idnits 2.17.1 draft-ietf-isis-restart-02.txt: ** The Abstract section seems to be numbered Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There is 1 instance of lines with non-ascii characters in the document. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** The abstract seems to contain references ([2], [3]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (Nov 2002) is 7805 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Missing reference section? '1' on line 13 looks like a reference -- Missing reference section? '2' on line 441 looks like a reference -- Missing reference section? '3' on line 441 looks like a reference -- Missing reference section? '4' on line 64 looks like a reference -- Missing reference section? '5' on line 95 looks like a reference Summary: 5 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group M. Shand 2 Internet Draft Cisco Systems 3 Expiration Date: May 2003 4 Nov 2002 6 Restart signaling for IS-IS 7 draft-ietf-isis-restart-02.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026 [1]. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. Internet-Drafts are draft documents valid for a maximum of 18 six months and may be updated, replaced, or obsoleted by other 19 documents at any time. It is inappropriate to use Internet-Drafts as 20 reference material or to cite them other than as "work in progress." 22 The list of current Internet-Drafts can be accessed at 23 http://www.ietf.org/ietf/1id-abstracts.txt 25 The list of Internet-Draft Shadow Directories can be accessed at 26 http://www.ietf.org/shadow.html. 28 1. Abstract 30 The IS-IS routing protocol (RFC 1142 [2], ISO/IEC 10589 [3]) is a 31 link state intra-domain routing protocol. Normally, when an IS-IS 32 router is re-started, the neighboring routers detect the restart 33 event and cycle their adjacencies with the restarting router through 34 the down state. This is necessary in order to invoke the protocol 35 mechanisms to ensure correct re-synchronization of the LSP database. 36 However, the cycling of the adjacency state causes the neighbors to 37 regenerate their LSPs describing the adjacency concerned. This in 38 turn causes temporary disruption of routes passing through the 39 restarting router. 41 In certain scenarios such temporary disruption of the routes is 42 highly undesirable. 44 This draft describes a mechanism for a restarting router to signal 45 that it is restarting to its neighbors, and allow them to re- 46 establish their adjacencies without cycling through the down state, 47 while still correctly initiating database synchronization. 49 When such a router is restarted, it is highly desirable that it does 50 not re-compute its own routes until it has achieved database 51 synchronization with its neighbors. Re-computing its routes before 52 synchronization is achieved will result in its own routes being 53 temporarily incorrect. 55 This draft additionally describes a mechanism for a restarting 56 router to determine when it has achieved synchronization with its 57 neighbors. 59 2. Conventions used in this document 61 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 62 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 63 this document are to be interpreted as described in RFC-2119 [4]. 65 3. Overview 67 There are two related problems with the existing specification of 68 IS-IS with regard to re-synchronization of LSP databases when a 69 router is re-started. 71 Firstly, when a routing process restarts, and an adjacency to a 72 neighboring router is re-initialized the neighboring routing process 73 does three things 75 1. It re-initializes the adjacency and causes its own LSP(s) to be 76 regenerated, thus triggering SPF runs throughout the area (or 77 in the case of Level 2, throughout the domain). 79 2. It sets SRMflags on its own LSP database on the adjacency 80 concerned. 82 3. In the case of a Point-to-Point link it transmits a (set of) 83 CSNP(s) over the adjacency. 85 In the case of a restarting router process, the first of these is 86 highly undesirable, but the second is essential in order to ensure 87 re-synchronization of the LSP database. 89 Secondly, whether or not the router is being re-started, it is 90 desirable to be able to determine when the LSP databases of the 91 neighboring routers have been synchronized (so that the overload bit 92 can be cleared in the router's own LSP, for example). This document 93 describes modifications to achieve this. 95 It is assumed that the three-way handshake [5] is being used on 96 Point-to-Point circuits. 98 4. Approach 100 4.1 Timers 102 A router that is restart capable maintains three additional timers, 103 T1, T2 and T3. 105 An instance of T1 is maintained per interface, and indicates the 106 time after which an unacknowledged restart attempt will be repeated. 107 A typical value might be 3 seconds. 109 An instance of T2 is maintained for each LSP database present in the 110 system. I.e. for a level1/2 system, there will be an instance of T2 111 for Level 1 and one for level 2. This is the maximum time that the 112 system will wait for LSPDB synchronization. A typical value might be 113 60 seconds. 115 A single instance of T3 is maintained for the entire system. It 116 indicates the time after which the router will declare that it has 117 failed to achieve database synchronization (by setting the overload 118 bit in its own LSP). This is initialized to 65535 seconds, but is 119 set to the minimum of the remaining times of received IIHs 120 containing a restart TLV with RA set. 122 4.2 Adjacency re-acquisition 124 Adjacency re-acquisition is the first step in re-initialization. The 125 restarting router explicitly notifies its neighbor that the 126 adjacency is being re-acquired, and hence that it should not re- 127 initialize the adjacency. This is achieved by the inclusion of a new 128 "re-start" option (TLV) in the IIH PDU. The presence of this TLV 129 indicates that the sender supports the new restart capability and it 130 carries flags that are used to convey information during a restart. 131 All IIHs transmitted by a router that supports this capability MUST 132 include this TLV. 134 Type 211 135 Length 3 136 Value (3 octets) 137 Flags (1 octet) 138 Bit 1 - Restart Request (RR) 139 Bit 2 - Restart Acknowledgment (RA) 140 Bits 3-8 � Reserved 141 Remaining Time (2 octets) 142 Remaining holding time (in seconds) 143 (note: only required when RA bit is set) 145 On receipt of an IIH with the "re-start" TLV having the RR bit set, 146 if there exists on this interface an adjacency in state "Up" with 147 the same System ID, and in the case of a LAN circuit, with the same 148 source LAN address, then, irrespective of the other contents of the 149 "Intermediate System Neighbors" option (LAN circuits), or the 150 "Point-to-Point Adjacency State" option (Point-to-Point circuits): - 152 a) Do not change the state of the adjacency. It is an implementation 153 choice whether or not the holding time of the adjacency is 154 refreshed. Not refreshing the holding time preserves the intention 155 of the original holding time. Refreshing it may allow a longer 156 grace period for the completion of the restart process. Whichever 157 option is chosen, the "remaining time" transmitted according 158 to (b) below MUST reflect the actual time after which the 159 adjacency will now expire. 161 b) immediately (i.e. without waiting for any currently running timer 162 interval to expire, but with a small random delay of a few 10s of 163 milliseconds on LANs to avoid "storms"), transmit over the 164 corresponding interface an IIH including the "re-start" TLV with 165 the RR bit clear and the RA bit set, having updated the "Point-to- 166 Point Adjacency State" option to reflect any new values received 167 from the re-starting router. (This allows the restarting router to 168 quickly acquire the correct information to place in its hellos.) 169 The "Remaining Time" MUST be set to the current time (in seconds) 170 before the holding timer on this adjacency is due to expire. This 171 IIH SHOULD be transmitted before any LSPs or SNPs transmitted as a 172 result of the receipt of the original IIH. 174 c) if the corresponding interface is a Point-to-Point interface, or 175 if the receiving router has the highest LnRouterPriority (with 176 highest source MAC address breaking ties) among those routers 177 whose IIHs contain the restart TLV, excluding the transmitting 178 router (note the actual DIS is NOT changed by this process.), 179 initiate the transmission over the corresponding interface of a 180 complete set of CSNPs, and set SRMflags on the corresponding 181 interface for all LSPs in the local LSP database. 183 Otherwise (i.e. if there was no adjacency in the "UP" state to the 184 system ID in question), process the IIH as normal by re-initializing 185 the adjacency, and setting the RA bit in the returned IIH. 187 A router that does not support the re-start capability will ignore 188 the "re-start" TLV and re-initialize the adjacency as normal, 189 returning an IIH without the "re-start" TLV. 191 On starting, a router initializes the timer T3, starts timer T2 for 192 each LSPDB and for each interface (and in the case of a LAN circuit, 193 for each level) starts a timer T1 and transmits an IIH containing 194 the "re-start" TLV with the RR bit set. 196 On a Point-to-Point circuit the "Point-to-Point Adjacency State" 197 SHOULD be set to "Init", because the receipt of the acknowledging 198 IIH (with RA set) MUST cause the adjacency to enter "Up" state 199 immediately. 201 On a LAN circuit the LAN-ID assigned to the circuit SHOULD be the 202 same as that used prior to the re-start. In particular, for any 203 circuits for which the re-starting router was previously DIS, the 204 use of a different LAN-ID would necessitate the generation of a new 205 set of pseudonode LSPs, and corresponding changes in all the LSPs 206 referencing them from other routers on the LAN. By preserving the 207 LAN-ID across the restart, this churn can be prevented. 209 Transmission of "normal" IIHs is inhibited until the conditions 210 described below are met (in order to avoid causing an unnecessary 211 adjacency re-initialization). On expiry of the timer T1, it is 212 restarted and the IIH is re-transmitted as above. 214 On receipt of an IIH by the restarting router, a local adjacency is 215 established as usual, and if the IIH contains a "re-start" TLV with 216 the RA bit set, the receipt of the acknowledgement over that 217 interface is noted. 219 T3 is set to the minimum of its current value and the value of the 220 "Remaining Time" field in the received IIH. 222 Receipt of an IIH not containing the "re-start" option is also 223 treated as an acknowledgement, since it indicates that the neighbor 224 is not re-start capable. In this case the neighbor will have re- 225 initialized the adjacency as normal, which in the case of a Point- 226 to-Point link will guarantee that SRMflags have been set on its 227 database, thus ensuring eventual LSPDB synchronization. In the case 228 of a LAN interface, the usual operation of the update process will 229 also ensure that synchronization is eventually achieved. However, 230 since no CSNP is guaranteed to be received over this interface, T1 231 is cancelled immediately without waiting for a CSNP. Synchronization 232 may therefore be deemed complete even though there are some LSPs 233 which are held (only) by this neighbor (see section 4.3). 235 In the case of a Point-to-Point circuit, the "LocalCircuitID" and 236 "Extended Local Circuit ID" information contained in the IIH can be 237 used immediately to generate an IIH containing the correct 3-way 238 handshake information. The presence of "Neighbor System ID" or 239 "Neighbor Extended Local Circuit ID" information which does not 240 match the values currently in use by the local system is ignored 241 (since the IIH may have been transmitted before the neighbor had 242 received the new values from the re-starting router), but the 243 adjacency remains in the initializing state until the correct 244 information is received. 246 In the case of a LAN circuit the information in the Intermediate 247 Systems Neighbors option is recorded and used for the generation of 248 subsequent IIHs as normal. 250 When BOTH a complete set of CSNP(s) (for each active level, in the 251 case of a pt-pt circuit) and an acknowledgement have been received 252 over the interface, the timer T1 is cancelled. 254 Once T3 has expired or been cancelled, subsequent IIHs are 255 transmitted according to the normal algorithms, but including the 256 "re-start" TLV with both RR and RA clear. 258 If a LAN contains a mixture of systems, only some of which support 259 the new algorithm, database synchronization is still guaranteed, but 260 the "old" systems will have re-initialized their adjacencies. 262 If an interface is active, but does not have any neighboring router 263 reachable over that interface the timer T1 would never be cancelled, 264 and according to clause 4.3.1.2 the SPF would never be run. 265 Therefore timer T1 is cancelled after some pre-determined number of 266 expirations (which MAY be 1). (By this time any existing adjacency 267 on a remote system would probably have expired anyway.) 269 A router which supports re-start SHOULD ensure that the holding time 270 of any IIHs it transmits is greater than the expected time to 271 complete a re-start. However, where this is impracticable or 272 undesirable a router MAY transmit one or more normal IIHs 273 (containing a restart option, but with RR and RA clear) after the 274 initial RR/RA exchange, but before synchronization has been 275 achieved, in order to extend the holding time of the neighbors 276 adjacencies, beyond that indicated in the remaining time field of 277 the neighbors IIH with the RA bit set. 279 4.2.1 Multiple levels 281 A router which is operating as both a level 1 and a level 2 router 282 on a particular interface MUST perform the above operations for each 283 level. 285 On a LAN interface, it MUST send and receive both Level 1 and 286 Level 2 IIHs and perform the CSNP synchronizations independently for 287 each level. 289 On a pt-pt interface, only a single IIH (indicating support for both 290 levels) is required, but it MUST perform the CSNP synchronizations 291 independently for each level. 293 4.3 Database synchronization 295 When a router is started or re-started it can expect to receive a 296 (set of) CSNP(s) over each interface. The arrival of the CSNP(s) is 297 now guaranteed, since the "re-start" IIH with the RR bit set will be 298 retransmitted until the CSNP(s) are correctly received. 300 The CSNPs describe the set of LSPs that are currently held by each 301 neighbor. Synchronization will be complete when all these LSPs have 302 been received. 304 On starting, a router starts the timer T3 and an instance of timer 305 T2 for each LSPDB. In addition to normal processing of the CSNPs, 306 the set of LSPIDs contained in the first complete set of CSNP(s) 307 received over each interface is recorded, together with their 308 remaining lifetime. If there are multiple interfaces on the 309 restarting router, the recorded set of LSPIDs is the union of those 310 received over each interface. LSPs with a remaining lifetime of zero 311 are NOT so recorded. 313 As LSPs are received (by the normal operation of the update process) 314 over any interface, the corresponding LSPID entry is removed (it is 315 also removed if the LSP had arrived before the CSNP containing the 316 reference). When an LSPID has been held in the list for its 317 indicated remaining lifetime, it is removed from the list. When the 318 list of LSPIDs becomes empty, the timer T2 is cancelled. 320 At this point the local database is guaranteed to contain all the 321 LSP(s) (either the same sequence number, or a more recent sequence 322 number) which were present in the neighbors' databases at the time 323 of re-starting. LSPs that arrived in a neighbor's database after the 324 time of re-starting may, or may not, be present, but the normal 325 operation of the update process will guarantee that they will 326 eventually be received. At this point the local database is deemed 327 to be "synchronized". 329 Since LSPs mentioned in the CSNP(s) with a zero remaining lifetime 330 are not recorded, and those with a short remaining lifetime are 331 deleted from the list when the lifetime expires, cancellation of the 332 timer T2 will not be prevented by waiting for an LSP that will never 333 arrive. 335 4.3.1 LSP generation and flooding and SPF computation 337 The operation of a router starting, as opposed to re-starting is 338 somewhat different. These two cases are dealt with separately below. 340 4.3.1.1. Starting for the first time 342 In the case of a starting router, as soon as each adjacency is 343 established, and before any CSNP exchanges, the router's own zeroth 344 LSP is transmitted with the overload bit set. This prevents other 345 routers from computing routes through the router until it has 346 reliably acquired the complete set of LSPs. The overload bit remains 347 set in subsequent transmissions of the zeroth LSP (such as will 348 occur if a previous copy of the routers LSP is still present in the 349 network) while any timer T2 is running. 351 When all the T2 timers have been cancelled, the own LSP(s) MAY be 352 regenerated with the overload bit clear (assuming the router isn't 353 in fact overloaded, and there is no other reason, such as incomplete 354 BGP convergence, to keep the overload bit set), and flooded as 355 normal. 357 Other 'own' LSPs (including pseudonodes) are generated and flooded 358 as normal, irrespective of the timer T2. The SPF is also run as 359 normal and the RIB and FIB updated as routes become available. 361 4.3.1.2. Re-starting 363 In order to avoid causing unnecessary routing churn in other 364 routers, it is highly desirable that the own LSPs generated by the 365 restarting system are the same as those previously present in the 366 network (assuming no other changes have taken place). It is 367 important therefore not to regenerate and flood the LSPs until all 368 the adjacencies have been re-established and any information 369 required for propagation into the local LSPs is fully available. 370 Ideally, the information should be loaded into the LSPs in a 371 deterministic way, such that the same information occurs in the same 372 place in the same LSP (and hence the LSPs are identical to their 373 previous versions). If this can be achieved, the new versions will 374 not even cause SPF to be run in other systems. However, provided the 375 same information is included in the set of LSPs (albeit in a 376 different order, and possibly different LSPs), the result of running 377 the SPF will be the same and will not cause churn to the forwarding 378 tables. 380 In the case of a re-starting router, none of the router's own non- 381 pseudonode LSPs are transmitted, nor are the router's own forwarding 382 tables updated while the timer T3 is running. 384 Redistribution of inter-level information must be regenerated before 385 this router's LSP is flooded to other nodes. Therefore the level-n 386 non-pseudonode LSP(s) should not be flooded until the other level's 387 T2 timer has expired and its SPF has been run. This ensures that any 388 inter-level information that should be propagated can be included in 389 the level-n LSP(s). 391 During this period, if one of the router's own (including 392 pseudonodes) LSPs is received, which the local router does not 393 currently have in its own database, it is NOT purged. Under normal 394 operation, such an LSP would be purged, since the LSP clearly should 395 not be present in the global LSP database. However, in the present 396 circumstances, this would be highly undesirable, because it could 397 cause premature removal of an own LSP -- and hence churn in remote 398 routers. Even if the local system has one or more own LSPs (which it 399 has generated, but not yet transmitted) it is still not valid to 400 compare the received LSP against this set, since it may be that as a 401 result of propagation between level 1 and level 2 (or vice versa) a 402 further own LSP will need to be generated when the LSP databases 403 have synchronized. 405 When the timer T2 expires, or is cancelled indicating that 406 synchronization for that level is complete, the SPF for that level 407 is run in order to derive any information which is required to be 408 propagated to another level, but the forwarding tables are not yet 409 updated. 411 Once the other level's SPF has run and any inter-level propagation 412 has been resolved, the 'own' LSPs can be generated and flooded. Any 413 'own' LSPs which were previously ignored, but which are not part of 414 the current set of 'own' LSPs (including pseudonodes) should then be 415 purged. Note that it is possible that a Designated Router change may 416 have taken place, and consequently the router should purge those 417 pseudonode LSPs which it previously owned, but which are now no 418 longer part of its set of pseudonode LSPs. 420 When all the T2 timers have expired or been cancelled, the timer T3 421 is cancelled and the local forwarding tables are updated. 423 If the timer T3 expires before all the T2 timers have expired, this 424 indicates that the synchronization process is taking longer than 425 minimum holding time of the neighbors. The router's own LSP(s) for 426 levels which have not yet completed their first SPF computation are 427 then flooded with the overload bit set to indicate that the router's 428 LSPDB is not yet synchronized (and other routers should therefore 429 not compute routes through this router). In order to prevent the 430 neighbor's adjacencies from expiring, IIHs with the normal interface 431 value for the holding time are transmitted over all interfaces with 432 neither RR nor RA set in the restart TLV. This will cause the 433 neighbors to refresh their adjacencies. The own LSP(s) will continue 434 to have the overload bit set until timer T2 has been cancelled as in 435 the case of starting for the first time described in section 4.3.1.1 437 5. Security Considerations 439 This memo does not create any new security issues for the IS-IS 440 protocol. Security considerations for the base IS-IS protocol are 441 covered in [2] and [3]. 443 6. References 445 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP 446 9, RFC 2026, October 1996. 448 2 Callon, R., "OSI IS-IS for IP and Dual Environment," RFC 1195, 449 December 1990. 451 3 ISO, "Intermediate system to Intermediate system routeing 452 information exchange protocol for use in conjunction with the 453 Protocol for providing the Connectionless-mode Network Service 454 (ISO 8473)," ISO/IEC 10589:1992. 456 4 Bradner, S., "Key words for use in RFCs to Indicate Requirement 457 Levels", BCP 14, RFC 2119, March 1997 459 5 Katz, D., "Three-Way Handshake for IS-IS Point-to-Point 460 Adjacencies", draft-ietf-isis-3way-03.txt, July 2000 462 7. Acknowledgments 464 The author would like to acknowledge contributions made by Radia 465 Perlman, Mark Schaefer, Naiming Shen, Nischal Sheth, Russ White, and 466 Rena Yang. 468 8. Author's Address 470 Mike Shand 471 Cisco Systems 472 4, The Square, 473 Stockley Park, 474 UXBRIDGE, 475 Middlesex 476 UB11 1BN, UK 478 Phone: +44 208 824 8690 479 Email: mshand@cisco.com