Network Working Group                                      D. Harrington
Internet-Draft                                   Huawei Technologies USA
Intended status: BCP                                       July 14, 2008
Expires: January 15, 2009


 Guidelines for Considering Operations and Management of New Protocols
             draft-ietf-opsawg-operations-and-management-04

Status of This Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 15, 2009.

Abstract

   New protocols or protocol extensions are best designed with due
   consideration of functionality needed to operate and manage the
   protocol.  Retrofitting operations and management is sub-optimal.
   The purpose of this document is to provide guidance to authors and
   reviewers of documents defining new protocols or protocol extensions,
   covering aspects of operations and management that should be
   considered.








Harrington              Expires January 15, 2009                [Page 1]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Design for Operations and Management . . . . . . . . . . . . .  4
     2.1.  IETF Management Framework  . . . . . . . . . . . . . . . .  4
   3.  Operational Considerations . . . . . . . . . . . . . . . . . .  5
     3.1.  Operations Model . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Installation and Initial Setup . . . . . . . . . . . . . .  7
     3.3.  Migration Path . . . . . . . . . . . . . . . . . . . . . .  8
     3.4.  Requirements on Other Protocols and Functional
           Components . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.5.  Impact on Network Operation  . . . . . . . . . . . . . . .  9
     3.6.  Verifying Correct Operation  . . . . . . . . . . . . . . . 10
   4.  Management Considerations  . . . . . . . . . . . . . . . . . . 10
     4.1.  Interoperability . . . . . . . . . . . . . . . . . . . . . 11
     4.2.  Management Information . . . . . . . . . . . . . . . . . . 13
     4.3.  Fault Management . . . . . . . . . . . . . . . . . . . . . 14
       4.3.1.  Liveness Detection and Monitoring  . . . . . . . . . . 15
       4.3.2.  Fault Determination  . . . . . . . . . . . . . . . . . 15
       4.3.3.  Fault Isolation  . . . . . . . . . . . . . . . . . . . 16
       4.3.4.  Corrective Action  . . . . . . . . . . . . . . . . . . 16
     4.4.  Configuration Management . . . . . . . . . . . . . . . . . 16
       4.4.1.  Verifying Correct Operation  . . . . . . . . . . . . . 18
       4.4.2.  Control of Function and Policy . . . . . . . . . . . . 18
     4.5.  Accounting Management  . . . . . . . . . . . . . . . . . . 18
     4.6.  Performance Management . . . . . . . . . . . . . . . . . . 19
     4.7.  Security Management  . . . . . . . . . . . . . . . . . . . 20
   5.  Documentation Guidelines . . . . . . . . . . . . . . . . . . . 22
     5.1.  Recommended Discussions  . . . . . . . . . . . . . . . . . 22
     5.2.  Null Manageability Considerations Sections . . . . . . . . 23
     5.3.  Placement of Operations and Manageability
           Considerations Sections  . . . . . . . . . . . . . . . . . 23
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 23
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 23
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
   9.  Informative References . . . . . . . . . . . . . . . . . . . . 24
   Appendix A.  Review Checklist  . . . . . . . . . . . . . . . . . . 26
     A.1.  General Document Checklist . . . . . . . . . . . . . . . . 27
     A.2.  Operations and Management Checklist  . . . . . . . . . . . 27
   Appendix B.  Open Issues . . . . . . . . . . . . . . . . . . . . . 28
   Appendix C.  DISCUSSES that have yet to be discussed . . . . . . . 28
   Appendix D.  Change Log  . . . . . . . . . . . . . . . . . . . . . 31








Harrington              Expires January 15, 2009                [Page 2]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


1.  Introduction

   Often when new protocols or protocol extensions are developed, not
   enough consideration is given to how the protocol will be deployed,
   operated and managed.  Retrofitting operations and management
   mechanisms is often hard and architecturally unpleasant, and certain
   protocol design choices may make deployment, operations, and
   management particularly hard.  Since the ease of operations and
   management may impact the success of IETF protocols, this document
   provides guidelines to help protocol designers and working groups
   consider the operations and management functionality needed by their
   new IETF protocol or protocol extension at an earlier phase.

   This document suggests protocol designers to consider operations and
   management needs and then recommend appropriate standard management
   protocols and data models to address the relevant operations and
   management needs.  This is similar to a WG considering which security
   threats are relevant to their protocol, and then recommending
   appropriate standard security protocols to mitigate the relevant
   threats.

   This document discusses the importance of considering operations and
   management.  Section 1 introduces the subject and section 2 describes
   the IETF Management Framework.  Section 3 discusses operational
   functionality to consider.  Section 4 discusses management
   functionality to consider.

   This document sets forth a list of subjective guidelines and a list
   of objective criteria by which a protocol designer can evaluate
   whether the protocol that he/she has developed addresses common
   operations and management needs.  Operations and management is highly
   dependent on the environment in which it is used, so most guidelines
   are subjective rather than objective.

   We provide some objective criteria to promote interoperability
   through the use of standard management interfaces, such as "did you
   design counters in a MIB module for monitoring packets in/out of an
   interface?"  [RFC2863], "did you write an XML-based data model for
   configuring your protocol with Netconf?"  [RFC4741], and "did you
   standardize syslog message content and structured data elements for
   reporting events that might occur when operating your protocol?"
   [I-D.ietf-syslog-protocol] and "did you consider appropriate
   notifications in case of failure situations??

   This document only provides guidelines; it does not specify how the
   guidelines provided should be used within the IETF.





Harrington              Expires January 15, 2009                [Page 3]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


1.1.  Terminology

   This document deliberately does not use the (capitalized) key words
   described in RFC 2119 [RFC2119].  RFC 2119 states the keywords must
   only be used where it is actually required for interoperation or to
   limit behavior which has potential for causing harm (e.g., limiting
   retransmissions).  For example, they must not be used to try to
   impose a particular method on implementers where the method is not
   required for interoperability.  This document is a set of guidelines
   based on current practices of protocol designers and operators.  This
   document does not describe requirements, so the key words from
   RFC2119 have no place here.

   o  "new protocol" includes new protocols, protocol extensions, data
      models, or other functionality being designed.

   o  "protocol designer" represents individuals and working groups
      involved in the development of new protocols.

   o  [DISCUSS] markers indicate a lack of consensus on what should be
      written.

   o  [TODO] markers indicate the editor has a reasonable understanding
      of what needs to be (re-)written.  Contributions of text would be
      welcome.

   o  Note to RFC Editor - All [DISCUSS] or [TODO] marks should be
      resolved before RFC publication.  If any still exist, including in
      the Terminology section, then please return the document to the
      editor for resolution.

2.  Design for Operations and Management

   "Design for operations and management" means that the operational
   environment and manageability of the protocol should be considered
   from the start when new protocols are designed.

   When a WG considers operation and management functionality for a
   protocol, the document should contain enough information to
   understand how the protocol will be deployed and managed, but the WG
   should expect that considerations for operations and management may
   need to be updated in the future, after further operational
   experience has been gained.

2.1.  IETF Management Framework

   For years the IETF has stressed the use of the IETF Standard
   Management Framework and SMI MIB modules [RFC2578] for managing new



Harrington              Expires January 15, 2009                [Page 4]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   protocols.  The IETF designed the Standard Management Framework and
   SMI MIB modules to permit multiple protocols to utilize the MIB data
   [RFC1052], but it became a common misunderstanding that a MIB module
   could only be used with the SNMP protocol (described in [RFC3410] and
   associated documents).

   In 2001, OPS Area design teams were created to document requirements
   related to configuration of IP-based networks.  One output was
   "Requirements for Configuration Management of IP-based Networks"
   [RFC3139].

   In 2003, the Internet Architecture Board (IAB) held a workshop on
   Network Management [RFC3535] that discussed the strengths and
   weaknesses of some IETF network management protocols, and compared
   them to operational needs, especially configuration.

   One factor discussed was the user-unfriendliness of the binary format
   of SNMP and COPS-PR [RFC3084], and it was recommended that the IETF
   explore an XML-based Structure of Management Information, and an XML-
   based protocol for configuration.

   Another factor discussed was that deployed tools for event/alarm
   correlation, root cause analysis and logging are not sufficient, and
   there is a need to support a human interface and a programmatic
   interface.  The IETF decided to standardize aspects of the de facto
   standard for system logging, especially security and the need for
   better programmatic support.

   In 2006, the IETF discussed whether the Management Framework should
   be updated to accommodate multiple IETF standard SMI languages, and
   multiple IETF standard protocols for doing network management.

   This document provides some initial guidelines for considering
   operations and management in an IETF Management Framework that
   consists of multiple protocols and multiple data models, with an eye
   toward being flexible while also striving for interoperability.

3.  Operational Considerations

   Designers of a new protocol should carefully consider the operational
   aspects.  A protocol that is defined very precisely in a well-written
   document does not guarantee that it is going to be deployable in the
   real world.  Operational aspects will have a serious impact on the
   actual success of a protocol.  Such aspects include bad interactions
   with existing solutions, a difficult upgrade path, difficulty of
   debugging problems, difficulty configuring from a central database,
   or a complicated state diagram that operations staff will find
   difficult to understand



Harrington              Expires January 15, 2009                [Page 5]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   BGP flap damping [RFC2439] is an example.  It was designed to block
   high frequency route flaps, however the design did not consider the
   existence of BGP path exploration/slow convergence.  In real
   operations, people observed the loss of reach-ability due to false
   flap damping that are caused by path exploration.  As a result, most
   places turned flap damping off.  RIPE even issued official
   recommendation for turning it off.

   [DISCUSS: examples, list of current protocols characteristics and
   their impact on the network. e.g., burst traffic impact on network
   congestion.]

   IPFIX contains congestion awareness enhancements for controlling the
   impact of the protocol on the network.

3.1.  Operations Model

   Protocol designers can analyze the operational environment and mode
   of work in which the new protocol or extension will work.  Such an
   exercise needs not be reflected directly by text in their document,
   but could help in visualizing the operational model related to the
   applicability of the protocol in the Internet environments where it
   will be deployed.  The operational model should take into account
   factors such as:

   o  what type of management entities will be involved (agents, network
      management systems)?

   o  what is the possible architecture (client-server, manager-agent,
      polling-driven or event-driven, autoconfiguration, two levels or
      hierarchical)?

   o  what are the management operations - initial configuration,
      dynamic configuration, alarms and exceptions reporting, logging,
      performance monitoring, performance reporting, debugging?

   o  how are these operations performed - locally, remotely, atomic
      operation, scripts?  Are they performed immediately or time
      scheduled or event triggered?

   o  what are the typical user interfaces - Command line (CLI) or
      graphical user interface (GUI)?

   Protocol designers should consider how the new protocol will be
   managed in different deployment scales.  It might be sensible to use
   a local management interface to manage the new protocol on a single
   device, but in a large network, remote management using a centralized
   server and/or using distributed management functionality might make



Harrington              Expires January 15, 2009                [Page 6]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   more sense.  Auto-configuration and default parameters might be
   possible for some new protocols.

   There may be a need to support a human interface, e.g., for
   troubleshooting, and a programmatic interface, e.g., for automated
   monitoring and root cause analysis.  It might be important that the
   internal method routines used by the application programming
   interfaces and the human interfaces should be the same to ensure that
   data exchanged between these two interfaces is always consistent.
   Mixing methods leads to inconsistency, so identifying consistent
   methods of retrieving information is relevant.  [DISCUSS: would the
   example of inconsistency between MIB counters that cannot be reset
   and CLI counters that can be rest be useful here?]

   Protocol designers should consider what management operations are
   expected to be performed as a result of the deployment of the
   protocol - such as whether write operations will be allowed on
   routers and on hosts, or if notifications for alarms or other events
   will be expected.

3.2.  Installation and Initial Setup

   Protocol designers should consider default values that make sense
   from the protocol objectives, so as to simplify configuration,
   including default modes and parameters.  For example, it could be
   helpful or necessary to specify default values for modes, timers,
   default state of logical control variables, default transports, and
   so on.  Even if default values are used, it must be possible to
   retrieve all the actual values or at least an indication that known
   default values are being used.

   Protocol designers should consider how to enable operators to
   concentrate on the configuration of the network as a whole rather
   than individual devices.

   It is desirable to discuss the background of chosen default values,
   or perhaps why a range of values makes sense.  In many cases, when
   technology changes, the values in an RFC might make less and less
   sense.  It is very useful to understand whether defaults are based on
   best current practice and are expected to change as technologies
   advance or whether they have a more universal value that should not
   be changed lightly.  For example, the default interface speed might
   be expected to change over time due to increased speeds in the
   network, and cryptographical algorithms might be expected to change
   over time as older algoithms are "broken".






Harrington              Expires January 15, 2009                [Page 7]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


      it is extremely important to set a sensible default value for all
      parameters

      the default value should stay on the conservative side rather than
      on the "optimizing performance" side. (example: the initial RTT
      and RTTvar values of a TCP connection)

      for those parameters that are speed-dependent, instead of using a
      constant, try to set the default value as a function of the link
      speed or some other relevant factors.  This would help reduce the
      chance of technology-advancement causing problems.

3.3.  Migration Path

   If the new protocol is a new version of an existing protocol, or is
   replacing another technology, the protocol designer should consider
   how deployments should transition to the new protocol.  This should
   include co-existence with previously deployed protocols and/or
   previous versions of the same protocol, incompatibilities between
   versions, translation between versions, and side effects that might
   occur.  Are older protocols or versions disabled or do they co-exist
   in the network with the new protocol?

   Another point to consider is extensibility of the management approach
   - How open to future protocol extensions are the management
   techniques you are defining?  [DISCUSS: this could use a good example
   of when a protocol designer should consider future extensions to the
   management.  Are we talking about writing extensible data models? ]

3.4.  Requirements on Other Protocols and Functional Components

   Protocol designers should consider the requirements that the new
   protocol might put on other protocols and functional components, and
   should also document the requirements from other protocols that have
   been considered in designing the new protocol.

   These considerations should generally remain illustrative to avoid
   creating restrictions or dependencies, or potentially impacting the
   behavior of existing protocols, or restricting the extensibility of
   other protocols, or assuming other protocols will not be extended in
   certain ways.

   For example, when RSVP [RFC2205] was designed, each router looked at
   the RSVP PATH message, and if the router understood RSVP, it would
   adds its own address to the message to enable automatically tunneling
   thru non-RSVP routers.  But in reality routers cannot look at an
   otherwise normal IP packet, and potentially take it off the fast
   path!  The initial designers overlooked that a new requirement was



Harrington              Expires January 15, 2009                [Page 8]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   being put on the functional components of a router.  The "router
   alert" option was finally developed to solve this problem for RSVP
   and other protocols that require the router take some packets off the
   fast forwarding path.

3.5.  Impact on Network Operation

   The introduction of a new protocol or extensions to an existing
   protocol may have an impact on the operation of existing networks.
   Protocol designers should outline such impacts (which may be
   positive) including scaling concerns and interactions with other
   protocols.  For example, a new protocol that doubles the number of
   active, reachable addresses in use within a network might need to be
   considered in the light of the impact on the scalability of the IGPs
   operating within the network.

   A protocol could send active monitoring packets on the wire.  If we
   don't pay attention, we might get very good accuracy, but at the cost
   of using all the available bandwidth.

   The protocol designer should consider the potential impact on the
   behavior of other protocols in the network and on the traffic levels
   and traffic patterns that might change, including specific types of
   traffic such as multicast.  Also consider the need to install new
   components that are added to the network as result of the changes in
   the operational model, such as servers performing auto-configuration
   operations.

   The protocol designer should consider also the impact on
   infrastructure applications like the DNS [RFC1034], registries, or
   the size of routing tables.  For example, SMTP [RFC2821] servers use
   a reverse DNS lookup to filter out incoming connection requests.
   When Berkeley installed a new spam filter, their mail server stopped
   functioning because of the DNS cache resolver overload.

   The impact on performance may also be noted - increased delay or
   jitter in real-time traffic applications, or response time in client-
   server applications when encryption or filtering are applied.

   It must be easy to do consistency checks of versions/revisions of
   configurations over time.  People tend to be lazy and change
   configuration on routers but not update the database.  A system
   better mandate database-driven configuration to reduce configuration
   errors/ inconsistencies.  [DISCUSS: is this paragraph really about
   protocol design for operability or about operational practice?  If
   this stays, it probably needs a bit more discussion on database
   driven configurations, and how protocol design would be impacted by
   the expectation of database-driven configuration. ]



Harrington              Expires January 15, 2009                [Page 9]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   It must be easy to do consistency checks of configurations between
   the ends of a link in order to determine the differences between two
   configurations and whether the configurations are consistent.
   [DISCUSS: this needs rewording to better describe consistency
   checking 1) over time, and 2) between ends of a link. probably needs
   a bit more discussion on the need to be able to understand and check
   what it is happening on the wire actually matches what the Operator
   tried to configure.  Basically, complexity is your enemy here, and
   that cannot be stressed often enough (no idea how you can verify
   whether for example a SIP application is actually doing what it is
   supposed to do due to the complexity).]

   It is important to minimize the impact caused by configuration
   changes.  Given configuration A and configuration B, it should be
   possible to generate the operations necessary to get from A to B with
   minimal state changes and effects on network and systems.

3.6.  Verifying Correct Operation

   The protocol designer should consider techniques for testing the
   effect that the protocol has had on the network by sending data
   through the network and observing its behavior (aka active
   monitoring).  Protocol designers should consider how the correct end-
   to-end operation of the new protocol in the network can be tested
   actively and passively, and how the correct data or forwarding plane
   function of each network element can be verified to be working
   properly with the new protocol.  Which metrics are of interest?

4.  Management Considerations

   The considerations of manageability should start from describing the
   operational model, which includes identifying the entities to be
   managed, how the respective protocol is supposed to be installed,
   configured and monitored, who are the managers and what type of
   management interfaces and protocols they would use.

   Considerations for management should include a discussion of what
   needs to be managed, and how to achieve various management tasks.
   The "write a MIB module" approach to considering management often
   focuses on monitoring a protocol endpoint on a single device.  A MIB
   module document typically only considers monitoring properties
   observable at one end, while the document does not really cover
   managing the *protocol* (the coordination of multiple ends), and does
   not even come near managing the *service* (which includes a lot of
   stuff that is very far away from the box).  This is exactly what
   operators hate - you need to be able to manage both ends.  As
   [RFC3535] says, MIB modules can often be characterized as a list of
   ingredients without a recipe.



Harrington              Expires January 15, 2009               [Page 10]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   Management needs to be considered not only from the perspective of a
   device, but also from the perspective of network and service
   management perspectives.  Often a network element is not aware of the
   service being delivered.

   [DISCUSS: Is a section on P2P vs. central management called for
   here?]

   WGs should consider how to configure multiple related/co-operating
   devices and how to back off if one of those configurations fails or
   causes trouble.  NETCONF addresses this in a generic manner by
   allowing an operator to lock the configuration on multiple devices,
   perform the configuration settings/changes, check that they are OK
   (undo if not) and then unlock the devices.

   Techniques for debugging protocol interactions in a network must be
   part of the network management discussion.  Implementation source
   code should be debugged before ever being added to a network, so
   asserts and memory dumps do not normally belong in management data
   models.  However, debugging on-the-wire interactions is a protocol
   issue: it is enormously helpful if a protocol has hooks to make
   debugging of network interactions easy, and/or is designed in such a
   way that debugging protocol behaviors is easy.  Hand-waving this away
   is not something that operators like ...

   In a client/server protocol, it may be more important to instrument
   the server end of a protocol than the client end.

4.1.  Interoperability

   Just as when deploying protocols that will inter-connect devices, our
   primary goal in considering management should be interoperability,
   whether across devices from different vendors, across models from the
   same vendor, or across different releases of the same product.

   Some product designers and protocol designers assume that if a device
   can be managed individually using a command line interface or a web
   page interface, that such a solution is enough.  But when equipment
   from multiple vendors is combined into a large network, scalability
   of management becomes a problem.  It is important to have consistency
   in the management interfaces so network-wide operational processes
   can be automated.  For example, a single switch might be easily
   managed using an interactive web interface when installed in a single
   office small business, but when, say, a fast food company installs
   similar switches from multiple vendors in hundreds or thousands of
   individual branches and wants to automate monitoring them from a
   central location, monitoring vendor-and-model-specific web pages
   would be difficult to automate.



Harrington              Expires January 15, 2009               [Page 11]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   Getting everybody to agree on a certain syntax and the protocol
   associated with that has proven to be difficult.  So management
   systems tend to speak whatever the boxes support, whether the IETF
   likes this or not.  The IETF is moving from support for a single
   management data modeling language (SMI [RFC2578]) and a single
   management protocol (SNMP [RFC3410]) towards support for additional
   management protocols and data models suited to different purposes,
   such as configuration (netconf [RFC4741]), usage accounting (IPFIX
   [RFC5105]), and logging (syslog [I-D.ietf-syslog-protocol])).  Other
   Standard Development Organizations (e.g.  DMTF, TMF) also define
   management mechanisms and these mechanisms may be more suitable than
   IETF mechanisms in some cases.

   Interoperability needs to be considered on the syntactic level and
   the semantic level.  While it can be irritating and time-consuming,
   application designers including operators who write their own scripts
   can make their processing conditional to accommodate differences
   across vendors or models or releases of product.

   Semantic differences are much harder to deal with on the manager side
   - once you have the data, its meaning is a function of the managed
   entity.  For example, if a single counter provided by vendor A counts
   three types of error conditions, while the corresponding counter
   provided by vendor B counts seven types of error conditions, these
   counters cannot be compared effectively - they are not interoperable
   counters.

   Information models are helpful to try to focus interoperability on
   the semantic level - they establish standards for what information
   should be gathered, and how gathered information might be used
   regardless of which management interface carries the data or which
   vendor produces the product.  The use of an information model might
   help improve the ability of operators to correlate messages in
   different protocols where the data overlaps, such as a SYSLOG message
   and an SNMP notification about the same event.  An information model
   might identify which error conditions should be counted separately,
   and which error conditions can be counted together in a single
   counter.  Then, whether the counter is gathered via SNMP or a CLI
   command or a SYSLOG message, the counter will have similar meaning.

   Protocol designers should consider which information might be useful
   for managing the new protocol or protocol extensions.









Harrington              Expires January 15, 2009               [Page 12]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


                IM                --> conceptual/abstract model
                 |                    for designers and operators
      +----------+---------+
      |          |         |
      DM        DM         DM     --> concrete/detailed model
                                      for implementers

   Information Models and Data Models

                                 Figure 1

   On the Difference between Information Models and Data Models
   [RFC3444] may be useful in determining what information to consider
   regarding information models, as compared to data models.

   Information models should come from the protocol WGs and include
   lists of events, counters and configuration parameters that are
   relevant.  There are a number of information models contained in
   protocol WG RFCs.  Some examples:

   o  [RFC3060] - Policy Core Information Model version 1

   o  [RFC3290] - An Informal Management Model for DiffServ Routers

   o  [RFC3460] - Policy Core Information Model Extensions

   o  [RFC3585] - IPsec Configuration Policy Information Model

   o  [RFC3644] - Policy Quality of Service Information Model

   o  [RFC3670] - Information Model for Describing Network Device QoS
      Datapath Mechanisms

   o  [RFC3805] - Printer MIB v2 (contains both an IM and a DM

   Management protocol standards and management data model standards
   often contain compliance clauses to ensure interoperability.
   Manageability considerations should include discussion of which level
   of compliance is expected to be supported for interoperability.

4.2.  Management Information

   A management information model should include a discussion of what is
   manageable, which aspects of the protocol need to be configured, what
   types of operations are allowed, what protocol-specific events might
   occur, which events can be counted, and for which events should an
   operator be notified.




Harrington              Expires January 15, 2009               [Page 13]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   Operators find it important to be able to make a clear distinction
   between configuration data, operational state, and statistics.  They
   need to determine which parameters were administrative configured and
   which parameters have changed since configuration as the result of
   mechanisms such as routing protocols.

   It is important to be able to separately fetch configuration data,
   operational state data, and statistics from devices, and to be able
   to compare current state to initial state, and to compare data
   between devices.

   What is typically difficult to work through are relationships between
   abstract objects.  Ideally an information model would describe the
   relationships between the objects and concepts in the information
   model.

   Is there always just one instance of this object or can there be
   multiple instances?  Does this object relate to exactly one other
   object or may it relate to multiple?  When is it possible to change a
   relationship?

   Do objects (such as rows in tables) share fate?  For example, if a
   row in table A must exist before a related row in table B can be
   created, what happens to the row in table B if the related row in
   table A is deleted?  Does the existence of relationships between
   objects have an impact on fate sharing?

4.3.  Fault Management

   The protocol designer should consider how faults information will be
   propagated.  Will it be done using asynchronous notifications or
   polling of health indicators?

   If notifications are used to alert operators to certain conditions,
   then the protocol designer should discuss mechanisms to throttle
   notifications to prevent congestion and duplications of event
   notifications.  Will there be a hierarchy of faults, and will the
   fault reporting be done by each fault in the hierarchy, or will only
   the lowest fault be reported and the higher levels be suppressed?
   should there be aggregated status indicators based on concatenation
   of propagated faults from a given domain or device?

   SNMP notifications and SYSLOG messages can alert an operator when an
   aspect of the new protocol fails or encounters an error or failure
   condition, and SNMP is frequently used as a heartbeat monitor.
   Should the event reporting be reliable?  [DISCUSS: what is reliable?]
   Can we poll the latest events in the box?




Harrington              Expires January 15, 2009               [Page 14]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


4.3.1.  Liveness Detection and Monitoring

   Liveness detection and monitoring applies both to the control plane
   and the data plane.  Mechanisms for detecting faults in the control
   plane or for monitoring its liveness are usually built into the
   control plane protocols or inherited from underlying data plane or
   forwarding plane protocols.  These mechanisms do not typically
   require additional management capabilities.  However, when a system
   detects a control plane fault, there is often a requirement to
   coordinate recovery action through management applications or at
   least to record the fact in an event log.  [DISCUSS: can somebody
   provide an example?]

   Where the protocol is responsible for establishing data or user plane
   connectivity, liveness detection and monitoring usually need to be
   achieved through other mechanisms.  In some cases, these mechanisms
   already exist within other protocols responsible for maintaining
   lower layer connectivity, but it will often be the case that new
   procedures are required to detect failures in the data path and to
   report rapidly, allowing remedial action to be taken.

   Protocol designers should always build in basic testing features
   (e.g.  ICMP echo, UDP/TCP echo service, NULL RPC calls) that can be
   used to test for liveness, with an option to enable and disable them.

4.3.2.  Fault Determination

   It can be helpful to describe how faults can be pinpointed using
   management information.  For example, counters might record instances
   of error conditions.  Some faults might be able to be pinpointed by
   comparing the outputs of one device and the inputs of another device
   looking for anomalies.

   [DISCUSS: Ralf: While this sounds good, how do you distinguish
   between faulty messages and good messages?  It might require complex
   functions such as deviation from normal, are you sure you want to
   implement those at the device level?]

   [DISCUSS: Well, deviation from normal is certainly an NMS tasks,
   while two neighbor interfaces could exchange simple fault counters in
   PERCENTAGES that would give the neighbor a hint about issues.  E.g.
   if CRC errors are greater than 1% of total traffic both the neighbor
   and the NMS could be notified to setup an alternative path/link, if
   possible.]







Harrington              Expires January 15, 2009               [Page 15]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


4.3.3.  Fault Isolation

   It might be useful to isolate faults, such as a system that emits
   malformed messages necessary to coordinate connections properly.
   Spanning tree comes to mind.  This might be able to be done by
   configuring next-hop devices to drop the faulty messages to prevent
   them from entering the rest of the network.

4.3.4.  Corrective Action

   What sort of corrective action can be taken by an operator for each
   of the fault conditions that are being identified?

   [DISCUSS: this should be expanded or eliminated.  If parallel paths
   exist between two neighbor devices they could be activated.  Not sure
   how much further we can take the idea of automated correction
   actions.]

   [DISCUSS: Somewhere in the fault management section, we should have
   pointers to some threshold-based mechanisms, such as RMON events/
   alarms or the EVENT-MIB, with the message that we don't need to have
   SNMP notifications for all events if we have the right counters that
   can be polled as needed.]

4.4.  Configuration Management

   RFC3139 [RFC3139] discusses requirements for configuration
   management.  This document includes discussion of different levels of
   management, including high-level-policies, network-wide configuration
   data, and device-local configuration.

   A number of efforts have existed in the IETF to develop policy-based
   management.  RFC3198 [RFC3198] was written to standardize the
   terminology for policy-based management across these efforts.

   It is highly desirable that text processing tools such as diff, and
   version management tools such as RCS or CVS or SVN, can be used to
   process configurations.  This approach simplifies comparing the
   current operational state to the initial configuration.

   With structured text such as XML, simple text diffs may be found to
   be inadequate and more sophisticated tools may be needed to make any
   useful comparison of versions.

   To simplify such configuration comparisons, devices should not
   arbitrarily reorder data such as access control lists.  If a protocol
   designer defines mechanisms for configuration, it would be desirable
   to standardize the order of elements for consistency of configuration



Harrington              Expires January 15, 2009               [Page 16]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   and of reporting across vendors, and across releases from vendors.

   [DISCUSS: Ralf: Well, there are two parts to it: 1.  An NMS system
   could optimize ACLs for performance reasons 2.  Unless the device/NMS
   systems has correct rules/a lot of experience, reordering ACLs can
   lead to a huge security issue, therefore I would rephrase this
   paragraph.]

   Network wide configurations are ideally stored in central master
   databases and transformed into formats that can be pushed to devices,
   either by generating sequences of CLI commands or complete
   configuration files that are pushed to devices.  There is no common
   database schema for network configuration, although the models used
   by various operators are probably very similar.  It is desirable to
   extract, document, and standardize the common parts of these network
   wide configuration database schemas.  A protocol designer should
   consider how to standardize the common parts of configuring the new
   protocol, while recognizing the vendors will likely have proprietary
   aspects of their configurations.

   It is important to distinguish between the distribution of
   configurations and the activation of a certain configuration.
   Devices should be able to hold multiple configurations.  NETCONF
   [RFC4741], for example, differentiates between the "running"
   configuration and "candidate" configurations.

   [DISCUSS: Also add: backup configurations, i.e. version n-1 and auto-
   fallback solutions that automatically return to the previous known
   good configuration or adding a backdoor for the operator.  One of the
   worst scenarios is remote device configuration where the new running
   configuration does not work as expected and unlocks the admin.
   Vendors may have ways to avoid unlocking the operator but this does
   not have to be vendor specific.]

   [DISCUSS: 1.  Describe the concept of a "Gold config" and updating it
   frequently 2.  Describe a "backdoor" undo strategy ]

   It is important to enable operators to concentrate on the
   configuration of the network as a whole rather than individual
   devices.  Support for configuration transactions across a number of
   devices would significantly simplify network configuration
   management.  The ability to distribute configurations to multiple
   devices, or modify "candidate configurations on multiple devices, and
   then activate them in a near-simultaneous manner might help.

   [DISCUSS: Ralf: This might be a good place for adding the description
   of configuration-templates.]




Harrington              Expires January 15, 2009               [Page 17]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   Consensus of the 2002 IAB Workshop was that textual configuration
   files should be able to contain international characters.  Human-
   readable strings should utilize UTF-8, and protocol elements should
   be in case insensitive ASCII.

   A mechanism to dump and restore configurations is a primitive
   operation needed by operators.  Standards for pulling and pushing
   configurations from/to devices are desirable.

   Given configuration A and configuration B, it should be possible to
   generate the operations necessary to get from A to B with minimal
   state changes and effects on network and systems.  It is important to
   minimize the impact caused by configuration changes.

   Many protocol specifications include timers that are used as part of
   operation of the protocol.  These timers may need default values
   suggested in the protocol specification and do not need to be
   otherwise configurable.  [DISCUSS: mention NTP?]

4.4.1.  Verifying Correct Operation

   An important function that should be provided is a tool set for
   verifying the correct operation of a protocol.  This may be achieved
   to some extent through access to information and data models that
   report the status of the protocol and the state installed on network
   devices.  It may also be valuable to provide techniques for testing
   the effect that the protocol has had on the network by sending data
   through the network and observing its behavior.  [DISCUSS: Before
   deploying?  Before operating?  How to achieve this?]

   Protocol designers should consider how to test the correct end-to-end
   operation of the network, and how to verify the correct data or
   forwarding plane function of each network element.

4.4.2.  Control of Function and Policy

   A protocol designer should consider the configurable items that exist
   for the control of function via the protocol elements described in
   the protocol specification.  For example, Sometimes the protocol
   requires that timers can be configured by the operator to ensure
   specific policy-based behavior by the implementation.

4.5.  Accounting Management

   A protocol designer should consider whether it would be appropriate
   to collect usage information related to this protocol, and if so,
   what usage information would be appropriate to collect?




Harrington              Expires January 15, 2009               [Page 18]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   RFC2975 [RFC2975] Introduction to Accounting Management discusses a
   number of factors relevant to monitoring usage of protocols for
   purposes of capacity and trend analysis, cost allocation, auditing,
   and billing.  This document also discusses how RADIUS [RFC2865],
   TACACS+ [RFC1492], SNMP, IPFIX, and PSAMP protocols can be used for
   these purposes.  These factors should be considered when designing a
   protocol whose usage might need to be monitored, or when recommending
   a protocol to do usage accounting.

4.6.  Performance Management

   Consider information that would be useful when trying to determine
   the performance characteristics of a deployed system using the target
   protocol.

   What are the principal performance factors that need to be looked at
   when measuring the operational performance of the protocol
   implementations?  Is it important to measure setup times? throughput?
   quality versus throughput? interruptions? end-to-end throughput? end-
   to-end quality? hop-to-hop throughput?

   Consider scalability, such as whether performance will be affected by
   the number of protocol connections.  If so, then it might be useful
   to provide information about the maximum number of table entries that
   should be expected to be modeled, how many entries an implementation
   can support, the current number of instances, and the expected
   behavior when the current instances exceed the capacity of the
   implementation.  This should be considered in a data-modeling
   independent manner - what makes managed-protocol sense, not what
   makes management-protocol-sense.  If it is not managed-protocol-
   dependent, then it should be left for the management-protocol data
   modelers to decide.  For example, VLAN identifiers have a range of
   1..4095 because of the VLAN standards.  A MIB implementing a VLAN
   table should be able to support 4096 entries because the content
   being modeled requires it.

   Consider operational activity, such as the number of message in and
   the messages out, the number of received messages rejected due to
   format problems, the expected behaviors when a malformed message is
   received.

   Consider the expected behaviors for counters - what is a reasonable
   maximum value for expected usage? should they stop counting at the
   maximum value and retain the maximum value, or should they rollover?
   How can users determine if a rollover has occurred, and how can users
   determine if more than one rollover has occurred?

   What information should be maintained across reboots of the device,



Harrington              Expires January 15, 2009               [Page 19]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   or restarts of the management system?

   Could events, such as hot-swapping a blade in a chassis, cause
   discontinuities in information?  Does this make any difference in
   evaluating the performance of a protocol?

   Consider whether multiple management applications will share a
   counter; if so, then no one management application should be allowed
   to reset the value to zero since this will impact other applications.

   For performance monitoring, it is often important to report the time
   spent in a state rather than the current state.  Snapshots are of
   less value for performance monitoring.  [DISCUSS: please elaborate]

   The Benchmarking Methodology WG (bmwg) has defined recommendations
   for the measurement of the performance characteristics of various
   internetworking technologies in a laboratory environment, including
   the systems or services that are built from these technologies.  Each
   recommendation describes the class of equipment, system, or service
   being addressed; discuss the performance characteristics that are
   pertinent to that class; clearly identify a set of metrics that aid
   in the description of those characteristics; specify the
   methodologies required to collect said metrics; and lastly, present
   the requirements for the common, unambiguous reporting of
   benchmarking results.

   [DISCUSS: there are several parts to performance management.  Device
   monitoring (with the impact of the new protocol/service activation),
   protocol monitoring, and services monitoring.  This section might
   benefit from being broken into different pieces.]

4.7.  Security Management

   Protocol designers should consider how to monitor and to manage
   security aspects and vulnerabilities of the new protocol.

   There will be security considerations related to the new protocol.
   To make it possible for operators to be aware of security-related
   events, it is recommended that system logs should record events, such
   as failed logins, but the logs must be secured.

   Should a system automatically notify operators of every event
   occurrence, or should an operator-defined threshold control when a
   notification is sent to an operator?

   Should certain statistics be collected about the operation of the new
   protocol that might be useful for detecting attacks, such as the
   receipt of malformed messages, or messages out of order, or messages



Harrington              Expires January 15, 2009               [Page 20]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   with invalid timestamps?  If such statistics are collected, is it
   important to count them separately for each sender to help identify
   the source of attacks?

   Manageability considerations that are security-oriented might include
   discussion of the security implications when no monitoring is in
   place, the regulatory implications of absence of audit-trail or logs
   in enterprises, exceeding the capacity of logs, and security
   exposures present in chosen / recommended management mechanisms.

   The granularity of access control needed on management interfaces
   needs to match operational needs.  Typical requirements are a role-
   based access control model and the principle of least privilege,
   where a user can be given only the minimum access necessary to
   perform a required task.

   It must be possible to do consistency checks of access control lists
   across devices.  Protocol designers should consider information
   models to promote comparisons across devices and across vendors to
   permit checking the consistency of security configurations.

   Protocol designers should consider how to provide a secure transport,
   authentication, identity, and access control which integrates well
   with existing key and credential management infrastructure.  It is a
   good idea to start with defining the threat model for the protocol,
   and from that deducing what is required.

   Protocol designers should consider how access control lists are
   maintained and updated.

   Standard SNMP notifications or SYSLOG messages
   [I-D.ietf-syslog-protocol] might already exist, or can be defined, to
   alert operators to the conditions identified in the security
   considerations for the new protocol.  [DISCUSS: can somebody provide
   an example of an existing notifications or syslog messages related to
   security, other than SNMPv3-specific notifications?]

   An analysis of existing counters might help operators recognize the
   conditions identified in the security considerations for the new
   protocol before they can impact the network.

   RADIUS and DIAMETER can provide authentication and authorization.  A
   protocol designer should consider which attributes would be
   appropriate for their protocol.

   Different protocols use different assumptions about message security
   and data access controls.  A protocol designer that recommends using
   different protocols should consider how security will be applied in a



Harrington              Expires January 15, 2009               [Page 21]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   balanced manner across multiple management interfaces.  SNMP access
   control is data-oriented, while CLI access control is usually command
   (task) oriented.  Depending on the management function, sometimes
   data-oriented or task-oriented access control makes more sense.
   Protocol designers should consider both data-oriented and task-
   oriented access control.

5.  Documentation Guidelines

   The purpose of this document is to provide guidance about what to
   consider when thinking about the management and deployment of a new
   protocol, and to provide guidance about documenting the
   considerations.  The following guidelines are designed to help
   writers provide a reasonably consistent format for such
   documentation.  Separate manageability and operational considerations
   sections are desirable in many cases, but their structure and
   location is a decision that can be made from case to case.

   We want to avoid seeming to impose a solution by putting in place a
   strict terminology - for example implying that a formal data model,
   or even using a management protocol is mandatory.  If protocol
   designers conclude that its technology can be managed solely by using
   proprietary CLIs, and no structured or standardized data model needs
   to be in place, this might be fine, but it is a decision that should
   be explicit in a manageability discussion, that this is how the
   protocol will need to be operated and managed.  Protocol designers
   should avoid having manageability pushed for a later/never phase of
   the development of the standard.

   Making a Management Considerations section a mandatory publication
   requirement for IETF documents is the responsibility of the IESG, or
   specific area directors, or working groups, and this document avoids
   recommending any mandatory publication requirements.  For a complex
   protocol, a completely separate draft on operations and management
   might be appropriate, or even a completely separate WG effort.

   This document is focused on what to think about, and how to document
   the considerations of the protocol designer.

5.1.  Recommended Discussions

   A Manageability Considerations section should include discussion of
   the management and operations topics raised in this document, and
   when one or more of these topics is not relevant, it would be useful
   to contain a simple statement explaining why the topic is not
   relevant for the new protocol.  Of course, additional relevant topics
   should be included as well.




Harrington              Expires January 15, 2009               [Page 22]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   Existing protocols and data models can provide the management
   functions identified in the previous section.  Protocol designers
   should consider how using existing protocols and data models might
   impact network operations.

5.2.  Null Manageability Considerations Sections

   A protocol designer may seriously consider the manageability
   requirements of a new protocol, and determine that no management
   functionality is needed by the new protocol.  It would be helpful to
   those who may update or write extensions to the protocol in the
   future or to those deploying the new protocol to know the thinking of
   the working regarding the manageability of the protocol at the time
   of its design.

   If there are no new manageability or deployment considerations, it is
   recommended that a Manageability Considerations section contain a
   simple statement such as "There are no new manageability requirements
   introduced by this document," and a brief explanation of why that is
   the case.  The presence of such a Manageability Considerations
   section would indicate to the reader that due consideration has been
   given to manageability and operations.

   In the case where the new protocol is an extension, and the base
   protocol discusses all the relevant operational and manageability
   considerations, it would be helpful to point out the considerations
   section in the base document.

5.3.  Placement of Operations and Manageability Considerations Sections

   If a protocol designer develops a Manageability Considerations
   section for a new protocol, it is recommended that the section be
   placed immediately before the Security Considerations section.
   Reviewers interested in such sections could find it easily, and this
   placement could simplify the development of tools to detect the
   presence of such a section.

6.  IANA Considerations

   This document does not introduce any new codepoints or name spaces
   for registration with IANA.  Note to RFC Editor: this section may be
   removed on publication as an RFC.

7.  Security Considerations

   This document is informational and provides guidelines for
   considering manageability and operations.  It introduces no new
   security concerns.



Harrington              Expires January 15, 2009               [Page 23]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


8.  Acknowledgements

   This document started from an earlier document edited by Adrian
   Farrel, which itself was based on work exploring the need for
   Manageability Considerations sections in all Internet-Drafts produced
   within the Routing Area of the IETF.  That earlier work was produced
   by Avri Doria, Loa Andersson, and Adrian Farrel, with valuable
   feedback provided by Pekka Savola and Bert Wijnen.

   Some of the discussion about designing for manageability came from
   private discussions between Dan Romascanu, Bert Wijnen, Juergen
   Schoenwaelder, Andy Bierman, and David Harrington.

9.  Informative References

   [I-D.ietf-syslog-protocol]  Gerhards, R., "The syslog Protocol",
                               draft-ietf-syslog-protocol-23 (work in
                               progress), September 2007.

   [RFC1034]                   Mockapetris, P., "Domain names - concepts
                               and facilities", STD 13, RFC 1034,
                               November 1987.

   [RFC1052]                   Cerf, V., "IAB recommendations for the
                               development of Internet network
                               management standards", RFC 1052,
                               April 1988.

   [RFC1492]                   Finseth, C., "An Access Control Protocol,
                               Sometimes Called TACACS", RFC 1492,
                               July 1993.

   [RFC2119]                   Bradner, S., "Key words for use in RFCs
                               to Indicate Requirement Levels", BCP 14,
                               RFC 2119, March 1997.

   [RFC2205]                   Braden, B., Zhang, L., Berson, S.,
                               Herzog, S., and S. Jamin, "Resource
                               ReSerVation Protocol (RSVP) -- Version 1
                               Functional Specification", RFC 2205,
                               September 1997.

   [RFC2439]                   Villamizar, C., Chandra, R., and R.
                               Govindan, "BGP Route Flap Damping",
                               RFC 2439, November 1998.

   [RFC2578]                   McCloghrie, K., Ed., Perkins, D., Ed.,
                               and J. Schoenwaelder, Ed., "Structure of



Harrington              Expires January 15, 2009               [Page 24]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


                               Management Information Version 2
                               (SMIv2)", STD 58, RFC 2578, April 1999.

   [RFC2821]                   Klensin, J., "Simple Mail Transfer
                               Protocol", RFC 2821, April 2001.

   [RFC2863]                   McCloghrie, K. and F. Kastenholz, "The
                               Interfaces Group MIB", RFC 2863,
                               June 2000.

   [RFC2865]                   Rigney, C., Willens, S., Rubens, A., and
                               W. Simpson, "Remote Authentication Dial
                               In User Service (RADIUS)", RFC 2865,
                               June 2000.

   [RFC2975]                   Aboba, B., Arkko, J., and D. Harrington,
                               "Introduction to Accounting Management",
                               RFC 2975, October 2000.

   [RFC3060]                   Moore, B., Ellesson, E., Strassner, J.,
                               and A. Westerinen, "Policy Core
                               Information Model -- Version 1
                               Specification", RFC 3060, February 2001.

   [RFC3084]                   Chan, K., Seligson, J., Durham, D., Gai,
                               S., McCloghrie, K., Herzog, S.,
                               Reichmeyer, F., Yavatkar, R., and A.
                               Smith, "COPS Usage for Policy
                               Provisioning (COPS-PR)", RFC 3084,
                               March 2001.

   [RFC3139]                   Sanchez, L., McCloghrie, K., and J.
                               Saperia, "Requirements for Configuration
                               Management of IP-based Networks",
                               RFC 3139, June 2001.

   [RFC3198]                   Westerinen, A., Schnizlein, J.,
                               Strassner, J., Scherling, M., Quinn, B.,
                               Herzog, S., Huynh, A., Carlson, M.,
                               Perry, J., and S. Waldbusser,
                               "Terminology for Policy-Based
                               Management", RFC 3198, November 2001.

   [RFC3290]                   Bernet, Y., Blake, S., Grossman, D., and
                               A. Smith, "An Informal Management Model
                               for Diffserv Routers", RFC 3290,
                               May 2002.




Harrington              Expires January 15, 2009               [Page 25]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


   [RFC3410]                   Case, J., Mundy, R., Partain, D., and B.
                               Stewart, "Introduction and Applicability
                               Statements for Internet-Standard
                               Management Framework", RFC 3410,
                               December 2002.

   [RFC3444]                   Pras, A. and J. Schoenwaelder, "On the
                               Difference between Information Models and
                               Data Models", RFC 3444, January 2003.

   [RFC3460]                   Moore, B., "Policy Core Information Model
                               (PCIM) Extensions", RFC 3460,
                               January 2003.

   [RFC3535]                   Schoenwaelder, J., "Overview of the 2002
                               IAB Network Management Workshop",
                               RFC 3535, May 2003.

   [RFC3585]                   Jason, J., Rafalow, L., and E. Vyncke,
                               "IPsec Configuration Policy Information
                               Model", RFC 3585, August 2003.

   [RFC3644]                   Snir, Y., Ramberg, Y., Strassner, J.,
                               Cohen, R., and B. Moore, "Policy Quality
                               of Service (QoS) Information Model",
                               RFC 3644, November 2003.

   [RFC3670]                   Moore, B., Durham, D., Strassner, J.,
                               Westerinen, A., and W. Weiss,
                               "Information Model for Describing Network
                               Device QoS Datapath Mechanisms",
                               RFC 3670, January 2004.

   [RFC3805]                   Bergman, R., Lewis, H., and I. McDonald,
                               "Printer MIB v2", RFC 3805, June 2004.

   [RFC4741]                   Enns, R., "NETCONF Configuration
                               Protocol", RFC 4741, December 2006.

   [RFC5105]                   Lendl, O., "ENUM Validation Token Format
                               Definition", RFC 5105, December 2007.

Appendix A.  Review Checklist

   This appendix provides a quick summary of issues to consider.






Harrington              Expires January 15, 2009               [Page 26]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


A.1.  General Document Checklist

      Is the document readable?

      Does it contain nits?

      Is the document class appropriate?

      Is the problem well stated?

      Is the problem really a problem?

      Does the document consider existing solutions?

      Does the solution break existing technology?

      Does the solution preclude future activity?

      Is the specification complete?  Can multiple interoperable
      implementations be built based on the specification?

A.2.  Operations and Management Checklist

      Is the proposed specification deployable?  If not, how could it be
      improved?  Does the document include a description of the
      operational model - how is this protocol or technology going to be
      deployed and managed? will it use centralized or distributed
      management? will it require remote and/or local management
      applications?

      Is the solution sufficiently configurable? are configuration
      parameters clearly identified? are configuration parameters
      normalized? does each configuration parameter have a reasonable
      default value?  Will configuration be pushed to a device by a
      configuration manager, or pulled by a device from a configuration
      server?  How will the devices and managers find and authenticate
      each other?

      Does the solution have failure modes that are difficult to
      diagnose or correct?  Are faults and alarms reported and logged?

      is protocol state information exposed to the user?  How? are
      significant state transitions logged?

      Does the protocol have an impact on network traffic and network
      devices? is protocol performance information exposed to the user?
      Can performance be measured?  Does the solution scale well?  Does
      the proposed approach have any scaling issues that could affect



Harrington              Expires January 15, 2009               [Page 27]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


      usability for large scale operation?

      Are there any backward compatibility issues?

      Do you anticipate any manageability issues with the specification?

      Does the specification introduce new potential security risks or
      avenues for fraud?

      Does the proposed protocol have a significant operational impact
      on the Internet.  If it does, and the document under review
      targets standards track, is their enough proof of implementation
      and/or operational experience to grant Proposed Standard status?

Appendix B.  Open Issues

      Identify bullets for appendix checklist

      align checklist order and guidelines order

      Is section 2 needed? it seems too management-centric.

      Need more reviews and suggested text, especially on operational
      considerations

      [DISCUSS: How much of RFC 3535 and RFC 3139 should be repeated
      (and updated) in these guidelines?  There are many best current
      practices mentioned in those documents.  Should we bring them
      together into this document and expand on how they should
      influence ops/mgmt considerations for a new protocol?  Many of the
      points relate to NM protocol design, but there are also many
      points about operational and management considerations.]

Appendix C.  DISCUSSES that have yet to be discussed

   All of these discusses have been copied from the text.  They all need
   discussion and proposed text before the editor will know what needs
   to be put into the document.

      [DISCUSS: examples, list of current protocols characteristics and
      their impact on the network. e.g., burst traffic impact on network
      congestion.]

      [DISCUSS: would the example of inconsistency between MIB counters
      that cannot be reset and CLI counters that can be rest be useful
      here?]





Harrington              Expires January 15, 2009               [Page 28]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


      [DISCUSS: this could use a good example of when a protocol
      designer should consider future extensions to the management.  Are
      we talking about writing extensible data models? ]

      [DISCUSS: is this paragraph really about protocol design for
      operability or about operational practice?  If this stays, it
      probably needs a bit more discussion on database driven
      configurations, and how protocol design would be impacted by the
      expectation of database-driven configuration. ]

      [DISCUSS: this needs rewording to better describe consistency
      checking 1) over time, and 2) between ends of a link. probably
      needs a bit more discussion on the need to be able to understand
      and check what it is happening on the wire actually matches what
      the Operator tried to configure.  Basically, complexity is your
      enemy here, and that cannot be stressed often enough (no idea how
      you can verify whether for example a SIP application is actually
      doing what it is supposed to do due to the complexity).]

      [DISCUSS: Is a section on P2P vs. central management called for
      here?]

      [DISCUSS: what is reliable?]

      [DISCUSS: can somebody provide an example?]

      [DISCUSS: Ralf: While this sounds good, how do you distinguish
      between faulty messages and good messages?  It might require
      complex functions such as deviation from normal, are you sure you
      want to implement those at the device level?]

      [DISCUSS: Well, deviation from normal is certainly an NMS tasks,
      while two neighbor interfaces could exchange simple fault counters
      in PERCENTAGES that would give the neighbor a hint about issues.
      E.g. if CRC errors are greater than 1% of total traffic both the
      neighbor and the NMS could be notified to setup an alternative
      path/link, if possible.]

      [DISCUSS: this should be expanded or eliminated.  If parallel
      paths exist between two neighbor devices they could be activated.
      Not sure how much further we can take the idea of automated
      correction actions.]

      [DISCUSS: Somewhere in the fault management section, we should
      have pinters to some threshold-based mechanisms, such as RMON
      events/alarms or the EVENT-MIB, with the message that we don't
      need to have SNMP notifications for all events if we have the
      right counters that can be polled as needed.]



Harrington              Expires January 15, 2009               [Page 29]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


      [DISCUSS: Ralf: Well, there are two parts to it: 1.  An NMS system
      could optimize ACLs for performance reasons 2.  Unless the device/
      NMS systems has correct rules/a lot of experience, reordering ACLs
      can lead to a huge security issue, therefore I would rephrase this
      paragraph.]

      [DISCUSS: Also add: backup configurations, i.e. version n-1 and
      auto-fallback solutions that automatically return to the previous
      known good configuration or adding a backdoor for the operator.
      One of the worst scenarios is remote device configuration where
      the new running configuration does not work as expected and
      unlocks the admin.  Vendors may have ways to avoid unlocking the
      operator but this does not have to be vendor specific.]

      [DISCUSS: 1.  Describe the concept of a "Gold config" and updating
      it frequently 2.  Describe a "backdoor" undo strategy ]

      [DISCUSS: Ralf: This might be a good place for adding the
      description of configuration-templates.]

      [DISCUSS: mention NTP?]

      [DISCUSS: Before deploying?  Before operating?  How to achieve
      this?]

      [DISCUSS: please elaborate]

      [DISCUSS: there are several parts to performance management.
      Device monitoring (with the impact of the new protocol/service
      activation), protocol monitoring, and services monitoring.  This
      section might benefit from being broken into different pieces.]

      [DISCUSS: can somebody provide an example of an existing
      notifications or syslog messages related to security, other than
      SNMPv3-specific notifications?]

      [DISCUSS: How much of RFC 3535 and RFC 3139 should be repeated
      (and updated) in these guidelines?  There are many best current
      practices mentioned in those documents.  Should we bring them
      together into this document and expand on how they should
      influence ops/mgmt considerations for a new protocol?  Many of the
      points relate to NM protocol design, but there are also many
      points about operational and management considerations.]








Harrington              Expires January 15, 2009               [Page 30]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


Appendix D.  Change Log

   Changes from opsawg-02 to opsawg-03

   From reviews by Lixia Zhang and feedback from WG Chairs' Lunch.

      added discussion of impact on the Internet to checklist

      spell check

      added examples

      added discussion of default values

      added discussion of database-driven configuration

      fixed some references

      expanded the checklist

   Changes from opsawg-01 to opsawg-02

      moved survey of protocols and data models to separate document

      changed "working group" to "protocol designer" throughout, as
      applicable.

      modified wording from negative to positive spin in places.

      updated based on comments from Ralf Wolter and David Kessens

   Changes from opsawg-00 to opsawg-01

      moved Proposed Standard data models to appendix

      moved advice out of data model survey and into considerations
      section

      addressed comments from Adrian and Dan

      modified the Introduction and Section 2 in response to many
      comments.

      expanded radius and syslog discussion, added psamp and VCCV,
      modified ipfix,

   Changes from harrington-01 to opsawg-00




Harrington              Expires January 15, 2009               [Page 31]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


      added text regarding operational models to be managed.

      Added checklist appendix (to be filled in after consensus is
      reached on main text )

   Changes from harrington-00 to harrington-01

      modified unclear text in "Design for Operations and Management"

      Expanded discussion of counters

      Removed some redundant text

      Added ACLs to Security Management

      Expanded discussion of the status of COPS-PR, SPPI, and PIBs.

      Expanded comparison of RADIUS and Diameter.

      Added placeholders for EPP and XCAP protocols.

      Added Change Log and Open Issues

Author's Address

   David Harrington
   Huawei Technologies USA
   1700 Alma Dr, Suite 100
   Plano, TX  75075
   USA

   Phone: +1 603 436 8634
   Fax:
   EMail: dharrington@huawei.com
   URI:
















Harrington              Expires January 15, 2009               [Page 32]


Internet-Draft           Ops and Mgmt Guidelines               July 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.












Harrington              Expires January 15, 2009               [Page 33]