idnits 2.17.1 draft-ietf-isis-rfc3847bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 944. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 955. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 962. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 968. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3847, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year (Using the creation date from RFC3847, updated by this document, for RFC5378 checks: 2001-09-21) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 1, 2007) is 6021 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10589' ** Obsolete normative reference: RFC 3373 (Obsoleted by RFC 5303) ** Obsolete normative reference: RFC 3567 (Obsoleted by RFC 5304) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Shand 3 Internet-Draft L. Ginsberg 4 Updates: 3847 (if approved) Cisco Systems 5 Intended status: Standards Track November 1, 2007 6 Expires: May 4, 2008 8 Restart Signaling for Intermediate System to Intermediate System (IS-IS) 9 draft-ietf-isis-rfc3847bis-00.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on May 4, 2008. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2007). 40 Abstract 42 This document describes a mechanism for a restarting router to signal 43 to its neighbors that it is restarting, allowing them to reestablish 44 their adjacencies without cycling through the down state, while still 45 correctly initiating database synchronization. 47 This document additionally describes a mechanism for a restarting 48 router to determine when it has achieved LSP database synchronization 49 with its neighbors and a mechanism to optimize LSP database 50 synchronization, while minimizing transient routing disruption when a 51 router starts. 53 Table of Contents 55 1. Conventions used in this Document . . . . . . . . . . . . . . 3 56 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 3.1. Timers . . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3.2. Restart TLV . . . . . . . . . . . . . . . . . . . . . . . 5 60 3.2.1. Use of RR and RA Bits . . . . . . . . . . . . . . . . 6 61 3.2.2. Use of the SA Bit . . . . . . . . . . . . . . . . . . 8 62 3.3. Adjacency (Re)Acquisition . . . . . . . . . . . . . . . . 9 63 3.3.1. Adjacency Reacquisition During Restart . . . . . . . . 9 64 3.3.2. Adjacency Acquisition During Start . . . . . . . . . . 11 65 3.3.3. Multiple Levels . . . . . . . . . . . . . . . . . . . 13 66 3.4. Database Synchronization . . . . . . . . . . . . . . . . . 13 67 3.4.1. LSP Generation and Flooding and SPF Computation . . . 14 68 3.4.1.1. Restarting . . . . . . . . . . . . . . . . . . . . 14 69 3.4.1.2. Starting . . . . . . . . . . . . . . . . . . . . . 16 70 4. State Tables . . . . . . . . . . . . . . . . . . . . . . . . . 16 71 4.1. Running Router . . . . . . . . . . . . . . . . . . . . . . 17 72 4.2. Restarting Router . . . . . . . . . . . . . . . . . . . . 18 73 4.3. Starting Router . . . . . . . . . . . . . . . . . . . . . 19 74 5. Security Considerations . . . . . . . . . . . . . . . . . . . 19 75 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 76 7. Manageability Considerations . . . . . . . . . . . . . . . . . 20 77 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20 78 9. Normative References . . . . . . . . . . . . . . . . . . . . . 21 79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21 80 Intellectual Property and Copyright Statements . . . . . . . . . . 22 82 1. Conventions used in this Document 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in BCP 14, [RFC2119]. 88 If the control and forwarding functions in a router can be maintained 89 independently, it is possible for the forwarding function state to be 90 maintained across a resumption of control function operations. This 91 functionality is assumed when the terms "restart/restarting" are used 92 in this document. 94 The terms "start/starting" are used to refer to a router in which the 95 control function has either commenced operations for the first time 96 or has resumed operations but the forwarding functions have not been 97 maintained in a prior state. 99 The terms "(re)start/(re)starting" are used when the text is 100 applicable to both a "starting" and a "restarting" router. 102 2. Overview 104 The Intermediate System to Intermediate System (IS-IS) routing 105 protocol [RFC1195] [ISO10589] is a link state intra-domain routing 106 protocol. Normally, when an IS-IS router is restarted, temporary 107 disruption of routing occurs due to events in both the restarting 108 router and the neighbors of the restarting router. 110 The router which has been restarted computes its own routes before 111 achieving database synchronization with its neighbors. The results 112 of this computation are likely to be non-convergent with the routes 113 computed by other routers in the area/domain. 115 Neighbors of the restarting router detect the restart event and cycle 116 their adjacencies with the restarting router through the down state. 117 The cycling of the adjacency state causes the neighbors to regenerate 118 their LSPs describing the adjacency concerned. This in turn causes a 119 temporary disruption of routes passing through the restarting router. 121 In certain scenarios, the temporary disruption of the routes is 122 highly undesirable. This document describes mechanisms to avoid or 123 minimize the disruption due to both of these causes. 125 When an adjacency is reinitialized as a result of a neighbor 126 restarting, a router does three things: 128 1. It causes its own LSP(s) to be regenerated, thus triggering SPF 129 runs throughout the area (or in the case of Level 2, throughout 130 the domain). 132 2. It sets SRMflags on its own LSP database on the adjacency 133 concerned. 135 3. In the case of a Point-to-Point link, it transmits a (set of) 136 CSNP(s) over the adjacency. 138 In the case of a restarting router process, the first of these is 139 highly undesirable, but the second is essential in order to ensure 140 synchronization of the LSP database. 142 The third action above minimizes the number of LSPs which must be 143 exchanged and, if made reliable, provides a means of determining when 144 the LSP databases of the neighboring routers have been synchronized. 145 This is desirable whether the router is being restarted or not (so 146 that the overload bit can be cleared in the router's own LSP, for 147 example). 149 This document describes a mechanism for a restarting router to signal 150 that it is restarting to its neighbors, and allow them to reestablish 151 their adjacencies without cycling through the down state, while still 152 correctly initiating database synchronization. 154 This document additionally describes a mechanism for a restarting 155 router to determine when it has achieved LSP database synchronization 156 with its neighbors and a mechanism to optimize LSP database 157 synchronization and minimize transient routing disruption when a 158 router starts. 160 It is assumed that the three-way handshake [RFC3373] is being used on 161 Point-to-Point circuits. 163 3. Approach 165 3.1. Timers 167 Three additional timers, T1, T2, and T3 are required to support the 168 functionality defined in this document. 170 An instance of the timer T1 is maintained per interface, and 171 indicates the time after which an unacknowledged (re)start attempt 172 will be repeated. A typical value might be 3 seconds. 174 An instance of the timer T2 is maintained for each LSP database 175 present in the system, i.e., for a Level1/2 system, there will be an 176 instance of the timer T2 for Level 1 and an instance for Level 2. 177 This is the maximum time that the system will wait for LSPDB 178 synchronization. A typical value might be 60 seconds. 180 A single instance of the timer T3 is maintained for the entire 181 system. It indicates the time after which the router will declare 182 that it has failed to achieve database synchronization (by setting 183 the overload bit in its own LSP). This is initialized to 65535 184 seconds, but is set to the minimum of the remaining times of received 185 IIHs containing a restart TLV with the RA set and an indication that 186 the neighbor has an adjacency in the "UP" state to the restarting 187 router. 189 NOTE: The timer T3 is only used by a restarting router. 191 3.2. Restart TLV 193 A new TLV is defined to be included in IIH PDUs. The presence of 194 this TLV indicates that the sender supports the functionality defined 195 in this document and it carries flags that are used to convey 196 information during a (re)start. All IIHs transmitted by a router 197 that supports this capability MUST include this TLV. 199 Type 211 201 Length # of octets in the value field (1 to (3 + ID Length)) 202 Value 204 No. of octets 205 +-----------------------+ 206 | Flags | 1 207 +-----------------------+ 208 | Remaining Time | 2 209 +-----------------------+ 210 | Restarting Neighbor ID| ID Length 211 +-----------------------+ 213 Flags (1 octet) 215 0 1 2 3 4 5 6 7 216 +--+--+--+--+--+--+--+--+ 217 | Reserved |SA|RA|RR| 218 +--+--+--+--+--+--+--+--+ 220 RR - Restart Request 221 RA - Restart Acknowledgement 222 SA - Suppress adjacency advertisement 224 (Note: Remaining fields are required when the RA bit is set) 226 Remaining Time (2 octets) 228 Remaining holding time (in seconds) 230 Restarting Neighbor System ID (ID Length octets) 232 The system ID of the neighbor to which an RA refers. Note: 233 Implementations based on earlier versions of this document may not 234 include this field in the TLV when the RA is set. In this case, a 235 router which is expecting an RA on a LAN circuit SHOULD assume that 236 the acknowledgement is directed at the local system. 238 3.2.1. Use of RR and RA Bits 240 The RR bit is used by a (re)starting router to signal to its 241 neighbors that a (re)start is in progress, that an existing adjacency 242 SHOULD be maintained even under circumstances when the normal 243 operation of the adjacency state machine would require the adjacency 244 to be reinitialized, to request a set of CSNPs, and to request 245 setting of the SRMflags. 247 The RA bit is sent by the neighbor of a (re)starting router to 248 acknowledge the receipt of a restart TLV with the RR bit set. 250 When the neighbor of a (re)starting router receives an IIH with the 251 restart TLV having the RR bit set, if there exists on this interface 252 an adjacency in state "UP" with the same System ID, and in the case 253 of a LAN circuit, with the same source LAN address, then, 254 irrespective of the other contents of the "Intermediate System 255 Neighbors" option (LAN circuits) or the "Point-to-Point Three-Way 256 Adjacency" option (Point-to-Point circuits): 258 a. the state of the adjacency is not changed. If this is the first 259 IIH with the RR bit set that this system has received associated 260 with this adjacency, then the adjacency is marked as being in 261 "Restart mode" and the adjacency holding time is refreshed - 262 otherwise the holding time is not refreshed. The "remaining 263 time" transmitted according to (b) below MUST reflect the actual 264 time after which the adjacency will now expire. Receipt of a 265 normal IIH with the RR bit reset will clear the "Restart mode" 266 state. This procedure allows the restarting router to cause the 267 neighbor to maintain the adjacency long enough for restart to 268 successfully complete while also preventing repetitive restarts 269 from maintaining an adjacency indefinitely. Whether an adjacency 270 is marked as being in "Restart mode" or not has no effect on 271 adjacency state transitions. 273 b. immediately (i.e., without waiting for any currently running 274 timer interval to expire, but with a small random delay of a few 275 10s of milliseconds on LANs to avoid "storms") transmit over the 276 corresponding interface an IIH including the restart TLV with the 277 RR bit clear and the RA bit set, in the case of Point-to-Point 278 adjacencies having updated the "Point-to-Point Three-Way 279 Adjacency" option to reflect any new values received from the 280 (re)starting router. (This allows a restarting router to quickly 281 acquire the correct information to place in its hellos.) The 282 "Remaining Time" MUST be set to the current time (in seconds) 283 before the holding timer on this adjacency is due to expire. If 284 the corresponding interface is a LAN interface, then the 285 Restarting Neighbor System ID SHOULD be set to the System ID of 286 the router from whom the IIH with the RR bit set was received. 287 This is required to correctly associate the acknowledgement and 288 holding time in the case where multiple systems on a LAN restart 289 at approximately the same time. This IIH SHOULD be transmitted 290 before any LSPs or SNPs are transmitted as a result of the 291 receipt of the original IIH. 293 c. if the corresponding interface is a Point-to-Point interface, or 294 if the receiving router has the highest LnRouterPriority (with 295 highest source MAC address breaking ties) among those routers to 296 which the receiving router has an adjacency in state "UP" on this 297 interface whose IIHs contain the restart TLV, excluding 298 adjacencies to all routers which are considered in "Restart mode" 299 (note the actual DIS is NOT changed by this process), initiate 300 the transmission over the corresponding interface of a complete 301 set of CSNPs, and set SRMflags on the corresponding interface for 302 all LSPs in the local LSP database. 304 Otherwise (i.e., if there was no adjacency in the "UP" state to the 305 system ID in question), process the IIH as normal by reinitializing 306 the adjacency and setting the RA bit in the returned IIH. 308 3.2.2. Use of the SA Bit 310 The SA bit is used by a starting router to request that its neighbor 311 suppress advertisement of the adjacency to the starting router in the 312 neighbor's LSPs. 314 A router which is starting has no maintained forwarding function 315 state. This may or may not be the first time the router has started. 316 If this is not the first time the router has started, copies of LSPs 317 generated by this router in its previous incarnation may exist in the 318 LSP databases of other routers in the network. These copies are 319 likely to appear "newer" than LSPs initially generated by the 320 starting router due to the reinitialization of LSP fragment sequence 321 numbers by the starting router. This may cause temporary blackholes 322 to occur until the normal operation of the update process causes the 323 starting router to regenerate and flood copies of its own LSPs with 324 higher sequence numbers. The temporary blackholes can be avoided if 325 the starting router's neighbors suppress advertising an adjacency to 326 the starting router until the starting router has been able to 327 propagate newer versions of LSPs generated by previous incarnations. 329 When a router receives an IIH with the restart TLV having the SA bit 330 set, if there exists on this interface an adjacency in state "UP" 331 with the same System ID, and in the case of a LAN circuit, with the 332 same source LAN address, then the router MUST suppress advertisement 333 of the adjacency to the neighbor in its own LSPs. Until an IIH with 334 the SA bit clear has been received, the neighbor advertisement MUST 335 continue to be suppressed. If the adjacency transitions to the "UP" 336 state, the new adjacency MUST NOT be advertised until an IIH with the 337 SA bit clear has been received. 339 Note that a router which suppresses advertisement of an adjacency 340 MUST NOT use this adjacency when performing its SPF calculation. In 341 particular, if an implementation follows the example guidelines 342 presented in [ISO10589] Annex C.2.5 Step 0:b) "pre-load TENT with the 343 local adjacency database", the suppressed adjacency MUST NOT be 344 loaded into TENT. 346 3.3. Adjacency (Re)Acquisition 348 Adjacency (re)acquisition is the first step in (re)initialization. 349 Restarting and starting routers will make use of the RR bit in the 350 restart TLV, though each will use it at different stages of the 351 (re)start procedure. 353 3.3.1. Adjacency Reacquisition During Restart 355 The restarting router explicitly notifies its neighbor that the 356 adjacency is being reacquired, and hence that it SHOULD NOT 357 reinitialize the adjacency. This is achieved by setting the RR bit 358 in the restart TLV. When the neighbor of a restarting router 359 receives an IIH with the restart TLV having the RR bit set, if there 360 exists on this interface an adjacency in state "UP" with the same 361 System ID, and in the case of a LAN circuit, with the same source LAN 362 address, then the procedures described in Section 3.2.1 are followed. 364 A router that does not support the restart capability will ignore the 365 restart TLV and reinitialize the adjacency as normal, returning an 366 IIH without the restart TLV. 368 On restarting, a router initializes the timer T3, starts the timer T2 369 for each LSPDB, and for each interface (and in the case of a LAN 370 circuit, for each level) starts the timer T1 and transmits an IIH 371 containing the restart TLV with the RR bit set. 373 On a Point-to-Point circuit the restarting router SHOULD set the 374 "Adjacency Three-Way State" to "Init", because the receipt of the 375 acknowledging IIH (with RA set) MUST cause the adjacency to enter the 376 "UP" state immediately. 378 On a LAN circuit the LAN-ID assigned to the circuit SHOULD be the 379 same as that used prior to the restart. In particular, for any 380 circuits for which the restarting router was previously DIS, the use 381 of a different LAN-ID would necessitate the generation of a new set 382 of pseudonode LSPs, and corresponding changes in all the LSPs 383 referencing them from other routers on the LAN. By preserving the 384 LAN-ID across the restart, this churn can be prevented. To enable a 385 restarting router to learn the LAN-ID used prior to restart, the 386 LAN-ID specified in an IIH with RR set MUST be ignored. 388 Transmission of "normal" IIHs is inhibited until the conditions 389 described below are met (in order to avoid causing an unnecessary 390 adjacency initialization). Upon expiry of the timer T1, it is 391 restarted and the IIH is retransmitted as above. 393 When a restarting router receives an IIH a local adjacency is 394 established as usual, and if the IIH contains a restart TLV with the 395 RA bit set (and on LAN circuits with a Restart Neighbor System ID 396 which matches that of the local system), the receipt of the 397 acknowledgement over that interface is noted. When the RA bit is set 398 and the state of the remote adjacency is "UP", then the timer T3 is 399 set to the minimum of its current value and the value of the 400 "Remaining Time" field in the received IIH. 402 On a Point-to-Point link, receipt of an IIH not containing the 403 restart TLV is also treated as an acknowledgement, since it indicates 404 that the neighbor is not restart capable. However, since no CSNP is 405 guaranteed to be received over this interface, the timer T1 is 406 cancelled immediately without waiting for a complete set of CSNP(s). 407 Synchronization may therefore be deemed complete even though there 408 are some LSPs which are held (only) by this neighbor (see 409 Section 3.4). In this case we also want to be certain that the 410 neighbor will reinitialize the adjacency in order to guarantee that 411 the SRMflags have been set on its database, thus ensuring eventual 412 LSPDB synchronization. This is guaranteed to happen except in the 413 case where the Adjacency Three-Way State in the received IIH is "UP" 414 and the Neighbor Extended Local Circuit ID matches the extended local 415 circuit ID assigned by the restarting router. In this case the 416 restarting router MUST force the adjacency to reinitialize by setting 417 the local Adjacency Three-Way State to "DOWN" and sending a normal 418 IIH. 420 In the case of a LAN interface, receipt of an IIH not containing the 421 restart TLV is unremarkable since synchronization can still occur so 422 long as at least one of the non-restarting neighboring routers on the 423 LAN supports restart. Therefore T1 continues to run in this case. 424 If none of the neighbors on the LAN are restart capable, T1 will 425 eventually expire after the locally defined number of retries. 427 In the case of a Point-to-Point circuit, the "LocalCircuitID" and 428 "Extended Local Circuit ID" information contained in the IIH can be 429 used immediately to generate an IIH containing the correct 3-way 430 handshake information. The presence of "Neighbor Extended Local 431 Circuit ID" information which does not match the value currently in 432 use by the local system is ignored (since the IIH may have been 433 transmitted before the neighbor had received the new value from the 434 restarting router), but the adjacency remains in the initializing 435 state until the correct information is received. 437 In the case of a LAN circuit, the source neighbor information (e.g., 438 SNPAAddress) is recorded and used for adjacency establishment and 439 maintenance as normal. 441 When BOTH a complete set of CSNP(s) (for each active level, in the 442 case of a point-to-point circuit) and an acknowledgement have been 443 received over the interface, the timer T1 is cancelled. 445 Once the timer T1 has been cancelled, subsequent IIHs are transmitted 446 according to the normal algorithms, but including the restart TLV 447 with both RR and RA clear. 449 If a LAN contains a mixture of systems, only some of which support 450 the new algorithm, database synchronization is still guaranteed, but 451 the "old" systems will have reinitialized their adjacencies. 453 If an interface is active, but does not have any neighboring router 454 reachable over that interface, the timer T1 would never be cancelled, 455 and according to Section 3.4.1.1, the SPF would never be run. 456 Therefore timer T1 is cancelled after some pre-determined number of 457 expirations (which MAY be 1). 459 3.3.2. Adjacency Acquisition During Start 461 The starting router wants to ensure that in the event that a 462 neighboring router has an adjacency to the starting router in the 463 "UP" state (from a previous incarnation of the starting router), this 464 adjacency is reinitialized. The starting router also wants 465 neighboring routers to suppress advertisement of an adjacency to the 466 starting router until LSP database synchronization is achieved. This 467 is achieved by sending IIHs with the RR bit clear and the SA bit set 468 in the restart TLV. The RR bit remains clear and the SA bit remains 469 set in subsequent transmissions of IIHs until the adjacency has 470 reached the "UP" state and the initial T1 timer interval (see below) 471 has expired. 473 Receipt of an IIH with the RR bit clear will result in the 474 neighboring router utilizing normal operation of the adjacency state 475 machine. This will ensure that any old adjacency on the neighboring 476 router will be reinitialized. 478 Upon receipt of an IIH with the SA bit set, the behavior described in 479 Section 3.2.2 is followed. 481 Upon starting, a router starts timer T2 for each LSPDB. 483 For each interface (and in the case of a LAN circuit, for each 484 level), when an adjacency reaches the "UP" state, the starting router 485 starts a timer T1 and transmits an IIH containing the restart TLV 486 with the RR bit clear and SA bit set. Upon expiry of the timer T1, 487 it is restarted and the IIH is retransmitted with both RR and SA bits 488 set (only the RR bit has changed state from earlier IIHs). 490 Upon receipt of an IIH with the RR bit set (regardless of whether the 491 SA is set or not), the behavior described in Section 3.2.1 is 492 followed. 494 When an IIH is received by the starting router and the IIH contains a 495 restart TLV with the RA bit set (and on LAN circuits with a Restart 496 Neighbor System ID which matches that of the local system), the 497 receipt of the acknowledgement over that interface is noted. 499 On a Point-to-Point link, receipt of an IIH not containing the 500 restart TLV is also treated as an acknowledgement, since it indicates 501 that the neighbor is not restart capable. Since the neighbor will 502 have reinitialized the adjacency, this guarantees that SRMflags have 503 been set on its database, thus ensuring eventual LSPDB 504 synchronization. However, since no CSNP is guaranteed to be received 505 over this interface, the timer T1 is cancelled immediately without 506 waiting for a complete set of CSNP(s). Synchronization may therefore 507 be deemed complete even though there are some LSPs which are held 508 (only) by this neighbor (see Section 3.4). 510 In the case of a LAN interface, receipt of an IIH not containing the 511 restart TLV is unremarkable since synchronization can still occur so 512 long as at least one of the non-restarting neighboring routers on the 513 LAN supports restart. Therefore T1 continues to run in this case. 514 If none of the neighbors on the LAN are restart capable, T1 will 515 eventually expire after the locally defined number of retries. The 516 usual operation of the update process will ensure that 517 synchronization is eventually achieved. 519 When BOTH a complete set of CSNP(s) (for each active level, in the 520 case of a point-to-point circuit) and an acknowledgement have been 521 received over the interface, the timer T1 is cancelled. Subsequent 522 IIHs sent by the starting router have the RR and RA bits clear and 523 the SA bit set in the restart TLV. 525 Timer T1 is cancelled after some pre-determined number of expirations 526 (which MAY be 1). 528 When the T2 timer(s) are cancelled or expire, transmission of 529 "normal" IIHs (with RR, RA, and SA bits clear) will begin. 531 3.3.3. Multiple Levels 533 A router which is operating as both a Level 1 and a Level 2 router on 534 a particular interface MUST perform the above operations for each 535 level. 537 On a LAN interface, it MUST send and receive both Level 1 and Level 2 538 IIHs and perform the CSNP synchronizations independently for each 539 level. 541 On a point-to-point interface, only a single IIH (indicating support 542 for both levels) is required, but it MUST perform the CSNP 543 synchronizations independently for each level. 545 3.4. Database Synchronization 547 When a router is started or restarted it can expect to receive a (set 548 of) CSNP(s) over each interface. The arrival of the CSNP(s) is now 549 guaranteed, since an IIH with the RR bit set will be retransmitted 550 until the CSNP(s) are correctly received. 552 The CSNPs describe the set of LSPs that are currently held by each 553 neighbor. Synchronization will be complete when all these LSPs have 554 been received. 556 When (re)starting, a router starts an instance of timer T2 for each 557 LSPDB as described in Section 3.3.1 or Section 3.3.2. In addition to 558 normal processing of the CSNPs, the set of LSPIDs contained in the 559 first complete set of CSNP(s) received over each interface is 560 recorded, together with their remaining lifetime. In the case of a 561 LAN interface, a complete set of CSNPs MUST consist of CSNPs received 562 from neighbor(s) which are not restarting. If there are multiple 563 interfaces on the (re)starting router, the recorded set of LSPIDs is 564 the union of those received over each interface. LSPs with a 565 remaining lifetime of zero are NOT so recorded. 567 As LSPs are received (by the normal operation of the update process) 568 over any interface, the corresponding LSPID entry is removed (it is 569 also removed if an LSP arrives before the CSNP containing the 570 reference). When an LSPID has been held in the list for its 571 indicated remaining lifetime, it is removed from the list. When the 572 list of LSPIDs is empty and the timer T1 has been cancelled for all 573 the interfaces that have an adjacency at this level, the timer T2 is 574 cancelled. 576 At this point, the local database is guaranteed to contain all the 577 LSP(s) (either the same sequence number, or a more recent sequence 578 number) that were present in the neighbors' databases at the time of 579 (re)starting. LSPs that arrived in a neighbor's database after the 580 time of (re)starting may or may not be present, but the normal 581 operation of the update process will guarantee that they will 582 eventually be received. At this point, the local database is deemed 583 to be "synchronized". 585 Since LSPs mentioned in the CSNP(s) with a zero remaining lifetime 586 are not recorded, and those with a short remaining lifetime are 587 deleted from the list when the lifetime expires, cancellation of the 588 timer T2 will not be prevented by waiting for an LSP that will never 589 arrive. 591 3.4.1. LSP Generation and Flooding and SPF Computation 593 The operation of a router starting, as opposed to restarting, is 594 somewhat different. These two cases are dealt with separately below. 596 3.4.1.1. Restarting 598 In order to avoid causing unnecessary routing churn in other routers, 599 it is highly desirable that the router's own LSPs generated by the 600 restarting system are the same as those previously present in the 601 network (assuming no other changes have taken place). It is 602 important therefore not to regenerate and flood the LSPs until all 603 the adjacencies have been re-established and any information required 604 for propagation into the local LSPs is fully available. Ideally, the 605 information is loaded into the LSPs in a deterministic way, such that 606 the same information occurs in the same place in the same LSP (and 607 hence the LSPs are identical to their previous versions). If this 608 can be achieved, the new versions may not even cause SPF to be run in 609 other systems. However, provided the same information is included in 610 the set of LSPs (albeit in a different order, and possibly different 611 LSPs), the result of running the SPF will be the same and will not 612 cause churn to the forwarding tables. 614 In the case of a restarting router, none of the router's own LSPs are 615 transmitted, nor are the router's own forwarding tables updated while 616 the timer T3 is running. 618 Redistribution of inter-level information MUST be regenerated before 619 this router's LSP is flooded to other nodes. Therefore, the Level-n 620 non-pseudonode LSP(s) MUST NOT be flooded until the other level's T2 621 timer has expired and its SPF has been run. This ensures that any 622 inter-level information which is to be propagated can be included in 623 the Level-n LSP(s). 625 During this period, if one of the router's own (including 626 pseudonodes) LSPs is received, which the local router does not 627 currently have in its own database, it is NOT purged. Under normal 628 operation, such an LSP would be purged, since the LSP clearly should 629 not be present in the global LSP database. However, in the present 630 circumstances, this would be highly undesirable, because it could 631 cause premature removal of a router's own LSP - and hence churn in 632 remote routers. Even if the local system has one or more of the 633 router's own LSPs (which it has generated, but not yet transmitted), 634 it is still not valid to compare the received LSP against this set, 635 since it may be that as a result of propagation between Level 1 and 636 Level 2 (or vice versa), a further router's own LSP will need to be 637 generated when the LSP databases have synchronized. 639 During this period a restarting router SHOULD send CSNPs as it 640 normally would. Information about the router's own LSPs MAY be 641 included, but if it is included it MUST be based on LSPs which have 642 been received, not on versions which have been generated (but not yet 643 transmitted). This restriction is necessary to prevent premature 644 removal of an LSP from the global LSP database. 646 When the timer T2 expires or is cancelled indicating that 647 synchronization for that level is complete, the SPF for that level is 648 run in order to derive any information which is required to be 649 propagated to another level, but the forwarding tables are not yet 650 updated. 652 Once the other level's SPF has run and any inter-level propagation 653 has been resolved, the router's own LSPs can be generated and 654 flooded. Any own LSPs which were previously ignored, but which are 655 not part of the current set of own LSPs (including pseudonodes) MUST 656 then be purged. Note that it is possible that a Designated Router 657 change may have taken place, and consequently the router SHOULD purge 658 those pseudonode LSPs which it previously owned, but which are now no 659 longer part of its set of pseudonode LSPs. 661 When all the T2 timers have expired or been cancelled, the timer T3 662 is cancelled and the local forwarding tables are updated. 664 If the timer T3 expires before all the T2 timers have expired or been 665 cancelled, this indicates that the synchronization process is taking 666 longer than the minimum holding time of the neighbors. The router's 667 own LSP(s) for levels which have not yet completed their first SPF 668 computation are then flooded with the overload bit set to indicate 669 that the router's LSPDB is not yet synchronized (and therefore other 670 routers MUST NOT compute routes through this router). Normal 671 operation of the update process resumes and the local forwarding 672 tables are updated. In order to prevent the neighbor's adjacencies 673 from expiring, IIHs with the normal interface value for the holding 674 time are transmitted over all interfaces with neither RR nor RA set 675 in the restart TLV. This will cause the neighbors to refresh their 676 adjacencies. The router's own LSP(s) will continue to have the 677 overload bit set until timer T2 has expired or been cancelled. 679 3.4.1.2. Starting 681 In the case of a starting router, as soon as each adjacency is 682 established, and before any CSNP exchanges, the router's own zeroth 683 LSP is transmitted with the overload bit set. This prevents other 684 routers from computing routes through the router until it has 685 reliably acquired the complete set of LSPs. The overload bit remains 686 set in subsequent transmissions of the zeroth LSP (such as will occur 687 if a previous copy of the router's own zeroth LSP is still present in 688 the network) while any timer T2 is running. 690 When all the T2 timers have been cancelled, the router's own LSP(s) 691 MAY be regenerated with the overload bit clear (assuming the router 692 is not in fact overloaded, and there is no other reason, such as 693 incomplete BGP convergence, to keep the overload bit set) and flooded 694 as normal. 696 Other LSPs owned by this router (including pseudonodes) are generated 697 and flooded as normal, irrespective of the timer T2. The SPF is also 698 run as normal and the RIB and FIB updated as routes become available. 700 To avoid the possible formation of temporary blackholes, the starting 701 router sets the SA bit in the restart TLV (as described in 702 Section 3.3.2) in all IIHs that it sends. 704 When all T2 timers have been cancelled, the starting router MUST 705 transmit IIHs with the SA bit clear. 707 4. State Tables 709 This section presents state tables which summarize the behaviors 710 described in this document. Other behaviors, in particular adjacency 711 state transitions and LSP database update operation, are NOT included 712 in the state tables except where this document modifies the behaviors 713 described in [ISO10589] and [RFC3373]. 715 The states named in the columns of the tables below are a mixture of 716 states that are specific to a single adjacency (ADJ suppressed, ADJ 717 Seen RA, ADJ Seen CSNP) and states which are indicative of the state 718 of the protocol instance (Running, Restarting, Starting, SPF Wait). 720 Three state tables are presented from the point of view of a running 721 router, a restarting router, and a starting router. 723 4.1. Running Router 725 Event | Running | ADJ suppressed 726 ============================================================== 727 RX RR | Maintain ADJ State | 728 | Send RA | 729 | Set SRM,send CSNP | 730 | (Note 1) | 731 | Update Hold Time, | 732 | set Restart Mode | 733 | (Note 2) | 734 -------------+----------------------+------------------------- 735 RX RR clr | Clr Restart mode | 736 -------------+----------------------+------------------------- 737 RX SA | Suppress IS neighbor | 738 | TLV in LSP(s) | 739 | Goto ADJ Suppressed | 740 -------------+----------------------+------------------------- 741 RX SA clr | |Unsuppress IS neighbor 742 | | TLV in LSP(s) 743 | |Goto Running 744 ============================================================== 746 Note 1: CSNPs are sent by routers in accordance with Section 3.2.1c 748 Note 2: If Restart Mode clear 750 4.2. Restarting Router 752 Event | Restarting | ADJ Seen | ADJ Seen | SPF Wait 753 | | RA | CSNP | 754 =================================================================== 755 Router | Send IIH/RR | | | 756 restarts | ADJ Init | | | 757 | Start T1,T2,T3 | | | 758 ------------+--------------------+-----------+-----------+------------ 759 RX RR | Send RA | | | 760 ------------+--------------------+-----------+-----------+------------ 761 RX RA | Adjust T3 | | Cancel T1 | 762 | Goto ADJ Seen RA | | Adjust T3 | 763 ----------- +--------------------+-----------+-----------+------------ 764 RX CSNP set| Goto ADJ Seen CSNP | Cancel T1 | | 765 ------------+--------------------+-----------+-----------+------------ 766 RX IIH w/o | Cancel T1 (Point- | | | 767 Restart TLV| to-point only) | | | 768 ------------+--------------------+-----------+-----------+------------ 769 T1 Expires | Send IIH/RR |Send IIH/RR|Send IIH/RR| 770 | Restart T1 | Restart T1| Restart T1| 771 ------------+--------------------+-----------+-----------+------------ 772 T1 Expires | Send IIH/ | Send IIH/ | Send IIH/ | 773 nth time | normal | normal | normal | 774 ------------+--------------------+-----------+-----------+------------ 775 T2 expires | Trigger SPF | | | 776 | Goto SPF Wait | | | 777 ------------+--------------------+-----------+-----------+------------ 778 T3 expires | Set OL | | | 779 | Flood local LSPs | | | 780 | Update fwd plane | | | 781 ------------+--------------------+-----------+-----------+------------ 782 LSP DB Sync| Cancel T2, and T3 | | | 783 | Trigger SPF | | | 784 | Goto SPF wait | | | 785 ------------+--------------------+-----------+-----------+------------ 786 All SPF | | | | Clear OL 787 done | | | | Update fwd 788 | | | | plane 789 | | | | Flood local 790 | | | | LSPs 791 | | | | Goto Running 792 ====================================================================== 794 4.3. Starting Router 796 Event | Starting | ADJ Seen RA| ADJ Seen CSNP 797 ============================================================= 798 Router | Send IIH/SA | | 799 starts | Start T1,T2 | | 800 -------------+-------------------+------------+--------------- 801 RX RR | Send RA | | 802 -------------+-------------------+------------+--------------- 803 RX RA | Goto ADJ Seen RA | | Cancel T1 804 -------------+-------------------+------------+--------------- 805 RX CSNP Set | Goto ADJ Seen CSNP| Cancel T1 | 806 -------------+-------------------+------------+--------------- 807 RX IIH w | Cancel T1 | | 808 no Restart | (Point-to-Point | | 809 TLV | only) | | 810 -------------+-------------------+------------+--------------- 811 ADJ UP | Start T1 | | 812 | Send local LSPs | | 813 | w OL | | 814 -------------+-------------------+------------+--------------- 815 T1 Expires | Send IIH/RR |Send IIH/RR | Send IIH/RR 816 | and SA | and SA | and SA 817 | Restart T1 |Restart T1 | Restart T1 818 -------------+-------------------+------------+--------------- 819 T1 Expires | Send IIH/SA |Send IIH/SA | Send IIH/SA 820 nth time | | | 821 -------------+-------------------+------------+--------------- 822 T2 expires | Clear OL | | 823 | Send IIH normal | | 824 | Goto Running | | 825 -------------+-------------------+------------+--------------- 826 LSP DB Sync | Cancel T2 | | 827 | Clear OL | | 828 | Send IIH normal | | 829 ============================================================== 831 5. Security Considerations 833 Any new security issues raised by the procedures in this document 834 depend upon the ability of an attacker to inject a false but 835 apparently valid IIH, the ease/difficulty of which has not been 836 altered. 838 If the RR bit is set in a false IIH, neighbors who receive such an 839 IIH will continue to maintain an existing adjacency in the "UP" state 840 and may (re)send a complete set of CSNPs. While the latter action is 841 wasteful, neither action causes any disruption in correct protocol 842 operation. 844 If the RA bit is set in a false IIH, a (re)starting router which 845 receives such an IIH may falsely believe that there is a neighbor on 846 the corresponding interface which supports the procedures described 847 in this document. In the absence of receipt of a complete set of 848 CSNPs on that interface, this could delay the completion of (re)start 849 procedures by requiring the timer T1 to time out the locally defined 850 maximum number of retries. This behavior is the same as would occur 851 on a LAN where none of the (re)starting router's neighbors support 852 the procedures in this document and is covered in Sections 3.3.1 and 853 3.3.2. 855 If an SA bit is set in a false IIH, this could cause suppression of 856 the advertisement of an IS neighbor which could either continue for 857 an indefinite period, or occur intermittently with the result being a 858 possible loss of reachability to some destinations in the network 859 and/or increased frequency of LSP flooding and SPF calculation. 861 The possibility of IS-IS PDU spoofing can be reduced by the use of 862 authentication as described in [RFC1195] and [ISO10589], and 863 especially the use of cryptographic authentication as described in 864 [RFC3567]. 866 6. IANA Considerations 868 This document defines the following IS-IS TLV that is listed in the 869 IS-IS TLV code-point registry: 871 Type Description IIH LSP SNP 872 ---- ----------------------------------- --- --- --- 873 211 Restart TLV y n n 875 7. Manageability Considerations 877 These extensions which have been designed, developed and deployed for 878 many years do not have any new impact on management and operation of 879 the ISIS protocol via this standardization process. 881 8. Acknowledgements 883 The authors would like to acknowledge contributions made by Jeff 884 Parker, Radia Perlman, Mark Schaefer, Naiming Shen, Nischal Sheth, 885 Russ White, and Rena Yang. 887 9. Normative References 889 [ISO10589] 890 International Organization for Standardization, 891 "Intermediate system to Intermediate system intra-domain 892 routeing information exchange protocol for use in 893 conjunction with the protocol for providing the 894 connectionless-mode Network Service (ISO 8473)", ISO/ 895 IEC 10589:2002, Second Edition, Nov 2002. 897 [RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and 898 dual environments", RFC 1195, December 1990. 900 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 901 Requirement Levels", BCP 14, RFC 2119, March 1997. 903 [RFC3373] Katz, D. and R. Saluja, "Three-Way Handshake for 904 Intermediate System to Intermediate System (IS-IS) Point- 905 to-Point Adjacencies", RFC 3373, September 2002. 907 [RFC3567] Li, T. and R. Atkinson, "Intermediate System to 908 Intermediate System (IS-IS) Cryptographic Authentication", 909 RFC 3567, July 2003. 911 Authors' Addresses 913 Mike Shand 914 Cisco Systems 915 250, Longwater Avenue. 916 Reading, Berks RG2 6GB 917 UK 919 Phone: +44 208 824 8690 920 Email: mshand@cisco.com 922 Les Ginsberg 923 Cisco Systems 924 510 McCarthy Blvd 925 Milpitas, CA 95035 926 USA 928 Email: ginsberg@cisco.com 930 Full Copyright Statement 932 Copyright (C) The IETF Trust (2007). 934 This document is subject to the rights, licenses and restrictions 935 contained in BCP 78, and except as set forth therein, the authors 936 retain all their rights. 938 This document and the information contained herein are provided on an 939 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 940 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 941 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 942 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 943 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 944 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 946 Intellectual Property 948 The IETF takes no position regarding the validity or scope of any 949 Intellectual Property Rights or other rights that might be claimed to 950 pertain to the implementation or use of the technology described in 951 this document or the extent to which any license under such rights 952 might or might not be available; nor does it represent that it has 953 made any independent effort to identify any such rights. Information 954 on the procedures with respect to rights in RFC documents can be 955 found in BCP 78 and BCP 79. 957 Copies of IPR disclosures made to the IETF Secretariat and any 958 assurances of licenses to be made available, or the result of an 959 attempt made to obtain a general license or permission for the use of 960 such proprietary rights by implementers or users of this 961 specification can be obtained from the IETF on-line IPR repository at 962 http://www.ietf.org/ipr. 964 The IETF invites any interested party to bring to its attention any 965 copyrights, patents or patent applications, or other proprietary 966 rights that may cover technology that may be required to implement 967 this standard. Please address the information to the IETF at 968 ietf-ipr@ietf.org. 970 Acknowledgment 972 Funding for the RFC Editor function is provided by the IETF 973 Administrative Support Activity (IASA).