
Which RFCs should be cited as internet standards?



It's extremely common for RFCs to be cited in support of opinions (including Serverfault Q&As), but the average IT employee has a very poor understanding with regard to which RFCs define standards and which ones are purely informative. This should be no surprise: system administrators of all experience levels typically avoid glazing their eyes at RFCs unless they have no choice but to.



On a site like ours, it is extremely important that we don't perpetuate common misunderstandings in our upvoted answers. Random users cruising in from search engines are going to assume that upvotes with no disputing comments are sufficient indicators of vetting. Recently I stumbled across an answer from 2011 making it apparent that this is definitely not getting caught in some cases as we upvote and probably warrants some efforts to inform our community and the internet at large.



So without further ado, how does one differentiate between an RFC that is quotable as an internet standard and one that is purely informative?


Answer




Only RFCs on the standards track can be cited as defining a standard. For the reader in passing, these are the main points to understand:




  • Some of the older RFCs are not clearly labeled. When in doubt, plug it into the search box at http://www.rfc-editor.org/ and pay attention to the Status column. Be very cautious with anything labeled as Unknown, as they are effectively abandoned and not considered relevant.

  • Any RFC with a designation of Historic has been obsoleted, regardless of how it was originally classified.

  • Any RFC with a status of Proposed Standard or Internet Standard can be used as a technical reference for the applicable internet standard. This is somewhat counter-intuitive and will be touched on below.

  • In all other cases, the RFC cannot be considered a binding, authoritative source of information relative to Internet Standards.




    • That said, RFCs with a designation of Best Current Practice (BCP) should be considered as carrying significant advisory weight. They are not binding in the way that a standard is, but they are heavily vetted and undergo some of the same scrutiny that RFCs in the standards track receive. Ignoring them doesn't violate a standard, but usually it's a bad idea.


    • Informational RFCs lacking the BCP identifier are best likened to an article you come across in an IT magazine. You wouldn't pull an editorial piece out of your desk and tell a director that it defines a standard, right?

    • Experimental RFCs can only be used as a reference for the experimental features that they describe, and not as a reference for the standard that they are associated with. They exist in a vacuum until promoted to the standards track.

    • Occasionally a technical reference may be published as an Informational RFC prior to being incorporated as an Internet Standard. DMARC (RFC 7489) is one of the most widely known modern examples of this. For all intents and purposes, treat these as you would an Experimental RFC. They exist in a vacuum and describe an optional feature.


  • Even once you've navigated this maze, be aware that newer RFCs may have obsoleted significant parts of the RFC that you are quoting from! It is strongly recommended to use tools providing hyperlinks to RFCs that update the one you're viewing, such as those provided by http://tools.ietf.org/ and http://www.rfc-editor.org/.






Those are the bullet points. Now we're going to get into specifics.




RFC 1796 is a good primer for most people who don't want to spend a day staring at RFCs. It clearly and concisely explains the common misconception of people assuming that an RFC is always defining an internet standard of some sort. Pay special note to the part where vendors are occasionally guilty of abusing this ignorance when pushing their products.



BCP 9 defines the internet standards track, most notably the progression from Proposed Standard to Internet Standard. It should be noted that this is a concatenation of several RFCs, beginning with RFC 2026.



Reading RFC 2026 by itself in a vacuum is a common occurrence but also a terrible idea:




  • RFC 6410 eliminates the concept of Draft Standards entirely.

  • RFC 7127 is a more recent (2014) update to BCP 9 making it clear that many Proposed Standards are never promoted to Internet Standard despite widespread implementation and high stability. This is in large part due to the higher vetting standards that modern Proposed Standards are subjected to prior to being classified as such. This RFC effectively retracts the prior statement by RFC 2026 that "Implementors should treat Proposed Standards as immature specifications". Never quote that line to anyone.




In short, if an RFC document is on the internet standards track at all, it has sufficient maturity to be used as a technical reference until such a point that a future RFC updates it.



Disclaimer



As the above demonstrates, the internet standards track defined by BCP 9 is a moving target. This answer is a snapshot in time and may require updating in the future. Given its community wiki status, feel free to do so or improve upon it in any way.
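The status and successor checks from the answer above, as an added example that is not part of the original answer. It parses records shaped like the RFC Editor's rfc-index.xml (the namespace and element names are an assumption here) over constructed sample entries; `status-not-covered` is this example's own label for statuses the answer does not name.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace and element names as in the RFC Editor's rfc-index.xml.
NS = {"r": "http://www.rfc-editor.org/rfc-index"}

# Constructed sample, not real index data: five-digit IDs are placeholders and
# RFC2026 lists only the two updates the answer names.
SAMPLE_INDEX = """<rfc-index xmlns="http://www.rfc-editor.org/rfc-index">
 <rfc-entry><doc-id>RFC2026</doc-id><current-status>BEST CURRENT PRACTICE</current-status>
  <updated-by><doc-id>RFC6410</doc-id><doc-id>RFC7127</doc-id></updated-by></rfc-entry>
 <rfc-entry><doc-id>RFC7489</doc-id><current-status>INFORMATIONAL</current-status></rfc-entry>
 <rfc-entry><doc-id>RFC90001</doc-id><current-status>PROPOSED STANDARD</current-status>
  <obsoleted-by><doc-id>RFC90002</doc-id></obsoleted-by></rfc-entry>
 <rfc-entry><doc-id>RFC90002</doc-id><current-status>INTERNET STANDARD</current-status></rfc-entry>
 <rfc-entry><doc-id>RFC90003</doc-id><current-status>HISTORIC</current-status></rfc-entry>
 <rfc-entry><doc-id>RFC90004</doc-id><current-status>UNKNOWN</current-status></rfc-entry>
</rfc-index>"""

# Verdicts as the answer assigns them, keyed by the index's status strings.
VERDICTS = {"INTERNET STANDARD": "standard", "PROPOSED STANDARD": "standard",
            "BEST CURRENT PRACTICE": "advisory", "INFORMATIONAL": "not-a-standard",
            "EXPERIMENTAL": "not-a-standard", "HISTORIC": "obsolete",
            "UNKNOWN": "abandoned"}

def load_index(xml_text):
    """Map doc-id -> status plus the documents that update or obsolete it."""
    index = {}
    for entry in ET.fromstring(xml_text).findall("r:rfc-entry", NS):
        def refs(tag):
            return [d.text for d in entry.findall(f"r:{tag}/r:doc-id", NS)]
        index[entry.findtext("r:doc-id", namespaces=NS)] = {
            "status": entry.findtext("r:current-status", namespaces=NS),
            "updated_by": refs("updated-by"), "obsoleted_by": refs("obsoleted-by")}
    return index

def assess(index, doc_id):
    """Classify one RFC and report what a citation of it must also account for."""
    if doc_id not in index:
        return {"verdict": "not-found", "updated_by": [], "successor": None}
    entry, latest, seen = index[doc_id], doc_id, set()
    # Follow obsoleted-by links (first successor only) with a cycle guard.
    while latest in index and index[latest]["obsoleted_by"] and latest not in seen:
        seen.add(latest)
        latest = index[latest]["obsoleted_by"][0]
    return {"verdict": VERDICTS.get(entry["status"], "status-not-covered"),
            "updated_by": entry["updated_by"],
            "successor": latest if latest != doc_id else None}
```

A non-empty `updated_by` or a `successor` means the cited text has to be read together with the newer documents, whatever the verdict.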

