1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
|
Network Working Group M. Shand
Request for Comments: 5306 L. Ginsberg
Obsoletes: 3847 Cisco Systems
Category: Standards Track October 2008
Restart Signaling for IS-IS
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This document describes a mechanism for a restarting router to signal
to its neighbors that it is restarting, allowing them to reestablish
their adjacencies without cycling through the down state, while still
correctly initiating database synchronization.
This document additionally describes a mechanism for a restarting
router to determine when it has achieved Link State Protocol Data
Unit (LSP) database synchronization with its neighbors and a
mechanism to optimize LSP database synchronization, while minimizing
transient routing disruption when a router starts. This document
obsoletes RFC 3847.
Shand & Ginsberg Standards Track [Page 1]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
Table of Contents
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Timers . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Restart TLV . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.1. Use of RR and RA Bits . . . . . . . . . . . . . . . . 6
3.2.2. Use of the SA Bit . . . . . . . . . . . . . . . . . . 8
3.3. Adjacency (Re)Acquisition . . . . . . . . . . . . . . . . 8
3.3.1. Adjacency Reacquisition during Restart . . . . . . . . 9
3.3.2. Adjacency Acquisition during Start . . . . . . . . . . 11
3.3.3. Multiple Levels . . . . . . . . . . . . . . . . . . . 12
3.4. Database Synchronization . . . . . . . . . . . . . . . . . 13
3.4.1. LSP Generation and Flooding and SPF Computation . . . 14
3.4.1.1. Restarting . . . . . . . . . . . . . . . . . . . . 14
3.4.1.2. Starting . . . . . . . . . . . . . . . . . . . . . 16
4. State Tables . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.1. Running Router . . . . . . . . . . . . . . . . . . . . . . 17
4.2. Restarting Router . . . . . . . . . . . . . . . . . . . . 18
4.3. Starting Router . . . . . . . . . . . . . . . . . . . . . 19
5. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
7. Manageability Considerations . . . . . . . . . . . . . . . . . 20
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
9. Normative References . . . . . . . . . . . . . . . . . . . . . 21
Shand & Ginsberg Standards Track [Page 2]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
1. Overview
The Intermediate System to Intermediate System (IS-IS) routing
protocol [RFC1195] [ISO10589] is a link state intra-domain routing
protocol. Normally, when an IS-IS router is restarted, temporary
disruption of routing occurs due to events in both the restarting
router and the neighbors of the restarting router.
The router that has been restarted computes its own routes before
achieving database synchronization with its neighbors. The results
of this computation are likely to be non-convergent with the routes
computed by other routers in the area/domain.
Neighbors of the restarting router detect the restart event and cycle
their adjacencies with the restarting router through the down state.
The cycling of the adjacency state causes the neighbors to regenerate
their LSPs describing the adjacency concerned. This in turn causes a
temporary disruption of routes passing through the restarting router.
In certain scenarios, the temporary disruption of the routes is
highly undesirable. This document describes mechanisms to avoid or
minimize the disruption due to both of these causes.
When an adjacency is reinitialized as a result of a neighbor
restarting, a router does three things:
1. It causes its own LSP(s) to be regenerated, thus triggering SPF
runs throughout the area (or in the case of Level 2, throughout
the domain).
2. It sets SRMflags on its own LSP database on the adjacency
concerned.
3. In the case of a Point-to-Point link, it transmits a complete set
of Complete Sequence Number PDUs (CSNPs), over the adjacency.
In the case of a restarting router process, the first of these is
highly undesirable, but the second is essential in order to ensure
synchronization of the LSP database.
The third action above minimizes the number of LSPs that must be
exchanged and, if made reliable, provides a means of determining when
the LSP databases of the neighboring routers have been synchronized.
This is desirable whether or not the router is being restarted (so
that the overload bit can be cleared in the router's own LSP, for
example).
Shand & Ginsberg Standards Track [Page 3]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
This document describes a mechanism for a restarting router to signal
that it is restarting to its neighbors, and allow them to reestablish
their adjacencies without cycling through the down state, while still
correctly initiating database synchronization.
This document additionally describes a mechanism for a restarting
router to determine when it has achieved LSP database synchronization
with its neighbors and a mechanism to optimize LSP database
synchronization and minimize transient routing disruption when a
router starts.
It is assumed that the three-way handshake [RFC5303] is being used on
Point-to-Point circuits.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, [RFC2119].
If the control and forwarding functions in a router can be maintained
independently, it is possible for the forwarding function state to be
maintained across a resumption of control function operations. This
functionality is assumed when the terms "restart/restarting" are used
in this document.
The terms "start/starting" are used to refer to a router in which the
control function has either commenced operations for the first time
or has resumed operations, but the forwarding functions have not been
maintained in a prior state.
The terms "(re)start/(re)starting" are used when the text is
applicable to both a "starting" and a "restarting" router.
3. Approach
3.1. Timers
Three additional timers, T1, T2, and T3, are required to support the
functionality defined in this document.
An instance of the timer T1 is maintained per interface, and
indicates the time after which an unacknowledged (re)start attempt
will be repeated. A typical value might be 3 seconds.
Shand & Ginsberg Standards Track [Page 4]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
An instance of the timer T2 is maintained for each LSP database
(LSPDB) present in the system, i.e., for a Level 1/2 system, there
will be an instance of the timer T2 for Level 1 and an instance for
Level 2. This is the maximum time that the system will wait for
LSPDB synchronization. A typical value might be 60 seconds.
A single instance of the timer T3 is maintained for the entire
system. It indicates the time after which the router will declare
that it has failed to achieve database synchronization (by setting
the overload bit in its own LSP). This is initialized to 65535
seconds, but is set to the minimum of the remaining times of received
IS-IS Hellos (IIHs) containing a restart TLV with the Restart
Acknowledgement (RA) set and an indication that the neighbor has an
adjacency in the "UP" state to the restarting router.
NOTE: The timer T3 is only used by a restarting router.
3.2. Restart TLV
A new TLV is defined to be included in IIH PDUs. The presence of
this TLV indicates that the sender supports the functionality defined
in this document and it carries flags that are used to convey
information during a (re)start. All IIHs transmitted by a router
that supports this capability MUST include this TLV.
Type 211
Length: Number of octets in the Value field (1 to (3 + ID Length))
Value
No. of octets
+-----------------------+
| Flags | 1
+-----------------------+
| Remaining Time | 2
+-----------------------+
| Restarting Neighbor ID| ID Length
+-----------------------+
Shand & Ginsberg Standards Track [Page 5]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
Flags (1 octet)
0 1 2 3 4 5 6 7
+--+--+--+--+--+--+--+--+
| Reserved |SA|RA|RR|
+--+--+--+--+--+--+--+--+
RR - Restart Request
RA - Restart Acknowledgement
SA - Suppress adjacency advertisement
(Note: Remaining fields are required when the RA bit is set.)
Remaining Time (2 octets)
Remaining holding time (in seconds)
Restarting Neighbor System ID (ID Length octets)
The System ID of the neighbor to which an RA refers. Note:
Implementations based on earlier versions of this document may not
include this field in the TLV when the RA is set. In this case, a
router that is expecting an RA on a LAN circuit SHOULD assume that
the acknowledgement is directed at the local system.
3.2.1. Use of RR and RA Bits
The RR bit is used by a (re)starting router to signal to its
neighbors that a (re)start is in progress, that an existing adjacency
SHOULD be maintained even under circumstances when the normal
operation of the adjacency state machine would require the adjacency
to be reinitialized, to request a set of CSNPs, and to request
setting of the SRMflags.
The RA bit is sent by the neighbor of a (re)starting router to
acknowledge the receipt of a restart TLV with the RR bit set.
When the neighbor of a (re)starting router receives an IIH with the
restart TLV having the RR bit set, if there exists on this interface
an adjacency in state "UP" with the same System ID, and in the case
of a LAN circuit, with the same source LAN address, then,
irrespective of the other contents of the "Intermediate System
Neighbors" option (LAN circuits) or the "Point-to-Point Three-Way
Adjacency" option (Point-to-Point circuits):
a. the state of the adjacency is not changed. If this is the first
IIH with the RR bit set that this system has received associated
with this adjacency, then the adjacency is marked as being in
Shand & Ginsberg Standards Track [Page 6]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
"Restart mode" and the adjacency holding time is refreshed --
otherwise, the holding time is not refreshed. The "remaining
time" transmitted according to (b) below MUST reflect the actual
time after which the adjacency will now expire. Receipt of a
normal IIH with the RR bit reset will clear the "Restart mode"
state. This procedure allows the restarting router to cause the
neighbor to maintain the adjacency long enough for restart to
successfully complete, while also preventing repetitive restarts
from maintaining an adjacency indefinitely. Whether or not an
adjacency is marked as being in "Restart mode" has no effect on
adjacency state transitions.
b. immediately (i.e., without waiting for any currently running
timer interval to expire, but with a small random delay of a few
tens of milliseconds on LANs to avoid "storms") transmit over the
corresponding interface an IIH including the restart TLV with the
RR bit clear and the RA bit set, in the case of Point-to-Point
adjacencies having updated the "Point-to-Point Three-Way
Adjacency" option to reflect any new values received from the
(re)starting router. (This allows a restarting router to quickly
acquire the correct information to place in its hellos.) The
"Remaining Time" MUST be set to the current time (in seconds)
before the holding timer on this adjacency is due to expire. If
the corresponding interface is a LAN interface, then the
Restarting Neighbor System ID SHOULD be set to the System ID of
the router from which the IIH with the RR bit set was received.
This is required to correctly associate the acknowledgement and
holding time in the case where multiple systems on a LAN restart
at approximately the same time. This IIH SHOULD be transmitted
before any LSPs or SNPs are transmitted as a result of the
receipt of the original IIH.
c. if the corresponding interface is a Point-to-Point interface, or
if the receiving router has the highest LnRouterPriority (with
the highest source MAC (Media Access Control) address breaking
ties) among those routers to which the receiving router has an
adjacency in state "UP" on this interface whose IIHs contain the
restart TLV, excluding adjacencies to all routers which are
considered in "Restart mode" (note the actual DIS is NOT changed
by this process), initiate the transmission over the
corresponding interface of a complete set of CSNPs, and set
SRMflags on the corresponding interface for all LSPs in the local
LSP database.
Otherwise (i.e., if there was no adjacency in the "UP" state to the
System ID in question), process the IIH as normal by reinitializing
the adjacency and setting the RA bit in the returned IIH.
Shand & Ginsberg Standards Track [Page 7]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
3.2.2. Use of the SA Bit
The SA bit is used by a starting router to request that its neighbor
suppress advertisement of the adjacency to the starting router in the
neighbor's LSPs.
A router that is starting has no maintained forwarding function
state. This may or may not be the first time the router has started.
If this is not the first time the router has started, copies of LSPs
generated by this router in its previous incarnation may exist in the
LSP databases of other routers in the network. These copies are
likely to appear "newer" than LSPs initially generated by the
starting router due to the reinitialization of LSP fragment sequence
numbers by the starting router. This may cause temporary blackholes
to occur until the normal operation of the update process causes the
starting router to regenerate and flood copies of its own LSPs with
higher sequence numbers. The temporary blackholes can be avoided if
the starting router's neighbors suppress advertising an adjacency to
the starting router until the starting router has been able to
propagate newer versions of LSPs generated by previous incarnations.
When a router receives an IIH with the restart TLV having the SA bit
set, if there exists on this interface an adjacency in state "UP"
with the same System ID, and in the case of a LAN circuit, with the
same source LAN address, then the router MUST suppress advertisement
of the adjacency to the neighbor in its own LSPs. Until an IIH with
the SA bit clear has been received, the neighbor advertisement MUST
continue to be suppressed. If the adjacency transitions to the "UP"
state, the new adjacency MUST NOT be advertised until an IIH with the
SA bit clear has been received.
Note that a router that suppresses advertisement of an adjacency MUST
NOT use this adjacency when performing its SPF calculation. In
particular, if an implementation follows the example guidelines
presented in [ISO10589], Annex C.2.5, Step 0:b) "pre-load TENT with
the local adjacency database", the suppressed adjacency MUST NOT be
loaded into TENT.
3.3. Adjacency (Re)Acquisition
Adjacency (re)acquisition is the first step in (re)initialization.
Restarting and starting routers will make use of the RR bit in the
restart TLV, though each will use it at different stages of the
(re)start procedure.
Shand & Ginsberg Standards Track [Page 8]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
3.3.1. Adjacency Reacquisition during Restart
The restarting router explicitly notifies its neighbor that the
adjacency is being reacquired, and hence that it SHOULD NOT
reinitialize the adjacency. This is achieved by setting the RR bit
in the restart TLV. When the neighbor of a restarting router
receives an IIH with the restart TLV having the RR bit set, if there
exists on this interface an adjacency in state "UP" with the same
System ID, and in the case of a LAN circuit, with the same source LAN
address, then the procedures described in Section 3.2.1 are followed.
A router that does not support the restart capability will ignore the
restart TLV and reinitialize the adjacency as normal, returning an
IIH without the restart TLV.
On restarting, a router initializes the timer T3, starts the timer T2
for each LSPDB, and for each interface (and in the case of a LAN
circuit, for each level) starts the timer T1 and transmits an IIH
containing the restart TLV with the RR bit set.
On a Point-to-Point circuit, the restarting router SHOULD set the
"Adjacency Three-Way State" to "Init", because the receipt of the
acknowledging IIH (with RA set) MUST cause the adjacency to enter the
"UP" state immediately.
On a LAN circuit, the LAN-ID assigned to the circuit SHOULD be the
same as that used prior to the restart. In particular, for any
circuits for which the restarting router was previously DIS, the use
of a different LAN-ID would necessitate the generation of a new set
of pseudonode LSPs, and corresponding changes in all the LSPs
referencing them from other routers on the LAN. By preserving the
LAN-ID across the restart, this churn can be prevented. To enable a
restarting router to learn the LAN-ID used prior to restart, the
LAN-ID specified in an IIH with RR set MUST be ignored.
Transmission of "normal" IIHs is inhibited until the conditions
described below are met (in order to avoid causing an unnecessary
adjacency initialization). Upon expiry of the timer T1, it is
restarted and the IIH is retransmitted as above.
When a restarting router receives an IIH a local adjacency is
established as usual, and if the IIH contains a restart TLV with the
RA bit set (and on LAN circuits with a Restart Neighbor System ID
that matches that of the local system), the receipt of the
acknowledgement over that interface is noted. When the RA bit is set
and the state of the remote adjacency is "UP", then the timer T3 is
set to the minimum of its current value and the value of the
"Remaining Time" field in the received IIH.
Shand & Ginsberg Standards Track [Page 9]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
On a Point-to-Point link, receipt of an IIH not containing the
restart TLV is also treated as an acknowledgement, since it indicates
that the neighbor is not restart capable. However, since no CSNP is
guaranteed to be received over this interface, the timer T1 is
cancelled immediately without waiting for a complete set of CSNPs.
Synchronization may therefore be deemed complete even though there
are some LSPs which are held (only) by this neighbor (see
Section 3.4). In this case, we also want to be certain that the
neighbor will reinitialize the adjacency in order to guarantee that
the SRMflags have been set on its database, thus ensuring eventual
LSPDB synchronization. This is guaranteed to happen except in the
case where the Adjacency Three-Way State in the received IIH is "UP"
and the Neighbor Extended Local Circuit ID matches the extended local
circuit ID assigned by the restarting router. In this case, the
restarting router MUST force the adjacency to reinitialize by setting
the local Adjacency Three-Way State to "DOWN" and sending a normal
IIH.
In the case of a LAN interface, receipt of an IIH not containing the
restart TLV is unremarkable since synchronization can still occur so
long as at least one of the non-restarting neighboring routers on the
LAN supports restart. Therefore, T1 continues to run in this case.
If none of the neighbors on the LAN are restart capable, T1 will
eventually expire after the locally defined number of retries.
In the case of a Point-to-Point circuit, the "LocalCircuitID" and
"Extended Local Circuit ID" information contained in the IIH can be
used immediately to generate an IIH containing the correct three-way
handshake information. The presence of "Neighbor Extended Local
Circuit ID" information that does not match the value currently in
use by the local system is ignored (since the IIH may have been
transmitted before the neighbor had received the new value from the
restarting router), but the adjacency remains in the initializing
state until the correct information is received.
In the case of a LAN circuit, the source neighbor information (e.g.,
SNPAAddress) is recorded and used for adjacency establishment and
maintenance as normal.
When BOTH a complete set of CSNPs (for each active level, in the case
of a Point-to-Point circuit) and an acknowledgement have been
received over the interface, the timer T1 is cancelled.
Once the timer T1 has been cancelled, subsequent IIHs are transmitted
according to the normal algorithms, but including the restart TLV
with both RR and RA clear.
Shand & Ginsberg Standards Track [Page 10]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
If a LAN contains a mixture of systems, only some of which support
the new algorithm, database synchronization is still guaranteed, but
the "old" systems will have reinitialized their adjacencies.
If an interface is active, but does not have any neighboring router
reachable over that interface, the timer T1 would never be cancelled,
and according to Section 3.4.1.1, the SPF would never be run.
Therefore, timer T1 is cancelled after some predetermined number of
expirations (which MAY be 1).
3.3.2. Adjacency Acquisition during Start
The starting router wants to ensure that in the event that a
neighboring router has an adjacency to the starting router in the
"UP" state (from a previous incarnation of the starting router), this
adjacency is reinitialized. The starting router also wants
neighboring routers to suppress advertisement of an adjacency to the
starting router until LSP database synchronization is achieved. This
is achieved by sending IIHs with the RR bit clear and the SA bit set
in the restart TLV. The RR bit remains clear and the SA bit remains
set in subsequent transmissions of IIHs until the adjacency has
reached the "UP" state and the initial T1 timer interval (see below)
has expired.
Receipt of an IIH with the RR bit clear will result in the
neighboring router utilizing normal operation of the adjacency state
machine. This will ensure that any old adjacency on the neighboring
router will be reinitialized.
Upon receipt of an IIH with the SA bit set, the behavior described in
Section 3.2.2 is followed.
Upon starting, a router starts timer T2 for each LSPDB.
For each interface (and in the case of a LAN circuit, for each
level), when an adjacency reaches the "UP" state, the starting router
starts a timer T1 and transmits an IIH containing the restart TLV
with the RR bit clear and SA bit set. Upon expiry of the timer T1,
it is restarted and the IIH is retransmitted with both RR and SA bits
set (only the RR bit has changed state from earlier IIHs).
Upon receipt of an IIH with the RR bit set (regardless of whether or
not the SA bit is set), the behavior described in Section 3.2.1 is
followed.
Shand & Ginsberg Standards Track [Page 11]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
When an IIH is received by the starting router and the IIH contains a
restart TLV with the RA bit set (and on LAN circuits with a Restart
Neighbor System ID that matches that of the local system), the
receipt of the acknowledgement over that interface is noted.
On a Point-to-Point link, receipt of an IIH not containing the
restart TLV is also treated as an acknowledgement, since it indicates
that the neighbor is not restart capable. Since the neighbor will
have reinitialized the adjacency, this guarantees that SRMflags have
been set on its database, thus ensuring eventual LSPDB
synchronization. However, since no CSNP is guaranteed to be received
over this interface, the timer T1 is cancelled immediately without
waiting for a complete set of CSNPs. Synchronization may therefore
be deemed complete even though there are some LSPs that are held
(only) by this neighbor (see Section 3.4).
In the case of a LAN interface, receipt of an IIH not containing the
restart TLV is unremarkable since synchronization can still occur so
long as at least one of the non-restarting neighboring routers on the
LAN supports restart. Therefore, T1 continues to run in this case.
If none of the neighbors on the LAN are restart capable, T1 will
eventually expire after the locally defined number of retries. The
usual operation of the update process will ensure that
synchronization is eventually achieved.
When BOTH a complete set of CSNPs (for each active level, in the case
of a Point-to-Point circuit) and an acknowledgement have been
received over the interface, the timer T1 is cancelled. Subsequent
IIHs sent by the starting router have the RR and RA bits clear and
the SA bit set in the restart TLV.
Timer T1 is cancelled after some predetermined number of expirations
(which MAY be 1).
When the T2 timer(s) are cancelled or expire, transmission of
"normal" IIHs (with RR, RA, and SA bits clear) will begin.
3.3.3. Multiple Levels
A router that is operating as both a Level 1 and a Level 2 router on
a particular interface MUST perform the above operations for each
level.
On a LAN interface, it MUST send and receive both Level 1 and Level 2
IIHs and perform the CSNP synchronizations independently for each
level.
Shand & Ginsberg Standards Track [Page 12]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
On a Point-to-Point interface, only a single IIH (indicating support
for both levels) is required, but it MUST perform the CSNP
synchronizations independently for each level.
3.4. Database Synchronization
When a router is started or restarted, it can expect to receive a
complete set of CSNPs over each interface. The arrival of the
CSNP(s) is now guaranteed, since an IIH with the RR bit set will be
retransmitted until the CSNP(s) are correctly received.
The CSNPs describe the set of LSPs that are currently held by each
neighbor. Synchronization will be complete when all these LSPs have
been received.
When (re)starting, a router starts an instance of timer T2 for each
LSPDB as described in Section 3.3.1 or Section 3.3.2. In addition to
normal processing of the CSNPs, the set of LSPIDs contained in the
first complete set of CSNPs received over each interface is recorded,
together with their remaining lifetime. In the case of a LAN
interface, a complete set of CSNPs MUST consist of CSNPs received
from neighbors that are not restarting. If there are multiple
interfaces on the (re)starting router, the recorded set of LSPIDs is
the union of those received over each interface. LSPs with a
remaining lifetime of zero are NOT so recorded.
As LSPs are received (by the normal operation of the update process)
over any interface, the corresponding LSPID entry is removed (it is
also removed if an LSP arrives before the CSNP containing the
reference). When an LSPID has been held in the list for its
indicated remaining lifetime, it is removed from the list. When the
list of LSPIDs is empty and the timer T1 has been cancelled for all
the interfaces that have an adjacency at this level, the timer T2 is
cancelled.
At this point, the local database is guaranteed to contain all the
LSP(s) (either the same sequence number or a more recent sequence
number) that were present in the neighbors' databases at the time of
(re)starting. LSPs that arrived in a neighbor's database after the
time of (re)starting may or may not be present, but the normal
operation of the update process will guarantee that they will
eventually be received. At this point, the local database is deemed
to be "synchronized".
Shand & Ginsberg Standards Track [Page 13]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
Since LSPs mentioned in the CSNP(s) with a zero remaining lifetime
are not recorded, and those with a short remaining lifetime are
deleted from the list when the lifetime expires, cancellation of the
timer T2 will not be prevented by waiting for an LSP that will never
arrive.
3.4.1. LSP Generation and Flooding and SPF Computation
The operation of a router starting, as opposed to restarting, is
somewhat different. These two cases are dealt with separately below.
3.4.1.1. Restarting
In order to avoid causing unnecessary routing churn in other routers,
it is highly desirable that the router's own LSPs generated by the
restarting system are the same as those previously present in the
network (assuming no other changes have taken place). It is
important therefore not to regenerate and flood the LSPs until all
the adjacencies have been re-established and any information required
for propagation into the local LSPs is fully available. Ideally, the
information is loaded into the LSPs in a deterministic way, such that
the same information occurs in the same place in the same LSP (and
hence the LSPs are identical to their previous versions). If this
can be achieved, the new versions may not even cause SPF to be run in
other systems. However, provided the same information is included in
the set of LSPs (albeit in a different order, and possibly different
LSPs), the result of running the SPF will be the same and will not
cause churn to the forwarding tables.
In the case of a restarting router, none of the router's own LSPs are
transmitted, nor are the router's own forwarding tables updated while
the timer T3 is running.
Redistribution of inter-level information MUST be regenerated before
this router's LSP is flooded to other nodes. Therefore, the Level-n
non-pseudonode LSP(s) MUST NOT be flooded until the other level's T2
timer has expired and its SPF has been run. This ensures that any
inter-level information that is to be propagated can be included in
the Level-n LSP(s).
During this period, if one of the router's own (including
pseudonodes) LSPs is received, which the local router does not
currently have in its own database, it is NOT purged. Under normal
operation, such an LSP would be purged, since the LSP clearly should
not be present in the global LSP database. However, in the present
circumstances, this would be highly undesirable, because it could
cause premature removal of a router's own LSP -- and hence churn in
remote routers. Even if the local system has one or more of the
Shand & Ginsberg Standards Track [Page 14]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
router's own LSPs (which it has generated, but not yet transmitted),
it is still not valid to compare the received LSP against this set,
since it may be that as a result of propagation between Level 1 and
Level 2 (or vice versa), a further router's own LSP will need to be
generated when the LSP databases have synchronized.
During this period, a restarting router SHOULD send CSNPs as it
normally would. Information about the router's own LSPs MAY be
included, but if it is included it MUST be based on LSPs that have
been received, not on versions that have been generated (but not yet
transmitted). This restriction is necessary to prevent premature
removal of an LSP from the global LSP database.
When the timer T2 expires or is cancelled indicating that
synchronization for that level is complete, the SPF for that level is
run in order to derive any information that is required to be
propagated to another level, but the forwarding tables are not yet
updated.
Once the other level's SPF has run and any inter-level propagation
has been resolved, the router's own LSPs can be generated and
flooded. Any own LSPs that were previously ignored, but that are not
part of the current set of own LSPs (including pseudonodes), MUST
then be purged. Note that it is possible that a Designated Router
change may have taken place, and consequently the router SHOULD purge
those pseudonode LSPs that it previously owned, but that are now no
longer part of its set of pseudonode LSPs.
When all the T2 timers have expired or been cancelled, the timer T3
is cancelled and the local forwarding tables are updated.
If the timer T3 expires before all the T2 timers have expired or been
cancelled, this indicates that the synchronization process is taking
longer than the minimum holding time of the neighbors. The router's
own LSP(s) for levels that have not yet completed their first SPF
computation are then flooded with the overload bit set to indicate
that the router's LSPDB is not yet synchronized (and therefore other
routers MUST NOT compute routes through this router). Normal
operation of the update process resumes, and the local forwarding
tables are updated. In order to prevent the neighbor's adjacencies
from expiring, IIHs with the normal interface value for the holding
time are transmitted over all interfaces with neither RR nor RA set
in the restart TLV. This will cause the neighbors to refresh their
adjacencies. The router's own LSP(s) will continue to have the
overload bit set until timer T2 has expired or been cancelled.
Shand & Ginsberg Standards Track [Page 15]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
3.4.1.2. Starting
In the case of a starting router, as soon as each adjacency is
established, and before any CSNP exchanges, the router's own zeroth
LSP is transmitted with the overload bit set. This prevents other
routers from computing routes through the router until it has
reliably acquired the complete set of LSPs. The overload bit remains
set in subsequent transmissions of the zeroth LSP (such as will occur
if a previous copy of the router's own zeroth LSP is still present in
the network) while any timer T2 is running.
When all the T2 timers have been cancelled, the router's own LSP(s)
MAY be regenerated with the overload bit clear (assuming the router
is not in fact overloaded, and there is no other reason, such as
incomplete BGP convergence, to keep the overload bit set) and flooded
as normal.
Other LSPs owned by this router (including pseudonodes) are generated
and flooded as normal, irrespective of the timer T2. The SPF is also
run as normal and the Routing Information Base (RIB) and Forwarding
Information Base (FIB) updated as routes become available.
To avoid the possible formation of temporary blackholes, the starting
router sets the SA bit in the restart TLV (as described in
Section 3.3.2) in all IIHs that it sends.
When all T2 timers have been cancelled, the starting router MUST
transmit IIHs with the SA bit clear.
4. State Tables
This section presents state tables that summarize the behaviors
described in this document. Other behaviors, in particular adjacency
state transitions and LSP database update operation, are NOT included
in the state tables except where this document modifies the behaviors
described in [ISO10589] and [RFC5303].
The states named in the columns of the tables below are a mixture of
states that are specific to a single adjacency (ADJ suppressed, ADJ
Seen RA, ADJ Seen CSNP) and states that are indicative of the state
of the protocol instance (Running, Restarting, Starting, SPF Wait).
Three state tables are presented from the point of view of a running
router, a restarting router, and a starting router.
Shand & Ginsberg Standards Track [Page 16]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
4.1. Running Router
Event | Running | ADJ suppressed
==============================================================
RX RR | Maintain ADJ State |
| Send RA |
| Set SRM,send CSNP |
| (Note 1) |
| Update Hold Time, |
| set Restart Mode |
| (Note 2) |
-------------+----------------------+-------------------------
RX RR clr | Clr Restart mode |
-------------+----------------------+-------------------------
RX SA | Suppress IS neighbor |
| TLV in LSP(s) |
| Goto ADJ Suppressed |
-------------+----------------------+-------------------------
RX SA clr | |Unsuppress IS neighbor
| | TLV in LSP(s)
| |Goto Running
==============================================================
Note 1: CSNPs are sent by routers in accordance with Section 3.2.1c
Note 2: If Restart Mode clear
Shand & Ginsberg Standards Track [Page 17]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
4.2. Restarting Router
Event | Restarting | ADJ Seen | ADJ Seen | SPF Wait
| | RA | CSNP |
===================================================================
Router | Send IIH/RR | | |
restarts | ADJ Init | | |
| Start T1,T2,T3 | | |
------------+--------------------+-----------+-----------+------------
RX RR | Send RA | | |
------------+--------------------+-----------+-----------+------------
RX RA | Adjust T3 | | Cancel T1 |
| Goto ADJ Seen RA | | Adjust T3 |
----------- +--------------------+-----------+-----------+------------
RX CSNP set| Goto ADJ Seen CSNP | Cancel T1 | |
------------+--------------------+-----------+-----------+------------
RX IIH w/o | Cancel T1 (Point- | | |
Restart TLV| to-point only) | | |
------------+--------------------+-----------+-----------+------------
T1 expires | Send IIH/RR |Send IIH/RR|Send IIH/RR|
| Restart T1 | Restart T1| Restart T1|
------------+--------------------+-----------+-----------+------------
T1 expires | Send IIH/ | Send IIH/ | Send IIH/ |
nth time | normal | normal | normal |
------------+--------------------+-----------+-----------+------------
T2 expires | Trigger SPF | | |
| Goto SPF Wait | | |
------------+--------------------+-----------+-----------+------------
T3 expires | Set overload bit | | |
| Flood local LSPs | | |
| Update fwd plane | | |
------------+--------------------+-----------+-----------+------------
LSP DB Sync| Cancel T2, and T3 | | |
| Trigger SPF | | |
| Goto SPF wait | | |
------------+--------------------+-----------+-----------+------------
All SPF | | | | Clear
done | | | | overload bit
| | | | Update fwd
| | | | plane
| | | | Flood local
| | | | LSPs
| | | | Goto Running
======================================================================
Shand & Ginsberg Standards Track [Page 18]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
4.3. Starting Router
Event | Starting | ADJ Seen RA| ADJ Seen CSNP
=============================================================
Router | Send IIH/SA | |
starts | Start T1,T2 | |
-------------+-------------------+------------+---------------
RX RR | Send RA | |
-------------+-------------------+------------+---------------
RX RA | Goto ADJ Seen RA | | Cancel T1
-------------+-------------------+------------+---------------
RX CSNP Set | Goto ADJ Seen CSNP| Cancel T1 |
-------------+-------------------+------------+---------------
RX IIH w | Cancel T1 | |
no Restart | (Point-to-Point | |
TLV | only) | |
-------------+-------------------+------------+---------------
ADJ UP | Start T1 | |
| Send local LSPs | |
| with overload bit| |
| set | |
-------------+-------------------+------------+---------------
T1 expires | Send IIH/RR |Send IIH/RR | Send IIH/RR
| and SA | and SA | and SA
| Restart T1 |Restart T1 | Restart T1
-------------+-------------------+------------+---------------
T1 expires | Send IIH/SA |Send IIH/SA | Send IIH/SA
nth time | | |
-------------+-------------------+------------+---------------
T2 expires | Clear overload bit| |
| Send IIH normal | |
| Goto Running | |
-------------+-------------------+------------+---------------
LSP DB Sync | Cancel T2 | |
| Clear overload bit| |
| Send IIH normal | |
==============================================================
5. Security Considerations
Any new security issues raised by the procedures in this document
depend upon the ability of an attacker to inject a false but
apparently valid IIH, the ease/difficulty of which has not been
altered.
Shand & Ginsberg Standards Track [Page 19]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
If the RR bit is set in a false IIH, neighbors who receive such an
IIH will continue to maintain an existing adjacency in the "UP" state
and may (re)send a complete set of CSNPs. While the latter action is
wasteful, neither action causes any disruption in correct protocol
operation.
If the RA bit is set in a false IIH, a (re)starting router that
receives such an IIH may falsely believe that there is a neighbor on
the corresponding interface that supports the procedures described in
this document. In the absence of receipt of a complete set of CSNPs
on that interface, this could delay the completion of (re)start
procedures by requiring the timer T1 to time out the locally defined
maximum number of retries. This behavior is the same as would occur
on a LAN where none of the (re)starting router's neighbors support
the procedures in this document and is covered in Sections 3.3.1 and
3.3.2.
If an SA bit is set in a false IIH, this could cause suppression of
the advertisement of an IS neighbor, which could either continue for
an indefinite period or occur intermittently with the result being a
possible loss of reachability to some destinations in the network
and/or increased frequency of LSP flooding and SPF calculation.
The possibility of IS-IS PDU spoofing can be reduced by the use of
authentication as described in [RFC1195] and [ISO10589], and
especially the use of cryptographic authentication as described in
[RFC5304].
6. IANA Considerations
This document defines the following IS-IS TLV that is listed in the
IS-IS TLV codepoint registry:
Type Description IIH LSP SNP
---- ----------------------------------- --- --- ---
211 Restart TLV y n n
7. Manageability Considerations
These extensions that have been designed, developed, and deployed for
many years do not have any new impact on management and operation of
the IS-IS protocol via this standardization process.
8. Acknowledgements
The authors would like to acknowledge contributions made by Jeff
Parker, Radia Perlman, Mark Schaefer, Naiming Shen, Nischal Sheth,
Russ White, and Rena Yang.
Shand & Ginsberg Standards Track [Page 20]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
9. Normative References
[ISO10589] ISO, "Intermediate System to Intermediate System intra-
domain routeing information exchange protocol for use in
conjunction with the protocol for providing the
connectionless-mode network service (ISO 8473)",
International Standard 10589:2002, Second Edition, 2002.
[RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and
dual environments", RFC 1195, December 1990.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5303] Katz, D., Saluja, R., and D. Eastlake 3rd, "Three-Way
Handshake for IS-IS Point-to-Point Adjacencies",
RFC 5303, October 2008.
[RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic
Authentication", RFC 5304, October 2008.
Authors' Addresses
Mike Shand
Cisco Systems
250, Longwater Avenue.
Reading, Berks RG2 6GB
UK
Phone: +44 208 824 8690
EMail: mshand@cisco.com
Les Ginsberg
Cisco Systems
510 McCarthy Blvd
Milpitas, CA 95035
USA
EMail: ginsberg@cisco.com
Shand & Ginsberg Standards Track [Page 21]
^L
RFC 5306 Restart Signaling for IS-IS October 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Shand & Ginsberg Standards Track [Page 22]
^L
|
