Consider extending OSPF by adding a new, hypothetical LSA type. The number could be anything not currently used or defined – LSA type 53, for example. Now, what if a router running older OSPF software does not recognize the new, hypothetical LSA type 53? Should the router flood the LSA further across the network or should the router simply discard the update? To explain what OSPF does with extensions that the router does not understand, it is necessary to borrow a term from BGP terminology. The term is called transitivity. Certain BGP attributes are transitive as the attributes flow from BGP router to BGP router. But the term can be applied to protocols other than BGP. Transitivity means that if a router cannot interpret a given message, the router will flood the message further across the network anyway. Non-transitive behaviour means that a router does not for- ward an LSA that the router cannot interpret in terms of the LSA payload. OSPF is a strictly non-transitive protocol. OSPF routers will not flood LSA types that the routers themselves do not understand. The ramifications of that are a bit depressing. Non-transitive OSPF behaviour means that a new feature cannot be rolled out unless all OSPF routers in a given link-state domain are updated with the new software. Given the fact that the role of the IGP is changing from the narrow role of distributing NLRI infor- mation towards a wider role with regard to a topology discovery function, it might be necessary for new OSPF features of increasing interest to use the flooding sub-system of OSPF for distributing network-wide information. And this information must be spread all over the network, information that not each OSPF speaker must necessarily see. I won’t flood because I do not understand behaviour is not migration-friendly, and there- fore causes a lot of headache for preparing migrations. Fortunately, the issue of OSPF transitivity has been addressed. RFC 2370, The OSPF Opaque LSA Option, describes an enhancement to base OSPF. A set of opaque LSAs is defined in this RFC that correct the problem with OSPF being non-transitive. Instead of using the BGP terminology of transitive, OSPF uses the concept of an LSA that is visible (and understandable) to some OSPF routes and yet not visible to all OSPF routers. The new LSAs are not transparent to all OSPF routers, but opaque to some routers, routers that must still pass on this LSA type through flooding nonetheless. With RFC 2370, type 9, 10 and 11 LSAs now become the universal transport vehicle for routing and topology-related data that need to get distributed by the flooding sub-system of OSPF. With those extensions in place, arbitrary data, including reachability information from other address families such as IPv6, could theoretically be distributed about an OSPF routing domain. A full discus- sion of opaque LSA types in OSPF is not needed in a book on IS-IS. It is enough to note the presence of opaque LSA types in OSPF for the purposes of extensibility. 11.3 Analysis of IS-IS Extensibility IS-IS uses TLVs to encode Hellos, NLRIs, as well as miscellaneous other information needed for the IS-IS routing protocol to function properly. Virtually all these message elem- ents use Type-Length-Value (TLV) encoding to get their data across to other IS-IS routers. 11.3.1 TLV Format Figure 11.4 shows the basic elements for TLV encoding. Analysis of IS-IS Extensibility 289 The first element of the TLV structure is the Type field. The size of the Type field is 8-bits wide, which gives room for 256 different codes. In fact, a lot of documents call this the Code-Length-Value (CLV) structure instead of TLV. But the TLV terminology is much more common and is therefore used here. Type number 0 is reserved for further expansion of the protocol. The Type field is a well-known field that should be understood by all routers in a given link-state domain (ϭ IS-IS level). Next comes the Length field that indicates the length of the payload data, which is stored in the Value field. Why is the Length field needed if the Type code establishes the format of the information in the Value field? As long as all Type codes are well known, it would seem that the router has enough information to decipher the value that the Type contains. But it is not that simple. Let’s invent an example demonstrating the need for a Length field. Suppose we want to encode an IPv4 prefix. What we need is 8 bytes of space in the TLV. Four bytes are for the prefix itself and four bytes are for the Netmask. Next, let’s give this Value field the hypo- thetical Type number, say 47. Because Type Code #47 is well known by all routers running the IS-IS protocol, one could suppose that there could be a rule in the IS-IS protocol that Code 47 always means an implicit length of 8 bytes for the Value field. However, what happens if a router running older software does not recognize our new hypothetical Type Code 47 Message? How is the Length made know to IS-IS routers that do not know what a Type Code 47 is? Even worse, the section of IS-IS code that parses all the incoming routing messages does not know when other messages-codes beyond the Type Code 47 begin, because the code has no indication when the unknown Type Code 47 message ends. Figure 11.5 illustrates the dilemma of the receiving router’s message parser. So an explicit Length field is always needed for TLVs. The Length field is again 8-bits wide, which leaves room for Values up to 255 bytes. Although this may sound like a small 290 11. TLVs and Sub-TLVs Type Length Value 1–255 Bytes 1 1 1–255 1–255 FIGURE 11.4. Basic information encoding in (T)ype (L)ength (V)alue triplets Type Value 47 Bytes 1 ??? 1 Type Value 53 12 The receiver does not know Type #47, and the length of #47 and therefore does not know where #53 starts FIGURE 11.5. Implicit length fields do not work unless all routers know all the Type codes number (just think of a router that has hundreds of adjacencies to advertise) it has turned out to be a sufficient size for most message types. 11.3.2 TLV Encoding For the case of messages larger than 255 bytes, smaller message elements are scattered across multiple occurrences of a given Type Code. Figure 11.6 shows how a large chunk (30 in this case) of IPv4 prefixes are scattered over two occurrences of Type Code 128 messages. Type Code 128, which is not hypothetical, will be discussed in more detail in Chapter 12. The only thing a router needs to know is that the basic message format of TLV #128 is repeated occurrences of IPv4 prefixes, metrics and net masks having a fixed length of 12 bytes. So each IPv4 prefix consumes 12 bytes space in the message. What the TLV encod- ing engine needs to know is the maximum amount of IPv4 prefix data that can be stored in a 255 bytes sized message. As it turns out, the densest packaging is reached when 21 prefixes are squeezed into one TLV encoded message, filling up the message to 252 bytes. That still results in a TLV message space utilization of 98.4 per cent, which is fine for a routing proto- col. The remaining nine prefixes get stored in a second occurrence of a Type #128 message. Interestingly, IS-IS has a uniform Type Code space for both Hellos and NLRIs. This means that an arbitrary TLV can theoretically be present both in all three IS-IS packet types. The three packet types that IS-IS generates are: • IIHs (Hellos) • SNPs (sequence number PDUs) • LSPs (link-state PDUs) Although this uniform Type Code space makes it easier for humans to memorize the defined TLVs, not all TLVs are present in all three IS-IS PDU types. For instance, for authentication information it makes no sense to limit authentication only to IIH packets, because an attacker can do a lot of harm by forging any of the PDU types. Analysis of IS-IS Extensibility 291 Bytes 30 IPv4 prefixes (30 ϫ 12) ϭ 252 bytes Type Length Value 21 IPv4 prefixes (21 ϫ 12) ϭ 252 bytes 128 1 1 252 252 Value 9 IPv4 prefixes (9 ϫ 12) ϭ 108 bytes 108 Type Length 128 1 1 108 FIGURE 11.6. A large chunk of IPv4 prefixes, not fitting in a single TLV encoded message, is scat- tered across multiple occurrences of the same Type Code 292 T ABLE 11.1. The list of TLVs that modern router OSs support. PDU type 15 16 17 18 20 24 25 26 27 LAN p2p TLV Hello Hello LSP CSNP PSNP IS-IS TLVs # Source L1 L2 L1 L2 L1 L2 L1 L2 Area Address 1 ISO10589 X X X X X IS Reachability 2 ISO10589 X X IS Neighbors 6 ISO10589 X X Padding 8 ISO10589 X X X LSP Entry 9 ISO10589 X X X X Authentication 10 ISO10589, RFC3567 X X X X X X X X X Checksum 12 RFC3358 X X X X X X X Extended IS Reachability 22 RFC3784 X X IS Alias 24 RFC3786 X X IP internal Reachability 128 RFC1195, RFC2966 X X Protocols Supported 129 RFC1195 X X X X X IP external Reachability 130 RFC1195, RFC2966 (*) X(*) X IDRP Information 131 RFC1195 X X IP Interface Address 132 RFC1195 X X X X X TE Router ID 134 RFC3784 X X Extended IP Reachability 135 RFC3784 X X Dynamic hostname 137 RFC2763 X X Shared link risk group 138 draft-ietf-isis-gmpls-extensions-19 X X Restart Signaling 211 RFC3847 X X X Multi Topology IS Reachability 222 draft-ietf-isis-wg-multi-topology-07 X X Multi Topologies Supported 229 draft-ietf-isis-wg-multi-topology-07 X X X X X IPv6 Interface Address 232 draft-ietf-isis-ipv6-06 X X X X X Multi Topology IP Reachability 235 draft-ietf-isis-wg-multi-topology-07 X X IPv6 Reachability 236 draft-ietf-isis-ipv6-05 X X Multi Topology IPv6 Reachability 237 draft-ietf-isis-wg-multi-topology-07 X X p2p adjacency state 240 RFC3373 X IIH Sequence Number 241 draft-shen-isis-iih-sequence-00 X X X Vendor Proprietary 250 draft-ietf-isis-experimental-tlv-01 X X X X X X X X X However, the 3-way handshake TLV on point-to-point (p2p) links, for example, only makes sense in p2p IIHs. This is because the problem that this specific TLV #240 is trying to fix is purely related to p2p Hellos, during the startup procedure. Table 11.1 shows a list of the most important TLVs in IS-IS, and in which packet type the TLV might occur. The Type field is an 8-bit entity, which is a relatively small space, given the fact that routing protocols can live dozens of years. In order to not exhaust the 8-bit space throughout the years the protocol designers carried the TLV orientation further inside the TLVs. This concept is called sub-TLVs. 11.3.3 Sub-TLVs Sub-TLVs are used inside a TLV to encapsulate further message elements. Theoretically a dedicated TLV could be used as well for new message elements. This would, however, quickly exhaust the TLV space. The Extended IS Reachability TLV is a good example for use of sub-TLVs. The Extended IS Reachability TLV describes an IS-IS Adjacency and all sorts of link properties like Maximum Link Bandwidth, Link colours, Neighbours, IP addresses, Traffic Engineering metrics and so on. Tcpdump output The Extended IS Reachability TLV #22 carries an additional 69 bytes of link property infor- mation. 11:36:45.587565 OSI, IS-IS, length: 405 L2 LSP, hlen: 27, v: 1, pdu-v: 1, sys-id-len: 6 (0), max-area: 3 (0) lsp-id: 1921.6800.1019.00-00, seq: 0x000002fd, lifetime: 1198s chksum: 0xe984 (correct), PDU length: 405, L1L2 IS [… ] Extended IS Reachability TLV #22, length: 75 IS Neighbor: 1921.6800.1021.00, Metric: 22000, sub-TLVs present (69) IPv4 interface address subTLV #6, length: 4, 172.16.33.6 IPv4 neighbor address subTLV #8, length: 4, 172.16.33.5 Traffic Engineering Metric subTLV #18, length: 3, 22000 Unreserved bandwidth subTLV #11, length: 32 priority level 0: 9953.280 Mbps priority level 1: 9953.280 Mbps priority level 2: 9953.280 Mbps priority level 3: 9953.280 Mbps priority level 4: 9953.280 Mbps priority level 5: 9953.280 Mbps priority level 6: 9953.280 Mbps priority level 7: 9953.280 Mbps Reservable link bandwidth subTLV #10, length: 4, 9953.280 Mbps Maximum link bandwidth subTLV #9, length: 4, 9953.280 Mbps Administrative groups subTLV #3, length: 4, 0x00000000 [… ] Analysis of IS-IS Extensibility 293 In Table 11.2 you can see all current defined sub-TLVs. Chapter 14, “Traffic Engineering and MPLS”, gives a more thorough discussion of the extended IS Reachability TLV which is just discussed here for the aspect of sub-TLVs. Figure 11.7 shows a real-world example of the Extended IS Reachability TLV. In our example TLV, two adjacencies are reported. The first link adjacency is describing link characteristics to Neighbour 1921.6800.1008.00. The cost of using this link during the SPF cycle is 250,000 as described in the Metric field. After the Metric field each TLV ter- minates with an optional sub-TLV length. If the length field is zero, then no further link characteristic are reported for this adjacency. In our example there is indication that there are 11 further bytes of link properties. The next byte contains the first sub-TLV type. Code-point #8 is used to indicate a remote neighbour’s IP address. The sub-TLV Code is followed by a sub-TLV Length which is set to 4. What finally follows is the value of 4 bytes describing the actual Neighbor IP Address. The encoding of the first sub-TLV consumed 1 ϩ 1 ϩ 4 ϭ 6 bytes. So there is still 5 bytes left of sub-TLV information to decode. The next sub-TLV is code-type 18 and the sub-TLV length field indicates 3 bytes of Metric Information. This sub-TLV carries a kind of metric information that is purely related to constrained based routing (CSPF) which is further illustrated in Chapter 14, “Traffic Engineering and MPLS”. The encoding of the second sub-TLV consumed 1 ϩ 1 ϩ 3 ϭ 5 bytes. The original sub-TLVs field of the IS reach adjacency indicated a total sub-TLV length of 11 bytes. What the router tries to find out next is to determine the remaining size of subTLVs – it does so by subtracting the actual offset from the entire TLV length of 33 bytes. So far 22 bytes (the first TLV plus the two sub-TLVs) have been processed so there must be 11 294 11. TLVs and Sub-TLVs TABLE 11.2. The list of sub-TLVs that modern router OSs support. Sub-TLV IS Reach Sub-TLVs # Source Administrative Group 3 RFC3784 Link Local/Remote Identifier 4 RFC3784, draft-ietf-isis-gmpls-extensions-19 Link Remote Identifier 5 RFC3784 IPv4 interface address 6 RFC3784 IPv4 neighbor address 8 RFC3784 Maximum link bandwidth 9 RFC3784 Reservable link bandwidth 10 RFC3784 Unreserved bandwidth 11 RFC3784 Traffic Engineering Metric 18 RFC3784 Link Protection Type 20 draft-ietf-isis-gmpls-extensions-19 Interface Switching Capability 21 draft-ietf-isis-gmpls-extensions-19 Sub-TLV IP Reach Sub-TLVs # Source 32-Bit Administrative Tag 1 draft-ietf-isis-admin-tags-01 64-Bit Administrative Tag 2 draft-ietf-isis-admin-tags-01 Management Prefix Color 117 draft-ietf-isis-wg-multi-topology-07 Analysis of IS-IS Extensibility 295 bytes left. The parser therefore knows that the next 10 bytes is another IS adjacency pointing to neighbour 1921.6800.1019.00 plus an SPF metric of 22000. This second link is not carrying any sub-TLVs hence the sub-TLV length field is being set to zero. It has already been shown that there are several levels of information packaging inside TLVs. The Extended IS Reachability TLV #22 is a good example. It contains several IS neighbours which may contain further sub-TLVs. There is lots of room for all sort of things that can go wrong here. Just imagine what happens if the sub-TLV length is big- ger than the TLV length. Of course this can be avoided by all sorts of clever boundary checking. However, no specification expresses a mandate for boundary checking. In the next section you will learn about IS-IS TLV sanity checking and how vendors have hardened their implementations to catch corrupted information. 11.3.4 TLV Sanity Checking Jon Postel postulated a famous guidance about protocol interoperability: “Be tolerant of what you receive and strict in what you send!” The background was that a protocol’s implementations should never assume that the receiver will get it right and should encode its information as concisely as possible. On the receiving side the rule mandates that the protocol should support error detection and Type Length Neighbor ID sub LV Value 22 Bytes 1 1 ID Length (6) ϩ 1 3 1 1 1 4 Metric subTLVs Length subTLV Type subTLV Length 33 1921.6800.1008.00 250000 8 4 172.16.33.12 subTLV Value subTLV Type subTLV Length 18 3 12000 1 1 3 Neighbour ID ID Length (6) ϩ 1 3 1 Metric subTLVs Length 1921.6800.1019.00 22000 0 11 FIGURE 11.7. The sub-TLV length field of the Extended IS Reachability TLV #22 determines if there are any sub-TLVs following the basic IS reachability information 296 11. TLVs and Sub-TLVs be tolerant about slightly malformed information structures. Link-state routing protocols do not allow implementers to follow that guidance, because of their highly distributed nature. Consider the following example: A router receives a malformed TLV and detects that TLV is malformed. What should the router do? – further flood it or silently discard it and log an error message? ISO 10589 mandates that flooding should be transparent through- out the area. If the flooding stops what might be the biggest harm? Worst case, a routing loop. What happens if the router floods the LSP containing the malicious LSP further? Worst case, it may crash other routers in the network who do not encompass proper TLV sanity checking. In the past 10 years of IS-IS deployment there have been at least 20 major network meltdowns because corrupted LSPs got flooded further across the network. The first occurrence was back in the NSFNet backbone. Dr Rekhter, now a Distinguished Engineer with Juniper Networks, relates the following story: “One thing that happened in the NSFNET backbone concerns the way my code han- dled ISIS link state updates. When a router received an ISIS link state update, the router would do some processing on that update, then flood the update to its neighbors, and then complete the rest of the processing on this update. Due to some bug in the code the last part (“the rest of the processing”) caused router crash. But since the router crashed after it flooded the link state update to its neighbors, the update also caused the neighbors to crash as well, resulting in the overall network meltdown.” Implementers of the IS-IS protocol decided, because of the high inherent risk, to take a closer look to known TLVs and tightly check their formatting. The most common found TLV format tests are discussed in the next three subsections. 11.3.4.1 Maximum Length Checking Each TLV and sub-TLV reports a certain length. The length field is typically an 8-bit field that can express Value fields between 0 and 255 bytes. However, not all TLVs and sub- TLVs can actually consume the full range of 255 bytes. For example, in March 2001 there was a big meltdown in a large US transit carrier’s network. The root cause was that a failing piece of hardware generated a malformed Area TLV #1. Figure 11.8 illustrates the structure of the Area TLV #1. The TLV contains a set of Area Lengths and their corresponding Area-IDs. In the OSI world only Area-IDs between 1–13 bytes length are supported. If the Area-ID is outside that range, then the entire TLV, if not the entire LSP, is highly likely to be corrupted. After parsing the TLV the receiving router did not check for the maximum Area-ID length and overwrote data structures in the SPF algorithm implementation, which were expecting Area-IDs not larger then 13 bytes. The routing software crash did not manifest itself immediately – there was unfortunately enough time to flood the killer LSP further, enough time to crash the entire network. Since that incident, maximum length checking is employed for the Area TLV #1. Continuing that thought there would be other TLVs that could get checked for Minimum and Maximum Length Fields. Table 11.3 lists the minimum and maximum length values for all TLVs. Analysis of IS-IS Extensibility 297 TLV TLV Length 1 Bytes 1 1 1 1–13 Area Length Area ID 1 1–13 Area Length Area ID FIGURE 11.8. The Area TLV #1 lists all the variable length Area that a router participates T ABLE 11.3. Each TLV, due to its structure, has given minimum and maximum values. TLV name TLV # Min. length Max. length Area Length field 1 1 13 IS Reachability 2 12 254 LSP Entry 9 16 240 Authentication (if Authentication 10 17 17 Type ϭ MD5 (54)) Checksum 12 2 2 Maximum LSP Buffer Size 14 2 2 Extended IS Reachability 22 11 – IS Alias 24 8 – IPv4 Internal Reachability 128 12 252 IPv4 External Reachability 130 12 252 IPv4 Interface Address 132 4 252 Traffic Engineering Router ID 134 4 4 Extended IPv4 Reachability 135 5 – Restart Signaling 211 3 3 Multi Topology Extended IS Reachability 222 13 – IPv6 Interface Address 232 16 240 Multi Topology Extended IPv4 Reachability 235 7 – IPv6 Reachability 236 6 p2p Adjacency State 240 1 15 All implementers are encouraged to check each received TLV against Table 11.1. Checking for the minimum TLEB Length Values reveals if there are broken TLVs around. Checking for the maximum value helps to avoid Buffer overruns. 11.3.4.2 Sub-TLV Overrun Checking A sub-TLV parser should verify at any time that the sum of all parsed sub-TLVs does not get bigger than the original TLV minus the TLV specific overhead. Table 11.4 lists all the TLVs that support sub-TLVs and their maximum value they can grow. 298 11. TLVs and Sub-TLVs TABLE 11.4. The sub-TLVs must not consume more space than the TLV offers. TLV name TLV # Max. length Extended IS Reachability 22 244 IS Alias 24 247 Extended IPv4 Reachability 135 250 Multi Topology Extended IS Reachability 222 242 Multi Topology Extended IPv4 Reachability 235 248 IPv6 Reachability 236 249 A receiving router needs to check for two things. First, is the sub-TLV shorter than the maximum value according to Table 11.4? Then, it needs to verify if the sub-TLV is not bigger than the actual TLV length as encoded in the Length value. 11.3.4.3 Discrete Length Checking Some early ISO 10589 TLVs have a very structured layout. Some of the RFC 1195 IP Reach TLVs copied the ISO 10589 style and hence have a similar structured layout as well. That structured layout allows now to predict certain packet sizes. In the right-hand columns of Table 11.5 there is a small formula for each TLV. The factor N is typically the amount of information elements announced in that TLV. For example, a router with three IP addresses would advertise a N * 4 ϭ 3 * 4 ϭ 12 bytes Length Interface Address TLV #132 in is Hello. The final check tries to verify certain patterns in the information elements. TABLE 11.5. Certain TLVs because of their structure only have discrete sizes. TLV name TLV # Formula IS Reachability 2 N * 11 ϩ 1 LSP Entry 9 N * 16 IPv4 Internal Reachability 128 N * 12 IPv4 External Reachability 130 N * 12 IPv4 Interface Address 132 N * 4 IPv6 Interface Address 232 N * 16 p2p Adjacency State 240 1, 5, 11, 15 11.3.4.4 TLV Content Pattern Checking A good example for a pattern check is the Netmask field in the IPv4 Internal and External Reachability TLVs. Although the Netmask field is a 32-bit field, it only allows 33 certain values covering all permutations of prefix lengths. Another example would be the bandwidth values of some Extended IS-Reach #22 sub-TLVs like the Maximum Link Bandwidth sub-TLV #9 can only carry certain discrete bandwidth values. draft-ietf-isis-gmpls-exten- sion-19 gives good guidance on which values are supported. TLV sanity checking is a new discipline which is in contradiction to the fully trans- parent flooding model of ISO 10589. However, it turned out that service providers are happy to trade better stability against flooding transparency especially the one that experi- enced a full-scale network crash due to bogus TLVs that did not get detected. . processing on that update, then flood the update to its neighbors, and then complete the rest of the processing on this update. Due to some bug in the code the last part ( the rest of the processing”) caused. what might be the biggest harm? Worst case, a routing loop. What happens if the router floods the LSP containing the malicious LSP further? Worst case, it may crash other routers in the network. given the fact that routing protocols can live dozens of years. In order to not exhaust the 8-bit space throughout the years the protocol designers carried the TLV orientation further inside the TLVs.