to be done by
configuring next-hop devices to drop the faulty messages to prevent
them from entering the rest of the network.</t>
</section>
</section>
<section anchor="confmgmt" title="Configuration Management">
<t>A protocol designer should document the basic configuration
parameters that need to be instrumented for a new protocol, as well as
default values and modes of operation.</t>
<t>What information should be maintained across reboots of the device,
or restarts of the management system?</t>
<t><xref target="RFC3139">"Requirements for Configuration Management
of IP-based Networks"</xref> discusses requirements for configuration
management, including discussion of different levels of management,
high-level-policies, network-wide configuration data, and device-local
configuration. Network configuration is not just multi-device push or
pull. It is knowing that the configurations being pushed are
semantically compatible. Is the circuit between them configured
compatibly on both ends? is the is-is metric the same? ... now do that
for 1,000 devices.</t>
<t>A number of efforts have existed in the IETF to develop
policy-based configuration management. <xref
target="RFC3198">"Terminology for Policy-Based Management"</xref> was
written to standardize the terminology across these efforts.</t>
<!-- <t>It is highly desirable that text processing tools such as diff, and
version management tools such as RCS or CVS or SVN, can be used to
process configurations. This approach simplifies comparing the current
operational state to the initial configuration. It is commonplace to compare
configuration changes to e.g., last day, last week, last month, etc. Having
configuration in a text, and human-understandable format is very valuable
for various reasons such as change control (or verification), configuration
consistency checks, etc.</t>
<t>With structured text such as XML, simple text diffs may be found to
be inadequate and more sophisticated tools may be needed to make any
useful comparison of versions.</t>
-->
<t>Implementations should not arbitrarily modify configuration data.
In some cases (such as Access Control Lists) the order of data items
is significant and comprises part of the configured data. If a
protocol designer defines mechanisms for configuration, it would be
desirable to standardize the order of elements for consistency of
configuration and of reporting across vendors, and across releases
from vendors.</t>
<t>There are two parts to this: 1. An NMS system could optimize access
control lists (ACLs) for performance reasons 2. Unless the device/NMS
systems has correct rules/a lot of experience, reordering ACLs can
lead to a huge security issue.</t>
<t>Network wide configurations may be stored in central master
databases and transformed into formats that can be pushed to devices,
either by generating sequences of CLI commands or complete
configuration files that are pushed to devices. There is no common
database schema for network configuration, although the models used by
various operators are probably very similar. Many operators consider
it desirable to extract, document, and standardize the common parts of
these network wide configuration database schemas. A protocol designer
should consider how to standardize the common parts of configuring the
new protocol, while recognizing that vendors may also have proprietary
aspects of their configurations.</t>
<!--
<t>It is important to distinguish between the distribution of
configurations and the activation of a certain configuration. Devices
should be able to hold multiple configurations. NETCONF <xref
target="RFC4741"></xref>, for example, differentiates between the
"running" configuration and "candidate" configurations.</t>
-->
<t>It is important to enable operators to concentrate on the
configuration of the network as a whole rather than individual
devices. Support for configuration transactions across a number of
devices could significantly simplify network configuration management.
The ability to distribute configurations to multiple devices, or
modify candidate configurations on multiple devices, and then activate
them in a near-simultaneous manner might help. Protocol designers can
consider how it would make sense for their protocol to be configured
across multiple devices. Configuration-templates might also be
helpful.</t>
<t>Consensus of the 2002 IAB Workshop <xref target="RFC3535"></xref>
was that textual configuration files should be able to contain
international characters. Human-readable strings should utilize UTF-8,
and protocol elements should be in case insensitive ASCII.</t>
<t>A mechanism to dump and restore configurations is a primitive
operation needed by operators. Standards for pulling and pushing
configurations from/to devices are desirable.</t>
<t>Given configuration A and configuration B, it should be possible to
generate the operations necessary to get from A to B with minimal
state changes and effects on network and systems. It is important to
minimize the impact caused by configuration changes.</t>
<t>A protocol designer should consider the configurable items that
exist for the control of function via the protocol elements described
in the protocol specification. For example, sometimes the protocol
requires that timers can be configured by the operator to ensure
specific policy-based behavior by the implementation. These timers
should have default values suggested in the protocol specification and
may not need to be otherwise configurable.</t>
<section title="Verifying Correct Operation">
<t>An important function that should be provided is guidance on how
to verify the correct operation of a protocol. A protocol designer
could suggest techniques for testing the impact of the protocol on
the network before it is deployed, and techniques for testing the
effect that the protocol has had on the network after being
deployed.</t>
<t>Protocol designers should consider how to test the correct
end-to-end operation of the network or service, and how to verify
the correct functioning of the protocol, whether it is the data or
forwarding plane function of each network element, or the function
of service. This may be achieved through status and statistical
information gathered from devices.</t>
</section>
</section>
<section anchor="acctmgmt" title="Accounting Management">
<t>A protocol designer should consider whether it would be appropriate
to collect usage information related to this protocol, and if so, what
usage information would be appropriate to collect.</t>
<t><xref target="RFC2975">"Introduction to Accounting
Management"</xref> discusses a number of factors relevant to
monitoring usage of protocols for purposes of capacity and trend
analysis, cost allocation, auditing, and billing. The document also
discusses how some existing protocols can be used for these purposes.
These factors should be considered when designing a protocol whose
usage might need to be monitored, or when recommending a protocol to
do usage accounting.</t>
</section>
<section anchor="perfmgmt" title="Performance Management">
<t>From a manageability point of view it is important to determine how
well a network deploying the protocol or technology defined in the
document is doing. In order to do this the network operators need to
consider information that would be useful to determine the performance
characteristics of a deployed system using the target protocol.</t>
<t>The IETF, via the Benchmarking Methodology WG (BMWG), has defined
recommendations for the measurement of the performance characteristics
of various internetworking technologies in a laboratory environment,
including the systems or services that are built from these
technologies. Each benchmarking recommendation describes the class of
equipment, system, or service being addressed; discuss the performance
characteristics that are pertinent to that class; clearly identify a
set of metrics that aid in the description of those characteristics;
specify the methodologies required to collect said metrics; and
lastly, present the requirements for the common, unambiguous reporting
of benchmarking results. Search for "benchmark" in the RFC search
tool.</t>
<t>Performance metrics may be useful in multiple environments, and for
different protocols. The IETF, via the IP Performance Monitoring
(IPPM) WG, has developed a set of standard metrics that can be applied
to the quality, performance, and reliability of Internet data delivery
services. These metrics are designed such that they can be performed
by network operators, end users, or independent testing groups. The
existing metrics might be applicable to the new protocol. Search for
"metric" in the RFC search tool. In some cases, new metrics need to be
defined. It would be useful if the protocol documentation identified
the need for such new metrics. For performance monitoring, it is often
important to report the time spent in a state rather than the current
state. Snapshots are of less value for performance monitoring.</t>
<t>There are several parts to performance management to be considered:
protocol monitoring, device monitoring (the impact of the new
protocol/service activation on the device), network monitoring, and
service monitoring (the impact of service activation on the
network).</t>
<section title="Monitoring the Protocol">
<t>Certain properties of protocols are useful to monitor. The number
of protocol packets received, the number of packets sent, and the
number of packets dropped are usually very helpful to operators.</t>
<t>Packet drops should be reflected in counter variable(s) somewhere
that can be inspected - both from the security point of view and
from the troubleshooting point of view.</t>
<t>Counter definitions should be unambiguous about what is included
in the count, and what is not included in the count.</t>
<t>Consider the expected behaviors for counters - what is a
reasonable maximum value for expected usage? Should they stop
counting at the maximum value and retain the maximum value, or
should they rollover? How can users determine if a rollover has
occurred, and how can users determine if more than one rollover has
occurred?</t>
<t>Consider whether multiple management applications will share a
counter; if so, then no one management application should be allowed
to reset the value to zero since this will impact other
applications.</t>
<t>Could events, such as hot-swapping a blade in a chassis, cause
discontinuities in counter? Does this make any difference in
evaluating the performance of a protocol?</t>
<t>The protocol document should make clear the limitations implicit
within the protocol and the behavior when limits are exceeded. This
should be considered in a data-modeling independent manner - what
makes managed-protocol sense, not what makes
management-protocol-sense. If constraints are not
managed-protocol-dependent, then it should be left for the
management-protocol data modelers to decide. For example, VLAN
identifiers have a range of 1..4095 because of the VLAN standards. A
MIB implementing a VLAN table should be able to support 4096 entries
because the content being modeled requires it.</t>
</section>
<section title="Monitoring the Device">
<t>Consider whether device performance will be affected by the
number of protocol entities being instantiated on the device.
Designers of an information model should include information,
accessible at runtime, about the maximum number of instances an
implementation can support, the current number of instances, and the
expected behavior when the current instances exceed the capacity of
the implementation or the capacity of the device.</t>
<t>Designers of an information model should model information,
accessible at runtime, about the maximum number of protocol entity
instances an implementation can support on a device, the current
number of instances, and the expected behavior when the current
instances exceed the capacity of the device.</t>
</section>
<section title="Monitoring the Network">
<t>Consider whether network performance will be affected by the
number of protocol entities being deployed.</t>
<t>Consider the capability of determining the operational activity,
such as the number of messages in and the messages out, the number
of received messages rejected due to format problems, the expected
behaviors when a malformed message is received.</t>
<t>What are the principal performance factors that need to be looked
at when measuring the operational performance of the network built
using the protocol? Is it important to measure setup times?
end-to-end connectivity? hop-to-hop connectivity? network
throughput?</t>
</section>
<section title="Monitoring the Service">
<t>What are the principal performance factors that need to be looked
at when measuring the performance of a service using the protocol?
Is it important to measure application-specific throughput?
client-server associations? end-to-end application quality? service
interruptions? user experience?</t>
</section>
</section>
<section anchor="secmgmt" title="Security Management">
<t>Protocol designers should consider how to monitor and to manage
security aspects and vulnerabilities of the new protocol.</t>
<t>There will be security considerations related to the new protocol.
To make it possible for operators to be aware of security-related
events, it is recommended that system logs should record events, such
as failed logins, but the logs must be secured.</t>
<t>Should a system automatically notify operators of every event
occurrence, or should an operator-defined threshold control when a
notification is sent to an operator?</t>
<t>Should certain statistics be collected about the operation of the
new protocol that might be useful for detecting attacks, such as the
receipt of malformed messages, or messages out of order, or messages
with invalid timestamps? If such statistics are collected, is it
important to count them separately for each sender to help identify
the source of attacks?</t>
<t>Manageability considerations that are security-oriented might
include discussion of the security implications when no monitoring is
in place, the regulatory implications of absence of audit-trail or
logs in enterprises, exceeding the capacity of logs, and security
exposures present in chosen / recommended management mechanisms.</t>
<t>Consider security threats that may be introduced by management
operations. For example CAPWAP breaks the structure of monolithic
Access Points (AP) into Access Controllers and Wireless Termination
Points (WTP). By using a management interface, internal information
that was previously not accessible is now exposed over the network and
to management applications and may become a source of potential
security threats.</t>
<t>The granularity of access control needed on management interfaces
needs to match operational needs. Typical requirements are a
role-based access control model and the principle of least privilege,
where a user can be given only the minimum access necessary to perform
a required task.</t>
<t>Some operators wish to do consistency checks of access control
lists across devices. Protocol designers should consider information
models to promote comparisons across devices and across vendors to
permit checking the consistency of security configurations.</t>
<t>Protocol designers should consider how to provide a secure
transport, authentication, identity, and access control which
integrates well with existing key and credential management
infrastructure. It is a good idea to start with defining the threat
model for the protocol, and from that deducing what is required.</t>
<t>Protocol designers should consider how access control lists are
maintained and updated.</t>
<t>Standard SNMP notifications or SYSLOG messages <xref
target="RFC5424"></xref> might already exist, or can be defined, to
alert operators to the conditions identified in the security
considerations for the new protocol. For example, you can log all the
commands entered by the operator using syslog (giving you some degree
of audit trail), or you can see who has logged on/off using SSH from
where, failed SSH logins can be logged using syslog, etc.</t>
<t>An analysis of existing counters might help operators recognize the
conditions identified in the security considerations for the new
protocol before they can impact the network.</t>
<!--
<t>RADIUS and DIAMETER can provide authentication and authorization. A
protocol designer should consider which attributes would be
appropriate for their protocol.</t>
removed in response to comment from Adrian: This paragraph is apropos of what? What are you trying to tell me?
Should I run my management using Radius? Should I try to build
Diameter into my new protocol?
-->
<t>Different management protocols use different assumptions about
message security and data access controls. A protocol designer that
recommends using different protocols should consider how security will
be applied in a balanced manner across multiple management interfaces.
SNMP authority levels and policy are data-oriented, while CLI
authority levels and policy are usually command (task) oriented.
Depending on the management function, sometimes data-oriented or
task-oriented approaches make more sense. Protocol designers should
consider both data-oriented and task-oriented authority levels and
policy.</t>
</section>
</section>
<section title="Documentation Guidelines">
<t>This document is focused on what to think about, and how to document
the considerations of the protocol designer.</t>
<section title="Recommended Discussions">
<t>A Manageability Considerations section should include discussion of
the management and operations topics raised in this document, and when
one or more of these topics is not relevant, it would be useful to
contain a simple statement explaining why the topic is not relevant
for the new protocol. Of course, additional relevant topics should be
included as well.</t>
<t>Existing protocols and data models can provide the management
functions identified in the previous section. Protocol designers
should consider how using existing protocols and data models might
impact network operations.</t>
</section>
<section title="Null Manageability Considerations Sections">
<t>A protocol designer may seriously consider the manageability
requirements of a new protocol, and determine that no management
functionality is needed by the new protocol. It would be helpful to
those who may update or write extensions to the protocol in the future
or to those deploying the new protocol to know the thinking of the
working regarding the manageability of the protocol at the time of its
design.</t>
<t>If there are no new manageability or deployment considerations, it
is recommended that a Manageability Considerations section contain a
simple statement such as "There are no new manageability requirements
introduced by this document," and a brief explanation of why that is
the case. The presence of such a Manageability Considerations section
would indicate to the reader that due consideration has been given to
manageability and operations.</t>
<t>In the case where the new protocol is an extension, and the base
protocol discusses all the relevant operational and manageability
considerations, it would be helpful to point out the considerations
section in the base document.</t>
</section>
<section title="Placement of Operations and Manageability Considerations Sections ">
<t>If a protocol designer develops a Manageability Considerations
section for a new protocol, it is recommended that the section be
placed immediately before the Security Considerations section.
Reviewers interested in such sections could find it easily, and this
placement could simplify the development of tools to detect the
presence of such a section.</t>
</section>
</section>
<section title="IANA Considerations">
<t>This document does not introduce any new codepoints or name spaces
for registration with IANA.</t>
<t>Note to RFC Editor: this section may be removed on publication as an
RFC.</t>
</section>
<section title="Security Considerations">
<t>This document is informational and provides guidelines for
considering manageability and operations. It introduces no new security
concerns.</t>
<t>The provision of a management portal to a network device provides a
doorway through which an attack on the device may be launched. Making
the protocol under development be manageable through a management
protocol creates a vulnerability to a new source of attacks. Only
management protocols with adequate security apparatus, such as
authentication, message integrity checking, and authorization should be
used.</t>
<t>A standard description of the manageable knobs and whistles on a
protocol makes it easier for an attacker to understand what they may try
to control and how to tweak it.</t>
<t>A well-designed protocol is usually more stable and secure. A
protocol that can be managed and inspected offers the operator a better
chance of spotting and quarantining any attacks. Conversely making a
protocol easy to inspect is a risk if the wrong person inspects it.</t>
<t>If security events cause logs and or notifications/alerts, a
concerted attack might be able to be mounted by causing an excess of
these events. In other words, the security management mechanisms could
constitute a security vulnerability. The management of security aspects
is important (see <xref target="secmgmt"></xref>).</t>
</section>
<section title="Acknowledgements">
<t>This document started from an earlier document edited by Adrian
Farrel, which itself was based on work exploring the need for
Manageability Considerations sections in all Internet-Drafts produced
within the Routing Area of the IETF. That earlier work was produced by
Avri Doria, Loa Andersson, and Adrian Farrel, with valuable feedback
provided by Pekka Savola and Bert Wijnen.</t>
<t>Some of the discussion about designing for manageability came from
private discussions between Dan Romascanu, Bert Wijnen, Juergen
Schoenwaelder, Andy Bierman, and David Harrington.</t>
<t>Thanks to reviewers who helped fashion this document, including
Harald Alvestrand, Ron Bonica, Brian Carpenter, Benoit Claise, Adrian
Farrell, David Kessens, Dan Romascanu, Pekka Savola, Juergen
Schoenwaelder, Bert Wijnen, Ralf Wolter, and Lixia Zhang.</t>
</section>
</middle>
<back>
<references title="Informative References">
&rfc5321;
&rfc1034;
&rfc1052;
&rfc1958;
&rfc2113;
&rfc2119;
&rfc2205;
&rfc2439;
&rfc2578;
&rfc2711;
&rfc2865;
&rfc2975;
&rfc3060;
&rfc3084;
&rfc3139;
&rfc3198;
&rfc3290;
&rfc3410;
&rfc3444;
&rfc3460;
&rfc3535;
&rfc3585;
&rfc3588;
&rfc3644;
&rfc3670;
&rfc3805;
&rfc4741;
&rfc5101;
&rfc5424;
&W3C.REC-xmlschema-0-20010502;
</references>
<section title="Operations and Management Review Checklist">
<!-- start of checklist -->
<t>This appendix provides a quick checklist of issues that protocol
designers should expect operations and management expert reviewers to
look for when reviewing a document being proposed for consideration as a
protocol standard.</t>
<section title="Operational Considerations">
<t>Has deployment been discussed? see <xref target="opsmodel"></xref>
<list>
<t>Does the document include a description of how this protocol or
technology is going to be deployed and managed?</t>
<t>Is the proposed specification deployable? If not, how could it
be improved?</t>
<t>Does the solution scale well from the operational and
management perspective? Does the proposed approach have any
scaling issues that could affect usability for large scale
operation?</t>
<t>Are there any coexistence issues?</t>
</list></t>
<t>Has installation and initial setup been discussed? see <xref
target="opsinstall"></xref> <list>
<t>Is the solution sufficiently configurable?</t>
<t>Are configuration parameters clearly identified?</t>
<t>Are configuration parameters normalized?</t>
<t>Does each configuration parameter have a reasonable default
value?</t>
<t>Will configuration be pushed to a device by a configuration
manager, or pulled by a device from a configuration server?</t>
<t>How will the devices and managers find and authenticate each
other?</t>
</list></t>
<t>Has the migration path been discussed? see <xref
target="opsmig"></xref> <list>
<t>Are there any backward compatibility issues?</t>
</list></t>
<t>Have the Requirements on Other Protocols and Functional Components
been discussed? see <xref target="opsdep"></xref>. <list>
<t>What protocol operations are expected to be performed relative
to the new protocol or technology, and what protocols and data
models are expected to be in place or recommended to ensure for
interoperable management?</t>
</list></t>
<t>Has the Impact on Network Operation been discussed? see <xref
target="opsimpact"></xref> <list>
<t>Will the new protocol significantly increase traffic load on
existing networks?</t>
<t>Will the proposed management for the new protocol significantly
increase traffic load on existing networks?</t>
<t>How will the new protocol impact the behavior of other
protocols in the network? Will it impact performance (e.g. jitter)
of certain types of applications running in the same network?</t>
<t>Does the new protocol need supporting services (e.g. DNS or
AAA) added to an existing network?</t>
</list></t>
<t>Have suggestions for verifying correct operation been discussed?
see <xref target="opsverify"></xref> <list>
<t>How can one test end-to-end connectivity and throughput?</t>
<t>Which metrics are of interest?</t>
<t>Will testing have an impact on the protocol or the network?</t>
</list></t>
<t>Has management interoperability been discussed? see <xref
target="intermgmt"></xref> <list>
<t>Is a standard protocol needed for interoperable management?</t>
<t>Is a standard information or data model needed to make
properties comparable across devices from different vendors?</t>
</list></t>
<t>Are there fault or threshold conditions that should be reported?
see <xref target="faultmgmt"></xref> <list>
<t>Does specific management information have time utility?</t>
<t>Should the information be reported by notifications? polling?
event-driven polling?</t>
<t>Is notification throttling discussed?</t>
<t>Is there support for saving state that could be used for
root-cause analysis?</t>
</list></t>
<t>Is configuration discussed? see <xref target="confmgmt"></xref>
<list>
<t>Are configuration defaults, and default modes of operation
considered?</t>
<t>Is there discussion of what information should be preserved
across reboots of the device or the management system? Can devices
realistically preserve this information through hard reboots where
physical configuration might change (e.g. cards might be swapped
while a chassis is powered down)?</t>
<t></t>
</list></t>
</section>
<!-- /Operational Consierations -->
<section title="Management Considerations">
<t>Do you anticipate any manageability issues with the
specification?</t>
<t><list>
<t>Is Management interoperability discussed? see <xref
target="intermgmt"></xref> <list>
<t>Will it use centralized or distributed management?</t>
<t>Will it require remote and/or local management
applications?</t>
<t>Are textual or graphical user interfaces required?</t>
<t>Is textual or binary format for management information
preferred?</t>
</list></t>
<!-- /4.1 -->
<t>Is Management Information discussed? see <xref
target="datamgmt"></xref> <list>
<t>What is the minimal set of management (configuration,
faults, performance monitoring) objects that need to be
instrumented in order to manage the new protocol?</t>
</list></t>
<!-- /4.2 -->
<t>Is Fault Management discussed? see <xref
target="faultmgmt"></xref> <list>
<t>Is Liveness Detection and Monitoring discussed?</t>
<t>Does the solution have failure modes that are difficult to
diagnose or correct? Are faults and alarms reported and
logged?</t>
<t></t>
</list></t>
<!-- /4.3 -->
<t>Is Configuration Management discussed? see <xref
target="confmgmt"></xref> <list>
<t>Is protocol state information exposed to the user? How? are
significant state transitions logged?</t>
<t></t>
</list></t>
<!-- /4.4 -->
<t>Is Accounting Management discussed? see <xref
target="acctmgmt"></xref> <list>
<t></t>
</list></t>
<!-- /4.5 -->
<t>Is Performance Management discussed? see <xref
target="perfmgmt"></xref> <list>
<t>Does the protocol have an impact on network traffic and
network devices? Can performance be measured?</t>
<t>Is protocol performance information exposed to the
user?</t>
</list></t>
<!-- /4.6 -->
<t>Is Security Management discussed? see <xref
target="secmgmt"></xref> <list>
<t>Does the specification discuss how to manage aspects of
security, such as access controls, managing key distribution,
etc.</t>
<t></t>
</list></t>
<!-- /4.7 -->
</list></t>
</section>
<!-- /management considerations -->
<section title="Documentation">
<t>Is an operational considerations and/or manageability section part
of the document?</t>
<t>Does the proposed protocol have a significant operational impact on
the Internet?</t>
<t>Is there proof of implementation and/or operational experience?</t>
</section>
</section>
<!--
***************************** end of checklist *****************************
-->
</back>
</rfc>| PAFTECH AB 2003-2026 | 2026-04-23 03:52:15 |