In making what I thought was a small update to my copy of a quotation of the Robustness Principle, I quickly fell down the rabbit (rat?) hole of documenting as many versions of it as I could find. Here are the fruits of my labor. Full text of the RFCs can be viewed at the RFC Sourcebook. See also my earlier post regarding the Robustness Principle.
The Internet Robustness Principle: "Be liberal in what you accept, and conservative in what you send." Attributed to Jon Postel. See the Postel Center In Memoriam web page.
According to the Postel Center, the principle originated in RFC 760 "DOD STANDARD INTERNET PROTOCOL" (1980) using different wording:
3.2. Discussion
The implementation of a protocol must be robust. Each implementation must expect to interoperate with others created by different individuals. While the goal of this specification is to be explicit about the protocol there is the possibility of differing interpretations. In general, an implementation should be conservative in its sending behavior, and liberal in its receiving behavior. That is, it should be careful to send well-formed datagrams, but should accept any datagram that it can interpret (e.g., not object to technical errors where the meaning is still clear).
This may be the first RFC containing the principle, but two prior "Internet" specs contain the principle as well: IEN 111 "Internet Protocol" (August 1979) and IEN 123 " DOD STANDARD INTERNET PROTOCOL" (December 1979). The context and wording are identical, so the text is not quoted again.
It next appears in RFC 761 "DOD STANDARD TRANSMISSION CONTROL PROTOCOL" (1980), this time with the designation of "Robustness Principle":
2.10. Robustness Principle
TCP implementations should follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.
Notice the switch from "sending behavior" to simply "do" and the switch from "receiving behavior" to "accept".
It also [next?] appears in RFC 791 "Internet Protocol" (1981), which obsoleted RFC 760:
3.2 Discussion
The implementation of a protocol must be robust. Each implementation must expect to interoperate with others created by different individuals. While the goal of this specification is to be explicit about the protocol there is the possibility of differing interpretations. In general, an implementation must be conservative in its sending behavior, and liberal in its receiving behavior. That is, it must accept any datagram that it can interpret (e.g., not object to technical errors where the meaning is still clear).
Notice the change from "should" to "must".
It also [next?] appears in RFC 793 "Transmission Control Protocol" (1981). The context and wording are identical, so the text is not quoted again.
It also [next?] appears in RFC 1122 "Requirements for Internet Hosts -- Communication Layers" (1989):
1.2.2 Robustness Principle
At every layer of the protocols, there is a general rule whose application can lead to enormous benefits in robustness and interoperability [IP:1]:
"Be liberal in what you accept, and conservative in what you send"
Software should be written to deal with every conceivable error, no matter how unlikely; sooner or later a packet will come in with that particular combination of errors and attributes, and unless the software is prepared, chaos can ensue. In general, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect. This assumption will lead to suitable protective design, although the most serious problems in the Internet have been caused by unenvisaged mechanisms triggered by low-probability events; mere human malice would never have taken so devious a course!
Adaptability to change must be designed into all levels of Internet host software. As a simple example, consider a protocol specification that contains an enumeration of values for a particular header field -- e.g., a type field, a port number, or an error code; this enumeration must be assumed to be incomplete. Thus, if a protocol specification defines fourpossible error codes, the software must not break when a fifth code shows up. An undefined code might be logged (see below), but it must not cause a failure.
The second part of the principle is almost as important: software on other hosts may contain deficiencies that make it unwise to exploit legal but obscure protocol features. It is unwise to stray far from the obvious and simple, lest untoward effects result elsewhere. A corollary of this is "watch out for misbehaving hosts"; host software should be prepared, not just to survive other misbehaving hosts, but also to cooperate to limit the amount of disruption such hosts can cause to the shared communication facility.
While it is clear that the quoted text is quoting Jon Postel, it is not clear whose interpretation of that text follows in the remainder of section 1.2.2. The author of the RFC is Robert (Bob) Braden, who worked at ISI with Jon Postel and authored other RFCs with him (e.g., RFC 1009). Note that RFC 1122 is the RFC referenced by the Postel Center In Memoriam page.
What I like about the RFC 1122 version of the Robustness Principle is that it clarifies a common misconception about the Robustness Principle, which is that it makes receiving systems vulnerable to attack. On the contrary, the principle as interpreted in RFC 1122 advises: "In gerneral, it is best to assume that the network is filled with malevolent entities that will send in packets designed to have the worst possible effect. This assumption will lead to suitable protective design..."
Notice also that this version says that it applies at "every layer of the protocols"--including the application layer.
The last [latest?] formulation of the Robustness Principle is in RFC 1958 "Architectural Principles of the Internet" (1996):
3.9 Be strict when sending and tolerant when receiving.
Implementations must follow specifications precisely when sending to the network, and tolerate faulty input from the network. When in doubt, discard faulty input silently, without returning an error message unless this is required by the specification.
I personally think this is a poor version of the principle and leads to much of the misunderstanding about it. It seems to advise a passive approach to "tolerance" and "liberal acceptance".
The Robustness Principle obviously also applies to life. Tim Berners-Lee has made this part of his religious beliefs, see: http://www.w3.org/People/Berners-Lee/UU.html and http://www.w3.org/DesignIssues/Principles.html. I believe it also applies to evolution (see degeneracy and promiscuity -- as in promiscuous proteins). I will have more to say about this someday.
Note also similarity to this principle articulated by Rudolf Carnap in 1956:
"Let us be cautious in making assertions and critical in examining them, but tolerant in permitting linguistic forms"
Posted by: Theo Honohan | January 08, 2008 at 11:20 AM
Theo, Wow! Thanks so much for making that connection between Postel and Carnap! I had no idea. I'm going to add it to my list of favorite quotes.
Posted by: Nick Gall | January 08, 2008 at 01:59 PM
Wow! What a great resource, and interesting potted history of one the most powerful forces and reasons for why the Web exists, and remains as vibrant as it is. Thanks for putting this together!
Posted by: Paul Downey | October 25, 2008 at 08:44 AM
Theo, Wow! Thanks so much for making that connection between Postel and Carnap! I had no idea. I'm going to add it to my list of favorite quotes.
http://www.rapidpig.com
Posted by: Jeffery | August 09, 2010 at 09:45 AM
Theo, Wow! Thanks so much for making that connection between Postel and Carnap! I had no idea. I'm going to add it to my list of favorite quotes.
Posted by: jeffery | August 09, 2010 at 09:46 AM