2.2 IS-IS Basic Principles
2.2.2 Process of Exchanging IS-IS LSPs
Causes of LSP generation
All routers in the IS-IS routing domain can generate LSPs. The following events trigger the generation of a new LSP:
Neighbor is Up or Down.
Related interface goes Up or Down.
Imported IP routes change.
Inter-area IP routes change.
Interface is assigned a new metric value.
Periodic updates occur.
Processing of a new LSP received from a neighbor
1. The router installs the LSP to its LSDB and marks it for flooding.
2. The router sends the LSP to all interfaces except the interface that initially received the LSP.
3. The neighbors flood the LSP to their neighbors.
LSP flooding
In LSP flooding, a router sends an LSP to its neighbors, and each neighbor then sends the received LSP on to its own neighbors, except the one from which it received the LSP. In this manner, the LSP is flooded among all routers of the same level. LSP flooding gives every router of the same level the same LSP information, so that their LSDBs are synchronized.
Each LSP has a 4-byte sequence number. When a router is started, the sequence number of the first LSP sent by the router is 1. When a new LSP is generated, the sequence number of the LSP is equal to the sequence number of the previous LSP plus 1. The greater the sequence number, the newer the LSP.
Process of synchronizing LSDBs between a newly added router and DIS on a broadcast link
Figure 2-2-2 Process of updating LSDBs on a broadcast link
1. A new router (RouterC) sends a Hello packet to establish neighbor relationships with the other routers in the broadcast domain.
2. RouterC establishes neighbor relationships with RouterA and RouterB, waits for the timeout of the LSP refresh timer, and then sends its LSP to a multicast address (01-80-C2-00-00-1 in a Level-1 area and 01-80-C2-00-00-15 in a Level-2 area). All neighbors on the network can receive the LSP.
3. The DIS on the network segment adds the received LSP to its LSDB. After the CSNP timer expires, the DIS sends CSNPs to synchronize the LSDBs on the network.
4. RouterC receives the CSNPs from the DIS, checks its LSDB, and sends a PSNP to request the LSPs it does not have.
5. The DIS receives the PSNP and sends RouterC the required LSPs for LSDB synchronization.
The process of updating the LSDB of the DIS is as follows:
1. When the DIS receives an LSP, it searches the LSDB to check whether the same LSP exists. If the DIS does not find the same LSP in its LSDB, the DIS adds the LSP to its LSDB and broadcasts the content of the new LSDB.
2. If the sequence number of the received LSP is greater than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the contents of the new LSDB. If the sequence number of the received LSP is smaller than that of the corresponding LSP in the LSDB, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
3. If the sequence number of the received LSP is the same as that of the corresponding LSP in the LSDB, the DIS compares the remaining lifetime of the two LSPs. If the remaining lifetime of the received LSP is smaller than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the contents of the new LSDB. If the remaining lifetime of the received LSP is greater than that of the corresponding LSP, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
4. If the sequence number and remaining lifetime of the received LSP are the same as those of the corresponding LSP in the LSDB, the DIS compares the checksum of the two LSPs. If the checksum of the received LSP is greater than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the content of the new LSDB. If the checksum of the received LSP is smaller than that of the corresponding LSP, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
5. If the sequence number, remaining lifetime, and checksum of the received LSP are the same as those of the corresponding LSP in the LSDB, the DIS does not forward the received LSP.
Process of synchronizing the LSDB on a P2P link
Figure 2-2-3 Process of updating LSDBs on a P2P link
1. RouterA establishes a neighbor relationship with RouterB.
2. RouterA and RouterB send a CSNP to each other. If the LSDB of the neighbor and the received CSNP are not synchronized, the neighbor sends a PSNP to request the required LSP.
3. Figure 2-2-3 assumes that RouterB requests the required LSP from RouterA. RouterA sends the required LSP to RouterB, starts the LSP retransmission timer, and waits for a PSNP from RouterB as an acknowledgement for the received LSP.
4. If RouterA does not receive a PSNP from RouterB after the LSP retransmission timer expires, RouterA resends the LSP until it receives a PSNP from RouterB.
NOTE:
A PSNP on a P2P link is used as follows:
An ACK packet to acknowledge the received LSP.
A request packet to acquire LSPs.
The process of updating LSDBs on a P2P link is as follows:
1. If the sequence number of the received LSP is smaller than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor.
If the sequence number of the received LSP is greater than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP.
2. If the sequence number of the received LSP is the same as that of the corresponding LSP in the LSDB, the router compares the remaining lifetime of the two LSPs. If the received LSP has a smaller remaining lifetime than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP. If the received LSP has a greater remaining lifetime than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor.
3. If the sequence number and remaining lifetime of the received LSP are the same as those of the corresponding LSP in the LSDB, the router compares the checksum of the two LSPs. If the received LSP has a greater checksum than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP. If the received LSP has a smaller checksum than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor.
4. If the sequence number, remaining lifetime, and checksum of the received LSP and the corresponding LSP in the LSDB are the same, the router does not forward the received LSP.
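The comparison that both the DIS procedure on a broadcast link and the P2P procedure above apply (sequence number, then remaining lifetime, then checksum), together with the CSNP check that decides which LSPs a router requests in a PSNP, as an added example that is not code from the Huawei document. The LSP records, LSDB contents and link-type actions are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lsp:
    lsp_id: str       # e.g. "0000.0000.0003.00-00" (constructed sample IDs)
    seq: int          # 4-byte sequence number; the first LSP after boot uses 1
    lifetime: int     # remaining lifetime in seconds
    checksum: int     # 16-bit LSP checksum

def compare(received, local):
    """Return 'newer', 'older' or 'same' for the received LSP relative to the
    local copy, in the order the document gives: sequence number (greater
    wins), then remaining lifetime (smaller wins), then checksum (greater wins)."""
    if received.seq != local.seq:
        return "newer" if received.seq > local.seq else "older"
    if received.lifetime != local.lifetime:
        return "newer" if received.lifetime < local.lifetime else "older"
    if received.checksum != local.checksum:
        return "newer" if received.checksum > local.checksum else "older"
    return "same"

def receive_lsp(lsdb, received, link):
    """Apply a received LSP to lsdb (dict lsp_id -> Lsp) and return the action
    the document prescribes for the link type ('broadcast' or 'p2p')."""
    local = lsdb.get(received.lsp_id)
    verdict = "newer" if local is None else compare(received, local)
    if verdict == "newer":
        lsdb[received.lsp_id] = received
        # broadcast: the DIS re-broadcasts; P2P: acknowledge with a PSNP, then flood
        return "flood" if link == "broadcast" else "ack+flood"
    if verdict == "older":
        return "send-own-copy"   # reply with the newer copy held in the LSDB
    return "drop"                # identical copy: not forwarded, so flooding stops

def csnp_requests(lsdb, csnp):
    """From the LSP headers summarised in a CSNP, return the LSP IDs a router
    must request with a PSNP: those it lacks or holds only an older copy of."""
    return [h.lsp_id for h in csnp
            if h.lsp_id not in lsdb or compare(h, lsdb[h.lsp_id]) == "newer"]
```

The "same" verdict is what keeps a flooded LSP from circulating forever: every copy after the first is dropped.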
2.3 IS-IS Authentication
To ensure network security, IS-IS authentication protects IS-IS packets by adding an authentication field (TLV) to them. When a local router receives IS-IS packets from a remote router, it discards the packets if the authentication passwords do not match, which protects the local router from accepting packets from an unauthenticated source.
Authentication Types
Based on the types of packets, the authentication is classified as follows:
Interface authentication: authenticates Level-1 and Level-2 Hello packets sent and received on IS-IS interfaces using the specified authentication mode and password.
NOTE:
You can configure a router to perform interface authentication in the following ways:
A router sends authentication packets carrying the authentication TLV and verifies the authentication information about the received packets.
A router sends authentication packets carrying the authentication TLV but does not verify the authentication information about the received packets.
Area authentication: authenticates Level-1 LSPs and Level-1 SNPs transmitted in an IS-IS area using the specified authentication mode and password.
Routing domain authentication: authenticates Level-2 LSPs and Level-2 SNPs transmitted in an IS-IS routing domain using the specified authentication mode and password.
NOTE:
In area authentication and routing domain authentication, you can configure a router to authenticate LSPs and SNPs separately in the following ways:
A router sends LSPs and SNPs carrying the authentication TLV and verifies the authentication information about the received LSPs and SNPs.
A router sends LSPs carrying the authentication TLV and verifies the authentication information about the received LSPs. The router sends SNPs carrying the authentication TLV but does not verify the authentication information about the received SNPs.
A router sends LSPs carrying the authentication TLV and verifies the authentication information about the received LSPs. The router sends SNPs without the authentication TLV and does not verify the authentication information about the received SNPs.
A router sends LSPs and SNPs carrying the authentication TLV but does not verify the authentication information about the received LSPs and SNPs.
Based on the authentication modes of packets, authentication is classified into the following types:
Plain text authentication: is a simple authentication mode in which passwords are directly added to packets. This authentication is insecure.
MD5 authentication: uses the MD5 algorithm to produce a digest of the password, so that the password itself is not carried in the packet; this improves password security.
Keychain authentication: further improves network security with a configurable key chain whose keys change over time.
Mode in Which Authentication Information Is Carried
IS-IS provides a TLV to carry authentication information, with the type of the TLV specified as 10.
Type: is defined by the ISO as 10, with a length of 1 byte.
Length: is 1 byte and indicates the length of the authentication contents (the Value field) that follow.
Value: indicates the authentication contents of 1 to 254 bytes, including the authentication type and password.
The authentication type is 1 byte:
Type 0 is reserved.
Type 1 indicates plain text authentication.
Type 54 indicates MD5 authentication.
Type 255 indicates routing domain private authentication methods.
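Building and checking the authentication TLV described above for plain text (type 1) and MD5 (type 54), as an added example that is not code from the Huawei document. It assumes the RFC 5304 HMAC-MD5 procedure (the digest is computed over the whole PDU with the 16-byte digest field zeroed; for LSPs the checksum and remaining lifetime would also be zeroed first, which this example skips), and the PDU header bytes, other TLVs and password are constructed samples.

```python
import hmac, hashlib

TLV_AUTH = 10      # authentication information TLV
AUTH_PLAIN = 1     # value[0]: plain text password
AUTH_MD5 = 54      # value[0]: HMAC-MD5 digest (16 bytes follow)

def build_auth_tlv(auth_type, auth_value):
    """Type (1 byte), Length (1 byte), Value = auth type + contents, 1..254 bytes."""
    if not 1 <= 1 + len(auth_value) <= 254:
        raise ValueError("authentication value must be 1 to 254 bytes")
    return bytes([TLV_AUTH, 1 + len(auth_value), auth_type]) + auth_value

def sign_pdu(header, tlvs, password):
    """Append a type-10/54 TLV: the digest is HMAC-MD5 over the PDU with the
    digest field zeroed (RFC 5304 procedure, assumed here)."""
    placeholder = tlvs + build_auth_tlv(AUTH_MD5, bytes(16))
    mac = hmac.new(password, header + placeholder, hashlib.md5).digest()
    return header + tlvs + build_auth_tlv(AUTH_MD5, mac)

def verify_pdu(pdu, header_len, password):
    """Return True only if the PDU carries a type-10 TLV whose contents match
    the configured password; anything else is discarded by the receiver."""
    header, tlvs = pdu[:header_len], pdu[header_len:]
    i = 0
    while i + 2 <= len(tlvs):
        t, l = tlvs[i], tlvs[i + 1]
        if i + 2 + l > len(tlvs):
            return False                      # truncated TLV: malformed packet
        val = tlvs[i + 2:i + 2 + l]
        if t == TLV_AUTH and val:
            if val[0] == AUTH_PLAIN:
                return hmac.compare_digest(val[1:], password)
            if val[0] == AUTH_MD5 and l == 17:
                zeroed = tlvs[:i + 3] + bytes(16) + tlvs[i + 19:]
                mac = hmac.new(password, header + zeroed, hashlib.md5).digest()
                return hmac.compare_digest(val[1:], mac)
            return False                      # reserved/private/unknown auth type
        i += 2 + l
    return False                              # no authentication TLV at all
```

hmac.compare_digest is used for both modes so that a mismatched password or digest is rejected in constant time.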