idnits 2.17.1 draft-ietf-lsr-isis-rfc5306bis-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 19, 2019) is 1680 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO10589' Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IS-IS for IP Internets L. Ginsberg 3 Internet-Draft P. Wells 4 Obsoletes: 5306 (if approved) Cisco Systems, Inc. 5 Intended status: Standards Track September 19, 2019 6 Expires: March 22, 2020 8 Restart Signaling for IS-IS 9 draft-ietf-lsr-isis-rfc5306bis-09 11 Abstract 13 This document describes a mechanism for a restarting router to signal 14 to its neighbors that it is restarting, allowing them to reestablish 15 their adjacencies without cycling through the down state, while still 16 correctly initiating database synchronization. 18 This document additionally describes a mechanism for a router to 19 signal its neighbors that it is preparing to initiate a restart while 20 maintaining forwarding plane state. This allows the neighbors to 21 maintain their adjacencies until the router has restarted, but also 22 allows the neighbors to bring the adjacencies down in the event of 23 other topology changes. 25 This document additionally describes a mechanism for a restarting 26 router to determine when it has achieved Link State Protocol Data 27 Unit (LSP) database synchronization with its neighbors and a 28 mechanism to optimize LSP database synchronization, while minimizing 29 transient routing disruption when a router starts. 31 This document obsoletes RFC 5306. 33 Requirements Language 35 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 36 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 37 "OPTIONAL" in this document are to be interpreted as described in BCP 38 14 [RFC2119] [RFC8174] when, and only when, they appear in all 39 capitals, as shown here. 41 Status of This Memo 43 This Internet-Draft is submitted in full conformance with the 44 provisions of BCP 78 and BCP 79. 46 Internet-Drafts are working documents of the Internet Engineering 47 Task Force (IETF). Note that other groups may also distribute 48 working documents as Internet-Drafts. The list of current Internet- 49 Drafts is at https://datatracker.ietf.org/drafts/current/. 51 Internet-Drafts are draft documents valid for a maximum of six months 52 and may be updated, replaced, or obsoleted by other documents at any 53 time. It is inappropriate to use Internet-Drafts as reference 54 material or to cite them other than as "work in progress." 56 This Internet-Draft will expire on March 22, 2020. 58 Copyright Notice 60 Copyright (c) 2019 IETF Trust and the persons identified as the 61 document authors. All rights reserved. 63 This document is subject to BCP 78 and the IETF Trust's Legal 64 Provisions Relating to IETF Documents 65 (https://trustee.ietf.org/license-info) in effect on the date of 66 publication of this document. Please review these documents 67 carefully, as they describe your rights and restrictions with respect 68 to this document. Code Components extracted from this document must 69 include Simplified BSD License text as described in Section 4.e of 70 the Trust Legal Provisions and are provided without warranty as 71 described in the Simplified BSD License. 73 Table of Contents 75 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 76 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 77 3. Approach . . . . . . . . . . . . . . . . . . . . . . . . . . 4 78 3.1. Timers . . . . . . . . . . . . . . . . . . . . . . . . . 4 79 3.2. Restart TLV . . . . . . . . . . . . . . . . . . . . . . . 5 80 3.2.1. Use of RR and RA Bits . . . . . . . . . . . . . . . . 7 81 3.2.2. Use of the SA Bit . . . . . . . . . . . . . . . . . . 8 82 3.2.3. Use of PR and PA Bits . . . . . . . . . . . . . . . . 9 83 3.3. Adjacency (Re)Acquisition . . . . . . . . . . . . . . . . 11 84 3.3.1. Adjacency Reacquisition during Restart . . . . . . . 11 85 3.3.2. Adjacency Acquisition during Start . . . . . . . . . 13 86 3.3.3. Multiple Levels . . . . . . . . . . . . . . . . . . . 15 87 3.4. Database Synchronization . . . . . . . . . . . . . . . . 15 88 3.4.1. LSP Generation and Flooding and SPF Computation . . . 16 89 4. State Tables . . . . . . . . . . . . . . . . . . . . . . . . 19 90 4.1. Running Router . . . . . . . . . . . . . . . . . . . . . 19 91 4.2. Restarting Router . . . . . . . . . . . . . . . . . . . . 20 92 4.3. Starting Router . . . . . . . . . . . . . . . . . . . . . 22 93 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 94 6. Security Considerations . . . . . . . . . . . . . . . . . . . 23 95 7. Manageability Considerations . . . . . . . . . . . . . . . . 24 96 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24 97 9. Normative References . . . . . . . . . . . . . . . . . . . . 24 98 Appendix A. Summary of Changes from RFC 5306 . . . . . . . . . . 25 99 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 101 1. Overview 103 The Intermediate System to Intermediate System (IS-IS) routing 104 protocol [RFC1195] [ISO10589] is a link state intra-domain routing 105 protocol. Normally, when an IS-IS router is restarted, temporary 106 disruption of routing occurs due to events in both the restarting 107 router and the neighbors of the restarting router. 109 The router that has been restarted computes its own routes before 110 achieving database synchronization with its neighbors. The results 111 of this computation are likely to be non-convergent with the routes 112 computed by other routers in the area/domain. 114 Neighbors of the restarting router detect the restart event and cycle 115 their adjacencies with the restarting router through the down state. 116 The cycling of the adjacency state causes the neighbors to regenerate 117 their LSPs describing the adjacency concerned. This in turn causes a 118 temporary disruption of routes passing through the restarting router. 120 In certain scenarios, the temporary disruption of the routes is 121 highly undesirable. This document describes mechanisms to avoid or 122 minimize the disruption due to both of these causes. 124 When an adjacency is reinitialized as a result of a neighbor 125 restarting, a router does three things: 127 1. It causes its own LSP(s) to be regenerated, thus triggering SPF 128 runs throughout the area (or in the case of Level 2, throughout 129 the domain). 131 2. It sets SRMflags on its own LSP database on the adjacency 132 concerned. 134 3. In the case of a Point-to-Point link, it transmits a complete set 135 of Complete Sequence Number PDUs (CSNPs), over the adjacency. 137 In the case of a restarting router process, the first of these is 138 highly undesirable, but the second is essential in order to ensure 139 synchronization of the LSP database. 141 The third action above minimizes the number of LSPs that must be 142 exchanged and, if made reliable, provides a means of determining when 143 the LSP databases of the neighboring routers have been synchronized. 145 This is desirable whether or not the router is being restarted (so 146 that the overload bit can be cleared in the router's own LSP, for 147 example). 149 This document describes a mechanism for a restarting router to signal 150 to its neighbors that it is restarting. The mechanism further allows 151 the neighbors to reestablish their adjacencies with the restarting 152 router without cycling through the down state, while still correctly 153 initiating database synchronization. 155 This document additionally describes a mechanism for a restarting 156 router to determine when it has achieved LSP database synchronization 157 with its neighbors and a mechanism to optimize LSP database 158 synchronization and minimize transient routing disruption when a 159 router starts. 161 It is assumed that the three-way handshake [RFC5303] is being used on 162 Point-to-Point circuits. 164 2. Conventions Used in This Document 166 If the control and forwarding functions in a router can be maintained 167 independently, it is possible for the forwarding function state to be 168 maintained across a resumption of control function operations. This 169 functionality is assumed when the terms "restart/restarting" are used 170 in this document. 172 The terms "start/starting" are used to refer to a router in which the 173 control function has either commenced operations for the first time 174 or has resumed operations, but the forwarding functions have not been 175 maintained in a prior state. 177 The terms "(re)start/(re)starting" are used when the text is 178 applicable to both a "starting" and a "restarting" router. 180 The terms "normal IIH" or "IIH normal" refer to IS-IS Hellos (IIHs) 181 in which the Restart TLV (defined later in this document) has no 182 flags set. 184 3. Approach 186 3.1. Timers 188 Three additional timers, T1, T2, and T3, are required to support the 189 mechanisms defined in this document. Timers T1 and T2 are used both 190 by a restarting router and a starting router. Timer T3 is used only 191 by a restarting router. 193 NOTE: These timers are NOT applicable to a router which is preparing 194 to do a planned restart. 196 An instance of the timer T1 is maintained per interface, and 197 indicates the time after which an unacknowledged (re)start attempt 198 will be repeated. A typical value is 3 seconds. 200 An instance of the timer T2 is maintained for each LSP database 201 (LSPDB) present in the system. For example, for a Level 1/2 system, 202 there will be an instance of the timer T2 for Level 1 and an instance 203 for Level 2. This is the maximum time that the system will wait for 204 LSPDB synchronization. A typical value is 60 seconds. 206 A single instance of the timer T3 is maintained for the entire 207 system. It indicates the time after which the router will declare 208 that it has failed to achieve database synchronization (by setting 209 the overload bit in its own LSP). This is initialized to 65535 210 seconds, but is set to the minimum of the remaining times of received 211 IIHs containing a restart TLV with the Restart Acknowledgement (RA) 212 set and an indication that the neighbor has an adjacency in the "UP" 213 state to the restarting router. (See Section 3.2.1a.) 215 3.2. Restart TLV 217 A new TLV is defined to be included in IIH PDUs. The TLV includes 218 flags that are used to convey information during a (re)start. The 219 absence of this TLV indicates that the sender supports none of the 220 functionality defined in this document. Therefore, if a router 221 supports any of the functionality defined in this document it MUST 222 include this TLV in all transmitted IIHs. 224 Type 211 226 Length: Number of octets in the Value field (1 to (3 + ID Length)) 228 Value 230 No. of octets 231 +-----------------------+ 232 | Flags | 1 233 +-----------------------+ 234 | Remaining Time | 2 235 +-----------------------+ 236 | Restarting Neighbor ID| ID Length 237 +-----------------------+ 239 Flags (1 octet) 240 0 1 2 3 4 5 6 7 241 +--+--+--+--+--+--+--+--+ 242 |Reserved|PA|PR|SA|RA|RR| 243 +--+--+--+--+--+--+--+--+ 245 RR - Restart Request 246 RA - Restart Acknowledgement 247 SA - Suppress adjacency advertisement 248 PR - Restart is planned 249 PA - Planned restart acknowledgement 251 Remaining Time (2 octets) 253 Remaining holding time (in seconds). 255 Required when the RA, PR, or PA bit is set. Otherwise 256 this field SHOULD be omitted when sent and 257 MUST be ignored when received. 259 Restarting Neighbor System ID (ID Length octets) 261 The System ID of the neighbor to which an RA/PA refers. 263 Required when the RA or PA bit is set. Otherwise 264 this field SHOULD be omitted when sent and 265 MUST be ignored when received. 267 Note: Very early draft versions of the restart functionality 268 did not include the Restarting Neighbor System ID in the TLV. 269 RFC 5306 allowed for the possibility of interoperating with 270 legacy implementations by stating that a router that 271 is expecting an RA on a LAN circuit should assume that the 272 acknowledgement is directed at the local system if the TLV 273 is received with RA set and Restarting Neighbor System ID 274 is not present. It is an implementation choice whether to 275 continue to accept (on a LAN) a TLV with RA set and 276 Restarting Neighbor System ID absent. Note that the omission 277 of the Restarting Neighbor System ID only introduces ambiguity 278 in the case where there are multiple systems on a LAN 279 simultaneously performing restart. 281 The RR and SA flags may both be set in the TLV under the conditions 282 described in Section 3.3.2. All other combinations where multiple 283 flags are set are invalid and MUST NOT be transmitted. Received TLVs 284 which have invalid flag combinations set MUST be ignored. 286 3.2.1. Use of RR and RA Bits 288 The RR bit is used by a (re)starting router to signal to its 289 neighbors that a (re)start is in progress, that an existing adjacency 290 SHOULD be maintained even under circumstances when the normal 291 operation of the adjacency state machine would require the adjacency 292 to be reinitialized, to request a set of CSNPs, and to request 293 setting of the SRMflags. 295 The RA bit is sent by the neighbor of a (re)starting router to 296 acknowledge the receipt of a restart TLV with the RR bit set. 298 When the neighbor of a (re)starting router receives an IIH with the 299 restart TLV having the RR bit set, if there exists on this interface 300 an adjacency in state "UP" with the same System ID, and in the case 301 of a LAN circuit, with the same source LAN address, then, 302 irrespective of the other contents of the "Intermediate System 303 Neighbors" option (LAN circuits) or the "Point-to-Point Three-Way 304 Adjacency" option (Point-to-Point circuits): 306 a. the state of the adjacency is not changed. If this is the first 307 IIH with the RR bit set that this system has received associated 308 with this adjacency, then the adjacency is marked as being in 309 "Restart mode" and the adjacency holding time is refreshed -- 310 otherwise, the holding time is not refreshed. The "remaining 311 time" transmitted according to (b) below MUST reflect the actual 312 time after which the adjacency will now expire. Receipt of an 313 IIH with the RR bit reset will clear the "Restart mode" state. 314 This procedure allows the restarting router to cause the neighbor 315 to maintain the adjacency long enough for restart to successfully 316 complete, while also preventing repetitive restarts from 317 maintaining an adjacency indefinitely. Whether or not an 318 adjacency is marked as being in "Restart mode" has no effect on 319 adjacency state transitions. 321 b. immediately (i.e., without waiting for any currently running 322 timer interval to expire, but with a small random delay of a few 323 tens of milliseconds on LANs to avoid "storms") transmit over the 324 corresponding interface an IIH including the restart TLV with the 325 RR bit clear and the RA bit set, in the case of Point-to-Point 326 adjacencies having updated the "Point-to-Point Three-Way 327 Adjacency" option to reflect any new values received from the 328 (re)starting router. (This allows a restarting router to quickly 329 acquire the correct information to place in its hellos.) The 330 "Remaining Time" MUST be set to the current time (in seconds) 331 before the holding timer on this adjacency is due to expire. If 332 the corresponding interface is a LAN interface, then the 333 Restarting Neighbor System ID SHOULD be set to the System ID of 334 the router from which the IIH with the RR bit set was received. 335 This is required to correctly associate the acknowledgement and 336 holding time in the case where multiple systems on a LAN restart 337 at approximately the same time. This IIH SHOULD be transmitted 338 before any LSPs or SNPs are transmitted as a result of the 339 receipt of the original IIH. 341 c. if the corresponding interface is a Point-to-Point interface, or 342 if the receiving router has the highest LnRouterPriority (with 343 the highest source MAC (Media Access Control) address breaking 344 ties) among those routers to which the receiving router has an 345 adjacency in state "UP" on this interface whose IIHs contain the 346 restart TLV, excluding adjacencies to all routers which are 347 considered in "Restart mode" (note the actual DIS is NOT changed 348 by this process), initiate the transmission over the 349 corresponding interface of a complete set of CSNPs, and set 350 SRMflags on the corresponding interface for all LSPs in the local 351 LSP database. 353 Otherwise (i.e., if there was no adjacency in the "UP" state to the 354 System ID in question), process the IIH as normal by reinitializing 355 the adjacency and setting the RA bit in the returned IIH. 357 3.2.2. Use of the SA Bit 359 The SA bit is used by a starting router to request that its neighbor 360 suppress advertisement of the adjacency to the starting router in the 361 neighbor's LSPs. 363 A router that is starting has no maintained forwarding function 364 state. This may or may not be the first time the router has started. 365 If this is not the first time the router has started, copies of LSPs 366 generated by this router in its previous incarnation may exist in the 367 LSP databases of other routers in the network. These copies are 368 likely to appear "newer" than LSPs initially generated by the 369 starting router due to the reinitialization of LSP fragment sequence 370 numbers by the starting router. This may cause temporary blackholes 371 to occur until the normal operation of the update process causes the 372 starting router to regenerate and flood copies of its own LSPs with 373 higher sequence numbers. The temporary blackholes can be avoided if 374 the starting router's neighbors suppress advertising an adjacency to 375 the starting router until the starting router has been able to 376 propagate newer versions of LSPs generated by previous incarnations. 378 When a router receives an IIH with the restart TLV having the SA bit 379 set, if there exists on this interface an adjacency in state "UP" 380 with the same System ID, and in the case of a LAN circuit, with the 381 same source LAN address, then the router MUST suppress advertisement 382 of the adjacency to the neighbor in its own LSPs. Until an IIH with 383 the SA bit clear has been received, the neighbor advertisement MUST 384 continue to be suppressed. If the adjacency transitions to the "UP" 385 state, the new adjacency MUST NOT be advertised until an IIH with the 386 SA bit clear has been received. 388 Note that a router that suppresses advertisement of an adjacency MUST 389 NOT use this adjacency when performing its SPF calculation. In 390 particular, if an implementation follows the example guidelines 391 presented in [ISO10589], Annex C.2.5, Step 0:b) "pre-load TENT with 392 the local adjacency database", the suppressed adjacency MUST NOT be 393 loaded into TENT. 395 3.2.3. Use of PR and PA Bits 397 The PR bit is used by a router which is planning to initiate a 398 restart to signal to its neighbors that it will be restarting. The 399 router sending an IIH with PR bit set SHOULD set the "remaining time" 400 to a value greater than the expected control plane restart time. The 401 PR bit SHOULD remain set in IIHs until the restart is initiated. 403 The PA bit is sent by the neighbor of a router planning to restart to 404 acknowledge receipt of a restart TLV with the PR bit set. 406 When the neighbor of a router planning a restart receives an IIH with 407 the restart TLV having the PR bit set, if there exists on this 408 interface an adjacency in state "UP" with the same System ID, and in 409 the case of a LAN circuit, with the same source LAN address, then: 411 a. if this is the first IIH with the PR bit set that this system has 412 received associated with this adjacency, then the adjacency is 413 marked as being in "Planned Restart state" and the adjacency 414 holding time is refreshed -- otherwise, the holding time is not 415 refreshed. The holding time SHOULD be set to the "remaining 416 time" specified in the received IIH with PR set. The "remaining 417 time" transmitted according to (b) below MUST reflect the actual 418 time after which the adjacency will now expire. Receipt of an 419 IIH with the PR bit reset will clear the "Planned Restart state" 420 and cause the receiving router to set the adjacency hold time to 421 the locally configured value. This procedure allows the router 422 planning a restart to cause the neighbor to maintain the 423 adjacency long enough for restart to successfully complete. 424 Whether or not an adjacency is marked as being in "Planned 425 Restart state" has no effect on adjacency state transitions. 427 b. immediately (i.e., without waiting for any currently running 428 timer interval to expire, but with a small random delay of a few 429 tens of milliseconds on LANs to avoid "storms") transmit over the 430 corresponding interface an IIH including the restart TLV with the 431 PR bit clear and the PA bit set. The "Remaining Time" MUST be 432 set to the current time (in seconds) before the holding timer on 433 this adjacency is due to expire. If the corresponding interface 434 is a LAN interface, then the Restarting Neighbor System ID SHOULD 435 be set to the System ID of the router from which the IIH with the 436 PR bit set was received. This is required to correctly associate 437 the acknowledgement and holding time in the case where multiple 438 systems on a LAN are planning a restart at approximately the same 439 time. 441 NOTE: Receipt of an IIH with PA bit set indicates to the router 442 planning a restart that the neighbor is aware of the planned restart 443 and - in the absence of topology changes as described below - will 444 maintain the adjacency for the "remaining time" included in the IIH 445 with PA set. 447 By definition, a restarting router maintains forwarding state across 448 the control plane restart (see Section 2). But while a control plane 449 restart is in progress it is expected that the restarting router will 450 be unable to respond to topology changes. It is therefore useful to 451 signal a planned restart so that the neighbors of the restarting 452 router can determine whether it is safe to maintain the adjacency if 453 other topology changes occur prior to the completion of the restart. 454 Signalling a planned restart in the absence of maintained forwarding 455 plane state is likely to lead to significant traffic loss and MUST 456 NOT be done. 458 Neighbors of the router which has signaled planned restart SHOULD 459 maintain the adjacency in a planned restart state until it receives 460 an IIH with the RR bit set, receives an IIH with both PR and RR bits 461 clear, or the adjacency holding time expires - whichever occurs 462 first. Neighbors which choose not to follow the recommended behavior 463 need to consider the impact on traffic delivery of not using the 464 restarting router for forwarding traffic during the restart period. 466 While the adjacency is in planned restart state some or all of the 467 following actions MAY be taken: 469 a. if additional topology changes occur, the adjacency which is in 470 planned restart state MAY be brought down even though the hold 471 time has not yet expired. Given that the neighbor which has 472 signaled a planned restart is not expected to update its 473 forwarding plane in response to signalling of the topology 474 changes (since it is restarting) traffic which transits that node 475 is at risk of being improperly forwarded. On a LAN circuit, if 476 the router in planned restart state is the DIS at any supported 477 level, the adjacency(ies) SHOULD be brought down whenever any LSP 478 update is either generated or received, so as to trigger a new 479 DIS election. Failure to do so will compromise the reliability 480 of the Update Process on that circuit. What other criteria are 481 used to determine what topology changes will trigger bringing the 482 adjacency down is a local implementation decision. 484 b. if a BFD [RFC5880] session to the neighbor which signals a 485 planned restart is in the UP state and subsequently goes DOWN, 486 the event MAY be ignored since it is possible this is an expected 487 side effect of the restart. Use of the Control Plane Independent 488 state as signalled in BFD control packets SHOULD be considered in 489 the decision to ignore a BFD Session DOWN event. 491 c. on a Point-to-Point circuit, transmission of LSPs, CSNPs, and 492 PSNPs MAY be suppressed. It is expected that the PDUs will not 493 be received. 495 Use of the PR bit provides a means to safely support restart periods 496 which are significantly longer than standard holdtimes. 498 3.3. Adjacency (Re)Acquisition 500 Adjacency (re)acquisition is the first step in (re)initialization. 501 Restarting and starting routers will make use of the RR bit in the 502 restart TLV, though each will use it at different stages of the 503 (re)start procedure. 505 3.3.1. Adjacency Reacquisition during Restart 507 The restarting router explicitly notifies its neighbor that the 508 adjacency is being reacquired, and hence that it SHOULD NOT 509 reinitialize the adjacency. This is achieved by setting the RR bit 510 in the restart TLV. When the neighbor of a restarting router 511 receives an IIH with the restart TLV having the RR bit set, if there 512 exists on this interface an adjacency in state "UP" with the same 513 System ID, and in the case of a LAN circuit, with the same source LAN 514 address, then the procedures described in Section 3.2.1 are followed. 516 A router that does not support the restart capability will ignore the 517 restart TLV and reinitialize the adjacency as normal, returning an 518 IIH without the restart TLV. 520 On restarting, a router initializes the timer T3, starts the timer T2 521 for each LSPDB, and for each interface (and in the case of a LAN 522 circuit, for each level) starts the timer T1 and transmits an IIH 523 containing the restart TLV with the RR bit set. 525 On a Point-to-Point circuit, the restarting router SHOULD set the 526 "Adjacency Three-Way State" to "Init", because the receipt of the 527 acknowledging IIH (with RA set) MUST cause the adjacency to enter the 528 "UP" state immediately. 530 On a LAN circuit, the LAN-ID assigned to the circuit SHOULD be the 531 same as that used prior to the restart. In particular, for any 532 circuits for which the restarting router was previously DIS, the use 533 of a different LAN-ID would necessitate the generation of a new set 534 of pseudonode LSPs, and corresponding changes in all the LSPs 535 referencing them from other routers on the LAN. By preserving the 536 LAN-ID across the restart, this churn can be prevented. To enable a 537 restarting router to learn the LAN-ID used prior to restart, the LAN- 538 ID specified in an IIH with RR set MUST be ignored. 540 Transmission of "normal IIHs" is inhibited until the conditions 541 described below are met (in order to avoid causing an unnecessary 542 adjacency initialization). Upon expiry of the timer T1, it is 543 restarted and the IIH is retransmitted as above. 545 When a restarting router receives an IIH a local adjacency is 546 established as usual, and if the IIH contains a restart TLV with the 547 RA bit set (and on LAN circuits with a Restart Neighbor System ID 548 that matches that of the local system), the receipt of the 549 acknowledgement over that interface is noted. When the RA bit is set 550 and the state of the remote adjacency is "UP", then the timer T3 is 551 set to the minimum of its current value and the value of the 552 "Remaining Time" field in the received IIH. 554 On a Point-to-Point link, receipt of an IIH not containing the 555 restart TLV is also treated as an acknowledgement, since it indicates 556 that the neighbor is not restart capable. However, since no CSNP is 557 guaranteed to be received over this interface, the timer T1 is 558 cancelled immediately without waiting for a complete set of CSNPs. 559 Synchronization may therefore be deemed complete even though there 560 are some LSPs which are held (only) by this neighbor (see 561 Section 3.4). In this case, we also want to be certain that the 562 neighbor will reinitialize the adjacency in order to guarantee that 563 the SRMflags have been set on its database, thus ensuring eventual 564 LSPDB synchronization. This is guaranteed to happen except in the 565 case where the Adjacency Three-Way State in the received IIH is "UP" 566 and the Neighbor Extended Local Circuit ID matches the extended local 567 circuit ID assigned by the restarting router. In this case, the 568 restarting router MUST force the adjacency to reinitialize by setting 569 the local Adjacency Three-Way State to "DOWN" and sending a normal 570 IIH. 572 In the case of a LAN interface, receipt of an IIH not containing the 573 restart TLV is unremarkable since synchronization can still occur so 574 long as at least one of the non-restarting neighboring routers on the 575 LAN supports restart. Therefore, T1 continues to run in this case. 576 If none of the neighbors on the LAN are restart capable, T1 will 577 eventually expire after the locally defined number of retries. 579 In the case of a Point-to-Point circuit, the "LocalCircuitID" and 580 "Extended Local Circuit ID" information contained in the IIH can be 581 used immediately to generate an IIH containing the correct three-way 582 handshake information. The presence of "Neighbor Extended Local 583 Circuit ID" information that does not match the value currently in 584 use by the local system is ignored (since the IIH may have been 585 transmitted before the neighbor had received the new value from the 586 restarting router), but the adjacency remains in the initializing 587 state until the correct information is received. 589 In the case of a LAN circuit, the source neighbor information (e.g., 590 SNPAAddress) is recorded and used for adjacency establishment and 591 maintenance as normal. 593 When BOTH a complete set of CSNPs (for each active level, in the case 594 of a Point-to-Point circuit) and an acknowledgement have been 595 received over the interface, the timer T1 is cancelled. 597 Once the timer T1 has been cancelled, subsequent IIHs are transmitted 598 according to the normal algorithms, but including the restart TLV 599 with both RR and RA clear. 601 If a LAN contains a mixture of systems, only some of which support 602 the new algorithm, database synchronization is still guaranteed, but 603 the "old" systems will have reinitialized their adjacencies. 605 If an interface is active, but does not have any neighboring router 606 reachable over that interface, the timer T1 would never be cancelled, 607 and according to Section 3.4.1.1, the SPF would never be run. 608 Therefore, timer T1 is cancelled after some predetermined number of 609 expirations (which MAY be 1). 611 3.3.2. Adjacency Acquisition during Start 613 The starting router wants to ensure that in the event that a 614 neighboring router has an adjacency to the starting router in the 615 "UP" state (from a previous incarnation of the starting router), this 616 adjacency is reinitialized. The starting router also wants 617 neighboring routers to suppress advertisement of an adjacency to the 618 starting router until LSP database synchronization is achieved. This 619 is achieved by sending IIHs with the RR bit clear and the SA bit set 620 in the restart TLV. The RR bit remains clear and the SA bit remains 621 set in subsequent transmissions of IIHs until the adjacency has 622 reached the "UP" state and the initial T1 timer interval (see below) 623 has expired. 625 Receipt of an IIH with the RR bit clear will result in the 626 neighboring router utilizing normal operation of the adjacency state 627 machine. This will ensure that any old adjacency on the neighboring 628 router will be reinitialized. 630 Upon receipt of an IIH with the SA bit set, the behavior described in 631 Section 3.2.2 is followed. 633 Upon starting, a router starts timer T2 for each LSPDB. 635 For each interface (and in the case of a LAN circuit, for each 636 level), when an adjacency reaches the "UP" state, the starting router 637 starts a timer T1 and transmits an IIH containing the restart TLV 638 with the RR bit clear and SA bit set. Upon expiry of the timer T1, 639 it is restarted and the IIH is retransmitted with both RR and SA bits 640 set (only the RR bit has changed state from earlier IIHs). 642 Upon receipt of an IIH with the RR bit set (regardless of whether or 643 not the SA bit is set), the behavior described in Section 3.2.1 is 644 followed. 646 When an IIH is received by the starting router and the IIH contains a 647 restart TLV with the RA bit set (and on LAN circuits with a Restart 648 Neighbor System ID that matches that of the local system), the 649 receipt of the acknowledgement over that interface is noted. 651 On a Point-to-Point link, receipt of an IIH not containing the 652 restart TLV is also treated as an acknowledgement, since it indicates 653 that the neighbor is not restart capable. Since the neighbor will 654 have reinitialized the adjacency, this guarantees that SRMflags have 655 been set on its database, thus ensuring eventual LSPDB 656 synchronization. However, since no CSNP is guaranteed to be received 657 over this interface, the timer T1 is cancelled immediately without 658 waiting for a complete set of CSNPs. Synchronization may therefore 659 be deemed complete even though there are some LSPs that are held 660 (only) by this neighbor (see Section 3.4). 662 In the case of a LAN interface, receipt of an IIH not containing the 663 restart TLV is unremarkable since synchronization can still occur so 664 long as at least one of the non-restarting neighboring routers on the 665 LAN supports restart. Therefore, T1 continues to run in this case. 666 If none of the neighbors on the LAN are restart capable, T1 will 667 eventually expire after the locally defined number of retries. The 668 usual operation of the update process will ensure that 669 synchronization is eventually achieved. 671 When BOTH a complete set of CSNPs (for each active level, in the case 672 of a Point-to-Point circuit) and an acknowledgement have been 673 received over the interface, the timer T1 is cancelled. Subsequent 674 IIHs sent by the starting router have the RR and RA bits clear and 675 the SA bit set in the restart TLV. 677 Timer T1 is cancelled after some predetermined number of expirations 678 (which MAY be 1). 680 When the T2 timer(s) are cancelled or expire, transmission of "normal 681 IIHs" will begin. 683 3.3.3. Multiple Levels 685 A router that is operating as both a Level 1 and a Level 2 router on 686 a particular interface MUST perform the above operations for each 687 level. 689 On a LAN interface, it MUST send and receive both Level 1 and Level 2 690 IIHs and perform the CSNP synchronizations independently for each 691 level. 693 On a Point-to-Point interface, only a single IIH (indicating support 694 for both levels) is required, but it MUST perform the CSNP 695 synchronizations independently for each level. 697 3.4. Database Synchronization 699 When a router is started or restarted, it can expect to receive a 700 complete set of CSNPs over each interface. The arrival of the 701 CSNP(s) is now guaranteed, since an IIH with the RR bit set will be 702 retransmitted until the CSNP(s) are correctly received. 704 The CSNPs describe the set of LSPs that are currently held by each 705 neighbor. Synchronization will be complete when all these LSPs have 706 been received. 708 When (re)starting, a router starts an instance of timer T2 for each 709 LSPDB as described in Section 3.3.1 or Section 3.3.2. In addition to 710 normal processing of the CSNPs, the set of LSPIDs contained in the 711 first complete set of CSNPs received over each interface is recorded, 712 together with their remaining lifetime. In the case of a LAN 713 interface, a complete set of CSNPs MUST consist of CSNPs received 714 from neighbors that are not restarting. If there are multiple 715 interfaces on the (re)starting router, the recorded set of LSPIDs is 716 the union of those received over each interface. LSPs with a 717 remaining lifetime of zero are NOT so recorded. 719 As LSPs are received (by the normal operation of the update process) 720 over any interface, the corresponding LSPID entry is removed (it is 721 also removed if an LSP arrives before the CSNP containing the 722 reference). When an LSPID has been held in the list for its 723 indicated remaining lifetime, it is removed from the list. When the 724 list of LSPIDs is empty and the timer T1 has been cancelled for all 725 the interfaces that have an adjacency at this level, the timer T2 is 726 cancelled. 728 At this point, the local database is guaranteed to contain all the 729 LSP(s) (either the same sequence number or a more recent sequence 730 number) that were present in the neighbors' databases at the time of 731 (re)starting. LSPs that arrived in a neighbor's database after the 732 time of (re)starting may or may not be present, but the normal 733 operation of the update process will guarantee that they will 734 eventually be received. At this point, the local database is deemed 735 to be "synchronized". 737 Since LSPs mentioned in the CSNP(s) with a zero remaining lifetime 738 are not recorded, and those with a short remaining lifetime are 739 deleted from the list when the lifetime expires, cancellation of the 740 timer T2 will not be prevented by waiting for an LSP that will never 741 arrive. 743 3.4.1. LSP Generation and Flooding and SPF Computation 745 The operation of a router starting, as opposed to restarting, is 746 somewhat different. These two cases are dealt with separately below. 748 3.4.1.1. Restarting 750 In order to avoid causing unnecessary routing churn in other routers, 751 it is highly desirable that the router's own LSPs generated by the 752 restarting system are the same as those previously present in the 753 network (assuming no other changes have taken place). It is 754 important therefore not to regenerate and flood the LSPs until all 755 the adjacencies have been re-established and any information required 756 for propagation into the local LSPs is fully available. Ideally, the 757 information is loaded into the LSPs in a deterministic way, such that 758 the same information occurs in the same place in the same LSP (and 759 hence the LSPs are identical to their previous versions). If this 760 can be achieved, the new versions may not even cause SPF to be run in 761 other systems. However, provided the same information is included in 762 the set of LSPs (albeit in a different order, and possibly different 763 LSPs), the result of running the SPF will be the same and will not 764 cause churn to the forwarding tables. 766 In the case of a restarting router, none of the router's own LSPs are 767 transmitted, nor are the router's own forwarding tables updated while 768 the timer T3 is running. 770 Redistribution of inter-level information MUST be regenerated before 771 this router's LSP is flooded to other nodes. Therefore, the Level-n 772 non-pseudonode LSP(s) MUST NOT be flooded until the other level's T2 773 timer has expired and its SPF has been run. This ensures that any 774 inter-level information that is to be propagated can be included in 775 the Level-n LSP(s). 777 During this period, if one of the router's own (including 778 pseudonodes) LSPs is received, which the local router does not 779 currently have in its own database, it is NOT purged. Under normal 780 operation, such an LSP would be purged, since the LSP clearly should 781 not be present in the global LSP database. However, in the present 782 circumstances, this would be highly undesirable, because it could 783 cause premature removal of a router's own LSP -- and hence churn in 784 remote routers. Even if the local system has one or more of the 785 router's own LSPs (which it has generated, but not yet transmitted), 786 it is still not valid to compare the received LSP against this set, 787 since it may be that as a result of propagation between Level 1 and 788 Level 2 (or vice versa), a further router's own LSP will need to be 789 generated when the LSP databases have synchronized. 791 During this period, a restarting router SHOULD send CSNPs as it 792 normally would. Information about the router's own LSPs MAY be 793 included, but if it is included it MUST be based on LSPs that have 794 been received, not on versions that have been generated (but not yet 795 transmitted). This restriction is necessary to prevent premature 796 removal of an LSP from the global LSP database. 798 When the timer T2 expires or is cancelled indicating that 799 synchronization for that level is complete, the SPF for that level is 800 run in order to derive any information that is required to be 801 propagated to another level, but the forwarding tables are not yet 802 updated. 804 Once the other level's SPF has run and any inter-level propagation 805 has been resolved, the router's own LSPs can be generated and 806 flooded. Any own LSPs that were previously ignored, but that are not 807 part of the current set of own LSPs (including pseudonodes), MUST 808 then be purged. Note that it is possible that a Designated Router 809 change may have taken place, and consequently the router SHOULD purge 810 those pseudonode LSPs that it previously owned, but that are now no 811 longer part of its set of pseudonode LSPs. 813 When all the T2 timers have expired or been cancelled, the timer T3 814 is cancelled and the local forwarding tables are updated. 816 If the timer T3 expires before all the T2 timers have expired or been 817 cancelled, this indicates that the synchronization process is taking 818 longer than the minimum holding time of the neighbors. The router's 819 own LSP(s) for levels that have not yet completed their first SPF 820 computation are then flooded with the overload bit set to indicate 821 that the router's LSPDB is not yet synchronized (and therefore other 822 routers MUST NOT compute routes through this router). Normal 823 operation of the update process resumes, and the local forwarding 824 tables are updated. In order to prevent the neighbor's adjacencies 825 from expiring, IIHs with the normal interface value for the holding 826 time are transmitted over all interfaces with neither RR nor RA set 827 in the restart TLV. This will cause the neighbors to refresh their 828 adjacencies. The router's own LSP(s) will continue to have the 829 overload bit set until timer T2 has expired or been cancelled. 831 3.4.1.2. Starting 833 In the case of a starting router, as soon as each adjacency is 834 established, and before any CSNP exchanges, the router's own zeroth 835 LSP is transmitted with the overload bit set. This prevents other 836 routers from computing routes through the router until it has 837 reliably acquired the complete set of LSPs. The overload bit remains 838 set in subsequent transmissions of the zeroth LSP (such as will occur 839 if a previous copy of the router's own zeroth LSP is still present in 840 the network) while any timer T2 is running. 842 When all the T2 timers have been cancelled, the router's own LSP(s) 843 MAY be regenerated with the overload bit clear (assuming the router 844 is not in fact overloaded, and there is no other reason, such as 845 incomplete BGP convergence, to keep the overload bit set) and flooded 846 as normal. 848 Other LSPs owned by this router (including pseudonodes) are generated 849 and flooded as normal, irrespective of the timer T2. The SPF is also 850 run as normal and the Routing Information Base (RIB) and Forwarding 851 Information Base (FIB) updated as routes become available. 853 To avoid the possible formation of temporary blackholes, the starting 854 router sets the SA bit in the restart TLV (as described in 855 Section 3.3.2) in all IIHs that it sends. 857 When all T2 timers have been cancelled, the starting router MUST 858 transmit IIHs with the SA bit clear. 860 4. State Tables 862 This section presents state tables that summarize the behaviors 863 described in this document. Other behaviors, in particular adjacency 864 state transitions and LSP database update operation, are NOT included 865 in the state tables except where this document modifies the behaviors 866 described in [ISO10589] and [RFC5303]. 868 The states named in the columns of the tables below are a mixture of 869 states that are specific to a single adjacency (ADJ suppressed, ADJ 870 Seen RA, ADJ Seen CSNP) and states that are indicative of the state 871 of the protocol instance (Running, Restarting, Starting, SPF Wait). 873 Three state tables are presented from the point of view of a running 874 router, a restarting router, and a starting router. 876 4.1. Running Router 877 Event | Running | ADJ suppressed 878 ============================================================== 879 RX PR | Set Planned Restart | 880 | state. | 881 | Update hold time 882 | Send PA | 883 -------------+----------------------+------------------------- 884 RX PR clr | Clear Planned | 885 and RR clr | Restart State | 886 | Restore holdtime to | 887 | local value | 888 -------------+----------------------+------------------------- 889 RX RR | Maintain ADJ State | 890 | Send RA | 891 | Set SRM,send CSNP | 892 | (Note 1) | 893 | Update Hold Time, | 894 | set Restart Mode | 895 | (Note 2) | 896 -------------+----------------------+------------------------- 897 RX RR clr | Clr Restart mode | 898 -------------+----------------------+------------------------- 899 RX SA | Suppress IS neighbor | 900 | TLV in LSP(s) | 901 | Goto ADJ Suppressed | 902 -------------+----------------------+------------------------- 903 RX SA clr | |Unsuppress IS neighbor 904 | | TLV in LSP(s) 905 | |Goto Running 906 ============================================================== 908 Note 1: CSNPs are sent by routers in accordance with Section 3.2.1c 910 Note 2: If Restart Mode clear 912 4.2. Restarting Router 914 Event | Restarting | ADJ Seen | ADJ Seen | SPF Wait 915 | | RA | CSNP | 916 =================================================================== 917 Restart | Send PR | | | 918 planned | | | | 919 ------------+--------------------+-----------+-----------+------------ 920 Planned | Send PR clr | | | 921 restart | | | | 922 canceled | | | | 923 ------------+--------------------+-----------+-----------+------------ 924 RX PA | Proceed with | | | 925 | planned restart | | | 926 ------------+--------------------+-----------+-----------+------------ 927 Router | Send IIH/RR | | | 928 restarts | ADJ Init | | | 929 | Start T1,T2,T3 | | | 930 ------------+--------------------+-----------+-----------+------------ 931 RX RR | Send RA | | | 932 ------------+--------------------+-----------+-----------+------------ 933 RX RA | Adjust T3 | | Cancel T1 | 934 | Goto ADJ Seen RA | | Adjust T3 | 935 ----------- +--------------------+-----------+-----------+------------ 936 RX CSNP set| Goto ADJ Seen CSNP | Cancel T1 | | 937 ------------+--------------------+-----------+-----------+------------ 938 RX IIH w/o | Cancel T1 (Point- | | | 939 Restart TLV| to-point only) | | | 940 ------------+--------------------+-----------+-----------+------------ 941 T1 expires | Send IIH/RR |Send IIH/RR|Send IIH/RR| 942 | Restart T1 | Restart T1| Restart T1| 943 ------------+--------------------+-----------+-----------+------------ 944 T1 expires | Send IIH/ | Send IIH/ | Send IIH/ | 945 nth time | normal | normal | normal | 946 ------------+--------------------+-----------+-----------+------------ 947 T2 expires | Trigger SPF | | | 948 | Goto SPF Wait | | | 949 ------------+--------------------+-----------+-----------+------------ 950 T3 expires | Set overload bit | | | 951 | Flood local LSPs | | | 952 | Update fwd plane | | | 953 ------------+--------------------+-----------+-----------+------------ 954 LSP DB Sync| Cancel T2, and T3 | | | 955 | Trigger SPF | | | 956 | Goto SPF wait | | | 957 ------------+--------------------+-----------+-----------+------------ 958 All SPF | | | | Clear 959 done | | | | overload bit 960 | | | | Update fwd 961 | | | | plane 962 | | | | Flood local 963 | | | | LSPs 964 | | | | Goto Running 965 ====================================================================== 967 4.3. Starting Router 969 Event | Starting | ADJ Seen RA| ADJ Seen CSNP 970 ============================================================= 971 Router | Send IIH/SA | | 972 starts | Start T1,T2 | | 973 -------------+-------------------+------------+--------------- 974 RX RR | Send RA | | 975 -------------+-------------------+------------+--------------- 976 RX RA | Goto ADJ Seen RA | | Cancel T1 977 -------------+-------------------+------------+--------------- 978 RX CSNP Set | Goto ADJ Seen CSNP| Cancel T1 | 979 -------------+-------------------+------------+--------------- 980 RX IIH w | Cancel T1 | | 981 no Restart | (Point-to-Point | | 982 TLV | only) | | 983 -------------+-------------------+------------+--------------- 984 ADJ UP | Start T1 | | 985 | Send local LSPs | | 986 | with overload bit| | 987 | set | | 988 -------------+-------------------+------------+--------------- 989 T1 expires | Send IIH/RR |Send IIH/RR | Send IIH/RR 990 | and SA | and SA | and SA 991 | Restart T1 |Restart T1 | Restart T1 992 -------------+-------------------+------------+--------------- 993 T1 expires | Send IIH/SA |Send IIH/SA | Send IIH/SA 994 nth time | | | 995 -------------+-------------------+------------+--------------- 996 T2 expires | Clear overload bit| | 997 | Send IIH normal | | 998 | Goto Running | | 999 -------------+-------------------+------------+--------------- 1000 LSP DB Sync | Cancel T2 | | 1001 | Clear overload bit| | 1002 | Send IIH normal | | 1003 ============================================================== 1005 5. IANA Considerations 1007 This document defines the following IS-IS TLV that is listed in the 1008 IS-IS TLV codepoint registry: 1010 Type Description IIH LSP SNP Purge 1011 ---- ------------------------------ --- --- --- ----- 1012 211 Restart TLV y n n n 1014 IANA is requested to update the entry in registry to point to this 1015 document. 1017 6. Security Considerations 1019 Any new security issues raised by the procedures in this document 1020 depend upon the ability of an attacker to inject a false but 1021 apparently valid IIH, the ease/difficulty of which has not been 1022 altered. 1024 If the RR bit is set in a false IIH, neighbors who receive such an 1025 IIH will continue to maintain an existing adjacency in the "UP" state 1026 and may (re)send a complete set of CSNPs. While the latter action is 1027 wasteful, neither action causes any disruption in correct protocol 1028 operation. 1030 If the RA bit is set in a false IIH, a (re)starting router that 1031 receives such an IIH may falsely believe that there is a neighbor on 1032 the corresponding interface that supports the procedures described in 1033 this document. In the absence of receipt of a complete set of CSNPs 1034 on that interface, this could delay the completion of (re)start 1035 procedures by requiring the timer T1 to time out the locally defined 1036 maximum number of retries. This behavior is the same as would occur 1037 on a LAN where none of the (re)starting router's neighbors support 1038 the procedures in this document and is covered in Sections 3.3.1 and 1039 3.3.2. 1041 If the SA bit is set in a false IIH, this could cause suppression of 1042 the advertisement of an IS neighbor, which could either continue for 1043 an indefinite period or occur intermittently with the result being a 1044 possible loss of reachability to some destinations in the network 1045 and/or increased frequency of LSP flooding and SPF calculation. 1047 If the PR bit is set in a false IIH, neighbors who receive such an 1048 IIH could modify the holding time of an existing adjacency 1049 inappropriately. In the event of topology changes, the neighbor 1050 might also choose to not flood the topology updates and/or bring the 1051 adjacency down in the false belief that the forwarding plane of the 1052 router identified as the source of the false IIH is not currently 1053 processing announced topology changes. This would result in 1054 unnecessary forwarding disruption. 1056 If the PA bit is set in a false IIH, a router that receives such an 1057 IIH may falsely believe that the neighbor on the corresponding 1058 interface supports the planned restart procedures defined in this 1059 document. If such a router is planning to restart it might then 1060 proceed to initiate a restart in the false expectation that the 1061 neighbor has updated its holding time as requested. This may result 1062 in the neighbor bringing down the adjacency while the receiving 1063 router is restarting, causing unnecessary disruption to forwarding. 1065 The possibility of IS-IS PDU spoofing can be reduced by the use of 1066 authentication as described in [RFC1195] and [ISO10589], and 1067 especially the use of cryptographic authentication as described in 1068 [RFC5304] and [RFC5310]. 1070 7. Manageability Considerations 1072 These extensions that have been designed, developed, and deployed for 1073 many years do not have any new impact on management and operation of 1074 the IS-IS protocol via this standardization process. 1076 8. Acknowledgements 1078 For RFC 5306 the authors acknowledged contributions made by Jeff 1079 Parker, Radia Perlman, Mark Schaefer, Naiming Shen, Nischal Sheth, 1080 Russ White, and Rena Yang. 1082 The authors of this updated version acknowledge the contribution of 1083 Mike Shand, co-auther of RFC 5306. 1085 9. Normative References 1087 [ISO10589] 1088 International Organization for Standardization, 1089 "Intermediate system to Intermediate system intra-domain 1090 routeing information exchange protocol for use in 1091 conjunction with the protocol for providing the 1092 connectionless-mode Network Service (ISO 8473)", ISO/ 1093 IEC 10589:2002, Second Edition, Nov 2002. 1095 [RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and 1096 dual environments", RFC 1195, DOI 10.17487/RFC1195, 1097 December 1990, . 1099 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1100 Requirement Levels", BCP 14, RFC 2119, 1101 DOI 10.17487/RFC2119, March 1997, 1102 . 1104 [RFC5303] Katz, D., Saluja, R., and D. Eastlake 3rd, "Three-Way 1105 Handshake for IS-IS Point-to-Point Adjacencies", RFC 5303, 1106 DOI 10.17487/RFC5303, October 2008, 1107 . 1109 [RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic 1110 Authentication", RFC 5304, DOI 10.17487/RFC5304, October 1111 2008, . 1113 [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., 1114 and M. Fanto, "IS-IS Generic Cryptographic 1115 Authentication", RFC 5310, DOI 10.17487/RFC5310, February 1116 2009, . 1118 [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection 1119 (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, 1120 . 1122 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1123 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1124 May 2017, . 1126 Appendix A. Summary of Changes from RFC 5306 1128 This document extends RFC 5306 by introducing support for signalling 1129 the neighbors of a restarting router that a planned restart is about 1130 to occur. This allows the neighbors to be aware of the state of the 1131 restarting router so that appropriate action may be taken if other 1132 topology changes occur while the planned restart is in progress. 1133 Since the forwarding plane of the restarting router is maintained 1134 based upon the pre-restart state of the network, additional topology 1135 changes introduce the possibility that traffic may be lost if paths 1136 via the restarting router continue to be used while the restart is in 1137 progress. 1139 In support of this new functionality two new flags have been 1140 introduced: 1142 PR - Restart is planned 1143 PA - Planned restart acknowledgement 1145 No changes to the post restart exchange between the restarting router 1146 and its neighbors have been introduced. 1148 Authors' Addresses 1150 Les Ginsberg 1151 Cisco Systems, Inc. 1153 Email: ginsberg@cisco.com 1154 Paul Wells 1155 Cisco Systems, Inc. 1157 Email: pauwells@cisco.com