Internet DRAFT - draft-housley-implementer-obligations

draft-housley-implementer-obligations







INTERNET-DRAFT                                                R. Housley
Intended Status: Informational                            Vigil Security
Expires: 10 November 2014                                    10 May 2014


             Expectations of Implementers of IETF Protocols
               <draft-housley-implementer-obligations-02>


Abstract

   By choosing to implement an IETF protocol, one is expected to follow
   the specification, associated best current practices, and IANA
   registry practices.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Housley                                                         [Page 1]

INTERNET-DRAFT                                               10 May 2014


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction

   This document provides advice to implementers of IETF protocols to
   improve interoperability of their implementations.

   IETF protocols foster interoperability.  This interoperability brings
   great benefits.  IETF protocols are building blocks for many products
   and services, and they enable innovation.  Yet, IETF standards are
   voluntary standards.  No one is required to implement them.
   Implementation is a choice.  By making this choice, an implementor is
   expected to:

      (1) Follow the protocol specification;
      (2) Follow associated Best Current Practices (BCPs); and
      (3) Follow associated IANA registry practices.

   When implementers meet these expectations, protocols interoperate as
   intended by the IETF.

   These expectations reflect the fundamental philosophy of the IETF.
   That is, interoperability is achieved when people choose to
   cooperate.  By taking these actions one can expect to achieve greater
   interoperability with others.

2.  First Expectation: Follow the Protocol Specification

   To repeat, IETF protocols foster interoperability, and this
   interoperability brings great benefits.  If one does not follow the
   protocol specification, then interoperability is jeopardized.

   Of course, one should follow Postel's Law while implementing the
   specification:

      In general, an implementation should be conservative in its
      sending behavior, and liberal in its receiving behavior. [RFC760]

   Following Postel's Law simply increases interoperability.  One should
   be careful to send well-formed protocol data units and carefully
   follow elements of procedure; which avoids surprises for
   communicating peers that use other implementations.  On the other
   hand, one should accept any protocol data unit that can be
   interpreted, which heightens interoperability in the face of
   technical errors by others.

   Many protocol specifications are living documents; things that change



Housley                                                         [Page 2]

INTERNET-DRAFT                                               10 May 2014


   over time.  An implementer should plan to maintain their
   implementation.  It is not sufficient to do an initial implementation
   of the protocol.  One needs to apply changes as they come out.  The
   most obvious and urgent example involves specification revisions that
   fix security issues that are found after the initial publication of a
   protocol specification.

3.  Second Expectation: Follow Associated Best Current Practices

   Best Current Practices (BCPs) about IETF protocols (not the BCPs that
   define IETF processes and procedures) are intended to standardize
   practices.

   The Internet is composed of networks operated by a great variety of
   organizations, with diverse goals and rules.  By following the BCPs,
   implementers, operators, and administrators are able to provide a
   common experience when using the protocol, regardless of their point
   of attachment to the Internet.

   Sometimes BCPs are referenced in the protocol specification.  Often
   the implementer needs to look through the BCP index to find related
   BCPs.

4.  Third Expectation: Follow Associated IANA Registry Practices

   Many IETF protocols use identifiers consisting of constants and other
   well-known values.  Even after a protocol has been defined and
   deployed, new values may be needed.  To ensure that such quantities
   have consistent values and interpretations across all
   implementations, assignment is administered by a central authority,
   the Internet Assigned Numbers Authority (IANA).  In order to manage a
   namespace (which might also be called an assigned number, an assigned
   value, a code point, a a protocol constant, or a protocol parameter)
   in support of a particular IETF protocol, IANA is given instructions
   and conditions under which new values should be assigned or when
   modifications to existing values can be made.

   Implementers are expected to follow the IANA registry practices
   associated with the protocol, especially in the assignment of new
   values.  By following these practices, other implementations will
   learn about new values and make the appropriate updates to handle
   them properly.

   Note that IP addresses and the top levels of the DNS name hierarchy
   are managed in IANA registries [RFC2860].  Please follow the IANA
   registry practices for the assignment of special IP addresses and
   top-level DNS names in the rare cases where such values are needed.




Housley                                                         [Page 3]

INTERNET-DRAFT                                               10 May 2014


5.  Security Considerations

   This document calls for implementers to follow the protocol
   specification, follow associated best current practices, and follow
   IANA registry practices.  These actions improve interoperability, and
   these actions may also reduce security incidents due to incomplete
   protocol implementations.

   It is not sufficient to do an initial implementation of the protocol.
   Maintenance is needed to apply changes as they come out in the
   future, especially to fix security issues that are found after the
   initial publication of a protocol specification.

   Security processing is an exception to Postel's Law.  For example, a
   password that is close, but not exactly right, is not sufficient to
   gain access.  Processing associated with integrity, authentication,
   access control, and confidentiality mechanisms cannot be forgiving.

6.  IANA Considerations

   This document has no actions for IANA.

7.  Acknowledgements

   Thanks to the people that reviewed this document and suggested
   important improvements, including Bernard Aboba, Richard Barnes,
   Scott Brim, Randy Bush, John Curran, Lars Eggert, Adrian Farrel,
   Stephen Farrell, and Joel Jaeggli.

8.  Normative References

   [RFC2860]  Carpenter, B., Baker, F., and M. Roberts, "Memorandum of
              Understanding Concerning the Technical Work of the
              Internet Assigned Numbers Authority", RFC 2860, June 2000.

9.  Informative References

   [RFC760]   Postel, J., "DoD standard Internet Protocol", RFC 760,
              January 1980.












Housley                                                         [Page 4]

INTERNET-DRAFT                                               10 May 2014


Author's Address

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com










































Housley                                                         [Page 5]