RFC : | rfc9681 |
Title: | DNS Security Extensions (DNSSEC) |
Date: | November 2024 |
Status: | EXPERIMENTAL |
Internet Engineering Task Force (IETF) B. Decraene
Request for Comments: 9681 Orange
Category: Experimental L. Ginsberg
ISSN: 2070-1721 Cisco Systems
T. Li
Juniper Networks, Inc.
G. Solignac
M. Karasek
Cisco Systems
G. Van de Velde
Nokia
T. Przygienda
Juniper
November 2024
IS-IS Fast Flooding
Abstract
Current Link State PDU flooding rates are much slower than what
modern networks can support. The use of IS-IS at larger scale
requires faster flooding rates to achieve desired convergence goals.
This document discusses the need for faster flooding, the issues
around faster flooding, and some example approaches to achieve faster
flooding. It also defines protocol extensions relevant to faster
flooding.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are candidates for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9681.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
2. Requirements Language
3. Historical Behavior
4. Flooding Parameters TLV
4.1. LSP Burst Size Sub-TLV
4.2. LSP Transmission Interval Sub-TLV
4.3. LSPs per PSNP Sub-TLV
4.4. Flags Sub-TLV
4.5. PSNP Interval Sub-TLV
4.6. Receive Window Sub-TLV
4.7. Operation on a LAN Interface
5. Performance Improvement on the Receiver
5.1. Rate of LSP Acknowledgments
5.2. Packet Prioritization on Receive
6. Congestion and Flow Control
6.1. Overview
6.2. Congestion and Flow Control Algorithm
6.3. Transmitter-Based Congestion Control Approach
7. IANA Considerations
7.1. Flooding Parameters TLV
7.2. Registry: IS-IS Sub-TLV for Flooding Parameters TLV
7.3. Registry: IS-IS Bit Values for Flooding Parameters Flags
Sub-TLV
8. Security Considerations
9. References
9.1. Normative References
9.2. Informative References
Acknowledgments
Contributors
Authors' Addresses
1. Introduction
Link state IGPs such as Intermediate System to Intermediate System
(IS-IS) depend upon having consistent Link State Databases (LSDBs) on
all Intermediate Systems (ISs) in the network in order to provide
correct forwarding of data packets. When topology changes occur,
new/updated Link State PDUs (LSPs) are propagated network-wide. The
speed of propagation is a key contributor to convergence time.
IS-IS base specification [ISO10589] does not use flow or congestion
control but static flooding rates. Historically, flooding rates have
been conservative -- on the order of tens of LSPs per second. This
is the result of guidance in the base specification and early
deployments when the CPU and interface speeds were much slower and
the area scale was much smaller than they are today.
As IS-IS is deployed in greater scale both in the number of nodes in
an area and in the number of neighbors per node, the impact of the
historic flooding rates becomes more significant. Consider the
bring-up or failure of a node with 1000 neighbors. This will result
in a minimum of 1000 LSP updates. At typical LSP flooding rates used
today (33 LSPs per second), it would take more than 30 seconds simply
to send the updated LSPs to a given neighbor. Depending on the
diameter of the network, achieving a consistent LSDB on all nodes in
the network could easily take a minute or more.
Therefore, increasing the LSP flooding rate becomes an essential
element of supporting greater network scale.
Improving the LSP flooding rate is complementary to protocol
extensions that reduce LSP flooding traffic by reducing the flooding
topology such as Mesh Groups [RFC2973] or Dynamic Flooding [RFC9667].
Reduction of the flooding topology does not alter the number of LSPs
required to be exchanged between two nodes, so increasing the overall
flooding speed is still beneficial when such extensions are in use.
It is also possible that the flooding topology can be reduced in ways
that prefer the use of neighbors that support improved flooding
performance.
With the goal of supporting faster flooding, this document introduces
the signaling of additional flooding related parameters (Section 4),
specifies some performance improvements on the receiver (Section 5)
and introduces the use of flow and/or congestion control (Section 6).
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Historical Behavior
The base specification for IS-IS [ISO10589] was first published in
1992 and updated in 2002. The update made no changes in regards to
suggested timer values. Convergence targets at the time were on the
order of seconds, and the specified timer values reflect that. Here
are some examples:
| minimumLSPGenerationInterval - This is the minimum time interval
| between generation of Link State PDUs. A source Intermediate
| system shall wait at least this long before regenerating one of
| its own Link State PDUs. [...]
|
| A reasonable value is 30 s.
|
| minimumLSPTransmissionInterval - This is the amount of time an
| Intermediate system shall wait before further propagating
| another Link State PDU from the same source system. [...]
|
| A reasonable value is 5 s.
|
| partialSNPInterval - This is the amount of time between periodic
| action for transmission of Partial Sequence Number PDUs. It
| shall be less than minimumLSPTransmissionInterval. [...]
|
| A reasonable value is 2 s.
Most relevant to a discussion of the LSP flooding rate is the
recommended interval between the transmission of two different LSPs
on a given interface.
For broadcast interfaces, [ISO10589] states:
| minimumBroadcastLSPTransmissionInterval indicates the minimum
| interval between PDU arrivals which can be processed by the
| slowest Intermediate System on the LAN.
The default value was defined as 33 milliseconds. It is permitted to
send multiple LSPs back to back as a burst, but this was limited to
10 LSPs in a one-second period.
Although this value was specific to LAN interfaces, this has commonly
been applied by implementations to all interfaces though that was not
the original intent of the base specification. In fact,
Section 12.1.2.4.3 of [ISO10589] states:
| On point-to-point links the peak rate of arrival is limited only
| by the speed of the data link and the other traffic flowing on
| that link.
Although modern implementations have not strictly adhered to the
33-millisecond interval, it is commonplace for implementations to
limit the flooding rate to the same order of magnitude: tens of
milliseconds, and not the single digits or fractions of milliseconds
that are needed today.
In the past 20 years, significant work on achieving faster
convergence, more specifically sub-second convergence, has resulted
in implementations modifying a number of the above timers in order to
support faster signaling of topology changes. For example,
minimumLSPGenerationInterval has been modified to support millisecond
intervals, often with a backoff algorithm applied to prevent LSP
generation storms in the event of rapid successive oscillations.
However, the flooding rate has not been fundamentally altered.
4. Flooding Parameters TLV
This document defines a new Type-Length-Value (TLV) tuple called the
"Flooding Parameters TLV" that may be included in IS-IS Hellos (IIHs)
or Partial Sequence Number PDUs (PSNPs). It allows IS-IS
implementations to advertise flooding-related parameters and
capabilities that may be used by the peer to support faster flooding.
Type: 21
Length: variable; the size in octets of the Value field
Value: one or more sub-TLVs
Several sub-TLVs are defined in this document. The support of any
sub-TLV is OPTIONAL.
For a given IS-IS adjacency, the Flooding Parameters TLV does not
need to be advertised in each IIH or PSNP. An IS uses the latest
received value for each parameter until a new value is advertised by
the peer. However, as IIHs and PSNPs are not reliably exchanged and
may never be received, parameters SHOULD be sent even if there is no
change in value since the last transmission. For a parameter that
has never been advertised, an IS uses its local default value. That
value SHOULD be configurable on a per-node basis and MAY be
configurable on a per-interface basis.
4.1. LSP Burst Size Sub-TLV
The LSP Burst Size sub-TLV advertises the maximum number of LSPs that
the node can receive without an intervening delay between LSP
transmissions.
Type: 1
Length: 4 octets
Value: number of LSPs that can be received back to back
4.2. LSP Transmission Interval Sub-TLV
The LSP Transmission Interval sub-TLV advertises the minimum
interval, in microseconds, between LSPs arrivals that can be
sustained on this receiving interface.
Type: 2
Length: 4 octets
Value: minimum interval, in microseconds, between two consecutive
LSPs received after LSP Burst Size LSPs have been received
The LSP Transmission Interval is an advertisement of the receiver's
sustainable LSP reception rate. This rate may be safely used by a
sender that does not support the flow control or congestion
algorithm. It may also be used as the minimal safe rate by flow
control or congestion algorithms in unexpected cases, e.g., when the
receiver is not acknowledging LSPs anymore.
4.3. LSPs per PSNP Sub-TLV
The LSP per PSNP (LPP) sub-TLV advertises the number of received LSPs
that triggers the immediate sending of a PSNP to acknowledge them.
Type: 3
Length: 2 octets
Value: number of LSPs acknowledged per PSNP
A node advertising this sub-TLV with a value for LPP MUST send a PSNP
once LPP LSPs have been received and need to be acknowledged.
4.4. Flags Sub-TLV
The sub-TLV Flags advertises a set of flags.
Type: 4
Length: Indicates the length in octets (1-8) of the Value field.
The length SHOULD be the minimum required to send all bits
that are set.
Value: list of flags
0 1 2 3 4 5 6 7 ...
+-+-+-+-+-+-+-+-+...
|O| ...
+-+-+-+-+-+-+-+-+...
An LSP receiver sets the O-flag (Ordered acknowledgment) to indicate
to the LSP sender that it will acknowledge the LSPs in the order as
received. A PSNP acknowledging N LSPs is acknowledging the N oldest
LSPs received. The order inside the PSNP is meaningless. If the
sender keeps track of the order of LSPs sent, this indication allows
for fast detection of the loss of an LSP. This MUST NOT be used to
alter the retransmission timer for any LSP. This MAY be used to
trigger a congestion signal.
4.5. PSNP Interval Sub-TLV
The PSNP Interval sub-TLV advertises the amount of time in
milliseconds between periodic action for transmission of PSNPs. This
time will trigger the sending of a PSNP even if the number of
unacknowledged LSPs received on a given interface does not exceed LPP
(Section 4.3). The time is measured from the reception of the first
unacknowledged LSP.
Type: 5
Length: 2 octets
Value: partialSNPInterval in milliseconds
A node advertising this sub-TLV SHOULD send a PSNP at least once per
PSNP Interval if one or more unacknowledged LSPs have been received
on a given interface.
4.6. Receive Window Sub-TLV
The Receive Window (RWIN) sub-TLV advertises the maximum number of
unacknowledged LSPs that the node can receive for a given adjacency.
Type: 6
Length: 2 octets
Value: maximum number of unacknowledged LSPs
4.7. Operation on a LAN Interface
On a LAN interface, all LSPs are link-level multicasts. Each LSP
sent will be received by all ISs on the LAN, and each IS will receive
LSPs from all transmitters. In this section, we clarify how the
flooding parameters should be interpreted in the context of a LAN.
An LSP receiver on a LAN will communicate its desired flooding
parameters using a single Flooding Parameters TLV, which will be
received by all LSP transmitters. The flooding parameters sent by
the LSP receiver MUST be understood as instructions from the LSP
receiver to each LSP transmitter about the desired maximum transmit
characteristics of each transmitter. The receiver is aware that
there are multiple transmitters that can send LSPs to the receiver
LAN interface. The receiver might want to take that into account by
advertising more conservative values, e.g., a higher LSP Transmission
Interval. When the transmitters receive the LSP Transmission
Interval value advertised by an LSP receiver, the transmitters should
rate-limit LSPs according to the advertised flooding parameters.
They should not apply any further interpretation to the flooding
parameters advertised by the receiver.
A given LSP transmitter will receive multiple flooding parameter
advertisements from different receivers that may include different
flooding parameter values. A given transmitter SHOULD use the most
conservative value on a per-parameter basis. For example, if the
transmitter receives multiple LSP Burst Size values, it should use
the smallest value.
The Designated Intermediate System (DIS) plays a special role in the
operation of flooding on the LAN as it is responsible for responding
to PSNPs sent on the LAN circuit that are used to request LSPs that
the sender of the PSNP does not have. If the DIS does not support
faster flooding, this will impact the maximum flooding speed that
could occur on a LAN. Use of LAN priority to prefer a node that
supports faster flooding in the DIS election may be useful.
Note: The focus of work used to develop the example algorithms
discussed later in this document focused on operation over point-to-
point interfaces. A full discussion of how best to do faster
flooding on a LAN interface is therefore out of scope for this
document.
5. Performance Improvement on the Receiver
This section defines two behaviors that SHOULD be implemented on the
receiver.
5.1. Rate of LSP Acknowledgments
On point-to-point networks, PSNPs provide acknowledgments for
received LSPs. [ISO10589] suggests using some delay when sending
PSNPs. This provides some optimization as multiple LSPs can be
acknowledged by a single PSNP.
Faster LSP flooding benefits from a faster feedback loop. This
requires a reduction in the delay in sending PSNPs.
For the generation of PSNPs, the receiver SHOULD use a
partialSNPInterval smaller than the one defined in [ISO10589]. The
choice of this lower value is a local choice. It may depend on the
available processing power of the node, the number of adjacencies,
and the requirement to synchronize the LSDB more quickly. 200 ms
seems to be a reasonable value.
In addition to the timer-based partialSNPInterval, the receiver
SHOULD keep track of the number of unacknowledged LSPs per circuit
and level. When this number exceeds a preset threshold of LSPs per
PSNP (LPP), the receiver SHOULD immediately send a PSNP without
waiting for the PSNP timer to expire. In the case of a burst of
LSPs, this allows more frequent PSNPs, giving faster feedback to the
sender. Outside of the burst case, the usual timer-based PSNP
approach comes into effect.
The smaller the LPP is, the faster the feedback to the sender and
possibly the higher the rate if the rate is limited by the end-to-end
RTT (link RTT + time to acknowledge). This may result in an increase
in the number of PSNPs sent, which may increase CPU and IO load on
both the sender and receiver. The LPP should be less than or equal
to 90 as this is the maximum number of LSPs that can be acknowledged
in a PSNP at common MTU sizes; hence, waiting longer would not reduce
the number of PSNPs sent but would delay the acknowledgments. LPP
should not be chosen too high as the congestion control starts with a
congestion window of LPP + 1. Based on experimental evidence, 15
unacknowledged LSPs is a good value, assuming that the Receive Window
is at least 30. More frequent PSNPs give the transmitter more
feedback on receiver progress, allowing the transmitter to continue
transmitting while not burdening the receiver with undue overhead.
By deploying both the timer-based and the threshold-based PSNP
approaches, the receiver can be adaptive to both LSP bursts and
infrequent LSP updates.
As PSNPs also consume link bandwidth, packet-queue space, and
protocol-processing time on receipt, the increased sending of PSNPs
should be taken into account when considering the rate at which LSPs
can be sent on an interface.
5.2. Packet Prioritization on Receive
There are three classes of PDUs sent by IS-IS:
* Hellos
* LSPs
* SNPs (Complete Sequence Number PDUs (CSNPs) and PSNPs)
Implementations today may prioritize the reception of Hellos over
LSPs and Sequence Number PDUs (SNPs) in order to prevent a burst of
LSP updates from triggering an adjacency timeout, which in turn would
require additional LSPs to be updated.
CSNPs and PSNPs serve to trigger or acknowledge the transmission of
specified LSPs. On a point-to-point link, PSNPs acknowledge the
receipt of one or more LSPs. For this reason, [ISO10589] specifies a
delay (partialSNPInterval) before sending a PSNP so that the number
of PSNPs required to be sent is reduced. On receipt of a PSNP, the
set of LSPs acknowledged by that PSNP can be marked so that they do
not need to be retransmitted.
If a PSNP is dropped on reception, the set of LSPs advertised in the
PSNP cannot be marked as acknowledged, and this results in needless
retransmissions that further delay transmission of other LSPs that
are yet to be transmitted. It may also make it more likely that a
receiver becomes overwhelmed by LSP transmissions.
Therefore, implementations SHOULD prioritize IS-IS PDUs on the way
from the incoming interface to the IS-IS process. The relative
priority of packets in decreasing order SHOULD be: Hellos, SNPs, and
LSPs. Implementations MAY also prioritize IS-IS packets over other
protocols, which are less critical for the router or network, less
sensitive to delay, or more bursty (e.g., BGP).
6. Congestion and Flow Control
6.1. Overview
Ensuring the goodput between two entities is a Layer 4 responsibility
as per the OSI model. A typical example is the TCP protocol defined
in [RFC9293] that provides flow control, congestion control, and
reliability.
Flow control creates a control loop between a transmitter and a
receiver so that the transmitter does not overwhelm the receiver.
TCP provides a means for the receiver to govern the amount of data
sent by the sender through the use of a sliding window.
Congestion control prevents the set of transmitters from overwhelming
the path of the packets between two IS-IS implementations. This path
typically includes a point-to-point link between two IS-IS neighbors,
which is usually oversized compared to the capability of the IS-IS
speakers, but potentially also includes some internal elements inside
each neighbor such as switching fabric, line card CPU, and forwarding
plane buffers that may experience congestion. These resources may be
shared across multiple IS-IS adjacencies for the system, and it is
the responsibility of congestion control to ensure that these are
shared reasonably.
Reliability provides loss detection and recovery. IS-IS already has
mechanisms to ensure the reliable transmission of LSPs. This is not
changed by this document.
Sections 6.2 and 6.3 provide two flow and/or congestion control
algorithms that may be implemented by taking advantage of the
extensions defined in this document. The signal that these IS-IS
extensions (defined in Sections 4 and 5) provide is generic and is
designed to support different sender-side algorithms. A sender can
unilaterally choose a different algorithm to use.
6.2. Congestion and Flow Control Algorithm
6.2.1. Flow Control
A flow control mechanism creates a control loop between a single
transmitter and a single receiver. This section uses a mechanism
similar to the TCP receive window to allow the receiver to govern the
amount of data sent by the sender. This receive window (RWIN)
indicates an allowed number of LSPs that the sender may transmit
before waiting for an acknowledgment. The size of the receive
window, in units of LSPs, is initialized with the value advertised by
the receiver in the Receive Window sub-TLV. If no value is
advertised, the transmitter should initialize RWIN with its locally
configured value for this receiver.
When the transmitter sends a set of LSPs to the receiver, it
subtracts the number of LSPs sent from RWIN. If the transmitter
receives a PSNP, then RWIN is incremented for each acknowledged LSP.
The transmitter must ensure that the value of RWIN never goes
negative.
The RWIN value is of importance when the RTT is the limiting factor
for the throughput. In this case, the optimal size is the desired
LSP rate multiplied by the RTT. The RTT is the addition of the link
RTT plus the time taken by the receiver to acknowledge the first
received LSP in its PSNP. The values 50 or 100 may be reasonable
default numbers for RWIN. As an example, an RWIN of 100 requires a
control plane input buffer of 150 kbytes per neighbor (assuming an
IS-IS MTU of 1500 octets) and limits the throughput to 10000 LSPs per
second and per neighbor for a link RTT of 10 ms. With the same RWIN,
the throughput limitation is 2000 LSPs per second when the RTT is 50
ms. That's the maximum throughput assuming no other limitations such
as CPU limitations.
Equally, RTT is of importance for the performance. That is why the
performance improvements on the receiver specified in Section 5 are
important to achieve good throughput. If the receiver does not
support those performance improvements, in the worst case (small RWIN
and high RTT) the throughput will be limited by the LSP Transmission
Interval as defined in Section 4.2.
6.2.1.1. Operation on a Point-to-Point Interface
By sending the Receive Window sub-TLV, a node advertises to its
neighbor its ability to receive that many unacknowledged LSPs from
the neighbor. This is akin to a receive window or sliding window in
flow control. In some implementations, this value should reflect the
IS-IS socket buffer size. Special care must be taken to leave space
for CSNPs, PSNPs, and IIHs if they share the same input queue. In
this case, this document suggests advertising an LSP Receive Window
corresponding to half the size of the IS-IS input queue.
By advertising an LSP Transmission Interval sub-TLV, a node
advertises its ability to receive LSPs separated by at least the
advertised value, outside of LSP bursts.
By advertising an LSP Burst Size sub-TLV, a node advertises its
ability to receive that number of LSPs back to back.
The LSP transmitter MUST NOT exceed these parameters. After having
sent a full burst of LSPs, it MUST send the subsequent LSPs with a
minimum of LSP Transmission Interval between LSP transmissions. For
CPU scheduling reasons, this rate MAY be averaged over a small
period, e.g., 10-30 ms.
If either the LSP transmitter or receiver does not adhere to these
parameters, for example, because of transient conditions, this
doesn't result in a fatal condition for IS-IS operation. In the
worst case, an LSP is lost at the receiver, and this situation is
already remedied by mechanisms in [ISO10589]. After a few seconds,
neighbors will exchange PSNPs (for point-to-point interfaces) or
CSNPs (for broadcast interfaces) and recover from the lost LSPs.
This worst case should be avoided as those additional seconds impact
convergence time since the LSDB is not fully synchronized. Hence, it
is better to err on the conservative side and to under-run the
receiver rather than over-run it.
6.2.1.2. Operation on a Broadcast LAN Interface
Flow and congestion control on a LAN interface is out of scope for
this document.
6.2.2. Congestion Control
Whereas flow control prevents the sender from overwhelming the
receiver, congestion control prevents senders from overwhelming the
network. For an IS-IS adjacency, the network between two IS-IS
neighbors is relatively limited in scope and includes a single link
that is typically oversized compared to the capability of the IS-IS
speakers. In situations where the probability of LSP drop is low,
flow control (Section 6.2.1) is expected to give good results,
without the need to implement congestion control. Otherwise, adding
congestion control will help handling congestion of LSPs in the
receiver.
This section describes one sender-side congestion control algorithm
largely inspired by the TCP congestion control algorithm [RFC5681].
The proposed algorithm uses a variable congestion window 'cwin'. It
plays a role similar to the receive window described above. The main
difference is that cwin is adjusted dynamically according to various
events described below.
6.2.2.1. Core Algorithm
In its simplest form, the congestion control algorithm looks like the
following:
+---------------+
| |
| v
| +----------------------+
| | Congestion avoidance |
| + ---------------------+
| |
| | Congestion signal
----------------+
Figure 1
The algorithm starts with cwin = cwin0 = LPP + 1. In the congestion
avoidance phase, cwin increases as LSPs are acked: for every acked
LSP, cwin += 1 / cwin without exceeding RWIN. When LSPs are
exchanged, cwin LSPs will be acknowledged in 1 RTT, meaning cwin(t) =
t/RTT + cwin0. Since the RTT is low in many IS-IS deployments, the
sending rate can reach fast rates in short periods of time.
When updating cwin, it must not become higher than the number of LSPs
waiting to be sent, otherwise the sending will not be paced by the
receiving of acks. Said differently, transmission pressure is needed
to maintain and increase cwin.
When the congestion signal is triggered, cwin is set back to its
initial value, and the congestion avoidance phase starts again.
6.2.2.2. Congestion Signals
The congestion signal can take various forms. The more reactive the
congestion signals, the fewer LSPs will be lost due to congestion.
However, overly aggressive congestion signals will cause a sender to
keep a very low sending rate even without actual congestion on the
path.
Two practical signals are given below.
1. Delay: When receiving acknowledgments, a sender estimates the
acknowledgment time of the receiver. Based on this estimation,
it can infer that a packet was lost and that the path is
congested.
There can be a timer per LSP, but this can become costly for
implementations. It is possible to use only a single timer t1
for all LSPs: during t1, sent LSPs are recorded in a list list_1.
Once the RTT is over, list_1 is kept and another list, list_2, is
used to store the next LSPs. LSPs are removed from the lists
when acked. At the end of the second t1 period, every LSP in
list_1 should have been acked, so list_1 is checked to be empty.
list_1 can then be reused for the next RTT.
There are multiple strategies to set the timeout value t1. It
should be based on measurements of the maximum acknowledgment
time (MAT) of each PSNP. Using three times the RTT is the
simplest strategy; alternatively, an exponential moving average
of the MATs, as described in [RFC6298], can be used. A more
elaborate one is to take a running maximum of the MATs over a
period of a few seconds. This value should include a margin of
error to avoid false positives (e.g., estimated MAT measure
variance), which would have a significant impact on performance.
2. Loss: if the receiver has signaled the O-flag (see Section 4.4),
a sender MAY record its sending order and check that
acknowledgments arrive in the same order. If not, some LSPs are
missing, and this MAY be used to trigger a congestion signal.
6.2.2.3. Refinement
With the algorithm presented above, if congestion is detected, cwin
goes back to its initial value and does not use the information
gathered in previous congestion avoidance phases.
It is possible to use a fast recovery phase once congestion is
detected and to avoid going through this linear rate of growth from
scratch. When congestion is detected, a fast recovery threshold
frthresh is set to frthresh = cwin / 2. In this fast recovery phase,
for every acked LSP, cwin += 1. Once cwin reaches frthresh, the
algorithm goes back to the congestion avoidance phase.
+---------------+
| |
| v
| +----------------------+
| | Congestion avoidance |
| + ---------------------+
| |
| | Congestion signal
| |
| +----------------------+
| | Fast recovery |
| +----------------------+
| |
| | frthresh reached
----------------+
Figure 2
6.2.2.4. Remarks
This algorithm's performance is dependent on the LPP value. Indeed,
the smaller the LPP is, the more information is available for the
congestion control algorithm to perform well. However, it also
increases the resources spent on sending PSNPs, so a trade-off must
be made. This document recommends using an LPP of 15 or less. If a
Receive Window is advertised, LPP SHOULD be lower, and the best
performance is achieved when LPP is an integer fraction of the
Receive Window.
Note that this congestion control algorithm benefits from the
extensions proposed in this document. The advertisement of a receive
window from the receiver (Section 6.2.1) avoids the use of an
arbitrary maximum value by the sender. The faster acknowledgment of
LSPs (Section 5.1) allows for a faster control loop and hence a
faster increase of the congestion window in the absence of
congestion.
6.2.3. Pacing
As discussed in [RFC9002], Section 7.7, a sender SHOULD pace sending
of all in-flight LSPs based on input from the congestion controller.
Sending multiple packets without any delay between them creates a
packet burst that might cause short-term congestion and losses.
Senders MUST either use pacing or limit such bursts. Senders SHOULD
limit bursts to LSP Burst Size.
Senders can implement pacing as they choose. A perfectly paced
sender spreads packets evenly over time. For a window-based
congestion controller, such as the one in this section, that rate can
be computed by averaging the congestion window over the RTT.
Expressed as an inter-packet interval in units of time:
interval = (SRTT / cwin) / N
SRTT is the Smoothed Round-Trip Time [RFC6298].
Using a value for N that is small, but at least 1 (for example,
1.25), ensures that variations in RTT do not result in
underutilization of the congestion window.
Practical considerations, such as scheduling delays and computational
efficiency, can cause a sender to deviate from this rate over time
periods that are much shorter than an RTT.
One possible implementation strategy for pacing uses a leaky bucket
algorithm, where the capacity of the "bucket" is limited to the
maximum burst size, and the rate that the "bucket" fills is
determined by the above function.
6.2.4. Determining Values to be Advertised in the Flooding Parameters
TLV
The values that a receiver advertises do not need to be perfect. If
the values are too low, then the transmitter will not use the full
bandwidth or available CPU resources. If the values are too high,
then the receiver may drop some LSPs during the first RTT, and this
loss will reduce the usable receive window, and the protocol
mechanisms will allow the adjacency to recover. Flooding slower than
both nodes can support will hurt performance as will consistently
overloading the receiver.
6.2.4.1. Static Values
The values advertised need not be dynamic, as feedback is provided by
the acknowledgment of LSPs in SNP messages. Acknowledgments provide
a feedback loop on how fast the LSPs are processed by the receiver.
They also signal that the LSPs can be removed from the receive
window, explicitly signaling to the sender that more LSPs may be
sent. By advertising relatively static parameters, we expect to
produce overall flooding behavior similar to what might be achieved
by manually configuring per-interface LSP rate-limiting on all
interfaces in the network. The advertised values could be based, for
example, on offline tests of the overall LSP-processing speed for a
particular set of hardware and the number of interfaces configured
for IS-IS. With such a formula, the values advertised in the
Flooding Parameters TLV would only change when additional IS-IS
interfaces are configured.
Static values are dependent on the CPU generation, class of router,
and network scaling, typically the number of adjacent neighbors.
Examples at the time of publication are provided below. The LSP
Burst Size could be in the range 5 to 20. From a router perspective,
this value typically depends on the queue(s) size(s) on the I/O path
from the packet forwarding engine to the control plane, which is very
platform-dependent. It also depends upon how many IS-IS neighbors
share this I/O path, as typically all neighbors will send the same
LSPs at the same time. It may also depend on other incoming control
plane traffic that is sharing that I/O path, how bursty they are, and
how many incoming IS-IS packets are prioritized over other incoming
control plane traffic. As indicated in Section 3, the historical
behavior from [ISO10589] allows a value of 10; hence, 10 seems
conservative. From a network operation perspective, it would be
beneficial for the burst size to be equal to or higher than the
number of LSPs that may be originated by a single failure. For a
node failure, this is equal to the number of IS-IS neighbors of the
failed node. The LSP Transmission Interval could be in the range of
1 ms to 33 ms. As indicated in Section 3, the historical behavior
from [ISO10589] is 33 ms; hence, 33 ms is conservative. The LSP
Transmission Interval is an advertisement of the receiver's
sustainable LSP reception rate taking into account all aspects and
particularly the control plane CPU and the I/O bandwidth. It's
expected to improve (hence, decrease) as hardware and software
naturally improve over time. It should be chosen conservatively, as
this rate may be used by the sender in all conditions -- including
the worst conditions. It's also not a bottleneck as the flow control
algorithm may use a higher rate in good conditions, particularly when
the receiver acknowledges quickly, and the receive window is large
enough compared to the RTT. LPP could be in the range of 5 to 90
with a proposed 15. A smaller value provides faster feedback at the
cost of the small overhead of more PSNP messages. PartialSNPInterval
could be in the range 50 to 500 ms with a proposed value of 200 ms.
One may distinguish the value used locally from the value signaled to
the sender. The value used locally benefits from being small but is
not expected to be the main parameter to improve performance. It
depends on how fast the IS-IS flooding process may be scheduled by
the CPU. Even when the receiver CPU is busy, it's safe because it
will naturally delay its acknowledgments, which provides a negative
feedback loop. The value advertised to the sender should be
conservative (high enough) as this value could be used by the sender
to send some LSPs rather than keep waiting for acknowledgments.
Receive Window could be in the range of 30 to 200 with a proposed
value of 60. In general, the larger the better the performance on
links with high RTT. The higher that number and the higher the
number of IS-IS neighbors, the higher the use of control plane
memory, so it's mostly dependent on the amount of memory, which may
be dedicated to IS-IS flooding and the number of IS-IS neighbors.
From a memory usage perspective (a priori), one could use the same
value as the TCP receive window, but the value advertised should not
be higher than the buffer of the "socket" used.
6.2.4.2. Dynamic Values
To reflect the relative change of load on the receiver, the values
may be updated dynamically by improving the values when the receiver
load is getting lower and by degrading the values when the receiver
load is getting higher. For example, if LSPs are regularly dropped,
or if the queue regularly comes close to being filled, then the
values may be too high. On the other hand, if the queue is barely
used (by IS-IS), then the values may be too low.
Alternatively, the values may be computed to reflect the relevant
average hardware resources, e.g., the amount of buffer space used by
incoming LSPs. In this case, care must be taken when choosing the
parameters influencing the values in order to avoid undesirable or
unstable feedback loops. For example, it would be undesirable to use
a formula that depends on an active measurement of the instantaneous
CPU load to modify the values advertised in the Flooding Parameters
TLV. This could introduce feedback into the IGP flooding process
that could produce unexpected behavior.
6.2.5. Operational Considerations
As discussed in Section 4.7, the solution is more effective on point-
to-point adjacencies. Hence, a broadcast interface (e.g., Ethernet)
only shared by two IS-IS neighbors should be configured as point-to-
point in order to have more effective flooding.
6.3. Transmitter-Based Congestion Control Approach
This section describes an approach to the congestion control
algorithm based on performance measured by the transmitter without
dependence on signaling from the receiver.
6.3.1. Router Architecture Discussion
Note that the following description is an abstraction; implementation
details vary.
Existing router architectures may utilize multiple input queues. On
a given line card, IS-IS PDUs from multiple interfaces may be placed
in a rate-limited input queue. This queue may be dedicated to IS-IS
PDUs or may be shared with other routing related packets.
The input queue may then pass IS-IS PDUs to a "punt queue", which is
used to pass PDUs from the data plane to the control plane. The punt
queue typically also has controls on its size and the rate at which
packets will be punted.
An input queue in the control plane may then be used to assemble PDUs
from multiple line cards, separate the IS-IS PDUs from other types of
packets, and place the IS-IS PDUs in an input queue dedicated to the
IS-IS protocol.
The IS-IS input queue then separates the IS-IS PDUs and directs them
to an instance-specific processing queue. The instance-specific
processing queue may then further separate the IS-IS PDUs by type
(IIHs, SNPs, and LSPs) so that separate processing threads with
varying priorities may be employed to process the incoming PDUs.
In such an architecture, it may be difficult for IS-IS in the control
plane to determine what value should be advertised as a receive
window.
The following section describes an approach to congestion control
based on performance measured by the transmitter without dependence
on signaling from the receiver.
6.3.2. Guidelines for Transmitter-Side Congestion Controls
The approach described in this section does not depend upon direct
signaling from the receiver. Instead, it adapts the transmission
rate based on measurement of the actual rate of acknowledgments
received.
Flow control is not used by this approach. When congestion control
is necessary, it can be implemented based on knowledge of the current
flooding rate and the current acknowledgment rate. The algorithm
used is a local matter. There is no requirement to standardize it,
but there are a number of aspects that serve as guidelines that can
be described. Algorithms based on this approach should follow the
recommendations described below.
A maximum LSP transmission rate (LSPTxMax) should be configurable.
This represents the fastest LSP transmission rate that will be
attempted. This value should be applicable to all interfaces and
should be consistent network wide.
When the current rate of LSP transmission (LSPTxRate) exceeds the
capabilities of the receiver, the congestion control algorithm needs
to quickly and aggressively reduce the LSPTxRate. Slower
responsiveness is likely to result in a larger number of
retransmissions, which can introduce much longer delays in
convergence.
Dynamic increase of the rate of LSP transmission (LSPTxRate), i.e.,
making the rate faster, should be done less aggressively and only be
done when the neighbor has demonstrated its ability to sustain the
current LSPTxRate.
The congestion control algorithm should not assume that the receive
performance of a neighbor is static, i.e., it should handle transient
conditions that result in a slower or faster receive rate on the part
of a neighbor.
The congestion control algorithm should consider the expected delay
time in receiving an acknowledgment. Therefore, it incorporates the
neighbor partialSNPInterval (Section 4.5) to help determine whether
acknowledgments are keeping pace with the rate of LSPs transmitted.
In the absence of an advertisement of partialSNPInterval, a locally
configured value can be used.
7. IANA Considerations
7.1. Flooding Parameters TLV
IANA has made the following allocation in the "IS-IS Top-Level TLV
Codepoints" registry.
+=======+=========================+=====+=====+=====+=======+
| Value | Name | IIH | LSP | SNP | Purge |
+=======+=========================+=====+=====+=====+=======+
| 21 | Flooding Parameters TLV | y | n | y | n |
+-------+-------------------------+-----+-----+-----+-------+
Table 1
7.2. Registry: IS-IS Sub-TLV for Flooding Parameters TLV
IANA has created the following sub-TLV registry in the "IS-IS TLV
Codepoints" registry group.
Name: IS-IS Sub-TLVs for Flooding Parameters TLV
Registration Procedure(s): Expert Review
Description: This registry defines sub-TLVs for the Flooding
Parameters TLV (21).
Reference: RFC 9681
+=======+===========================+
| Type | Description |
+=======+===========================+
| 0 | Reserved |
+-------+---------------------------+
| 1 | LSP Burst Size |
+-------+---------------------------+
| 2 | LSP Transmission Interval |
+-------+---------------------------+
| 3 | LSPs per PSNP |
+-------+---------------------------+
| 4 | Flags |
+-------+---------------------------+
| 5 | PSNP Interval |
+-------+---------------------------+
| 6 | Receive Window |
+-------+---------------------------+
| 7-255 | Unassigned |
+-------+---------------------------+
Table 2: Initial Sub-TLV
Allocations for Flooding
Parameters TLV
7.3. Registry: IS-IS Bit Values for Flooding Parameters Flags Sub-TLV
IANA has created a new registry, in the "IS-IS TLV Codepoints"
registry group, for assigning Flag bits advertised in the Flags sub-
TLV.
Name: IS-IS Bit Values for Flooding Parameters Flags Sub-TLV
Registration Procedure: Expert Review
Description: This registry defines bit values for the Flags sub-TLV
(4) advertised in the Flooding Parameters TLV (21).
Note: In order to minimize encoding space, a new allocation should
pick the smallest available value.
Reference: RFC 9681
+=======+=================================+
| Bit # | Description |
+=======+=================================+
| 0 | Ordered acknowledgment (O-flag) |
+-------+---------------------------------+
| 1-63 | Unassigned |
+-------+---------------------------------+
Table 3: Initial Bit Allocations for
Flags Sub-TLV
8. Security Considerations
Security concerns for IS-IS are addressed in [ISO10589], [RFC5304],
and [RFC5310]. These documents describe mechanisms that provide for
the authentication and integrity of IS-IS PDUs, including SNPs and
IIHs. These authentication mechanisms are not altered by this
document.
With the cryptographic mechanisms described in [RFC5304] and
[RFC5310], an attacker wanting to advertise an incorrect Flooding
Parameters TLV would have to first defeat these mechanisms.
In the absence of cryptographic authentication, as IS-IS does not run
over IP but directly over the link layer, it's considered difficult
to inject a false SNP or IIH without having access to the link layer.
If a false SNP or IIH is sent with a Flooding Parameters TLV set to
conservative values, the attacker can reduce the flooding speed
between the two adjacent neighbors, which can result in LSDB
inconsistencies and transient forwarding loops. However, it is not
significantly different than filtering or altering LSPs, which would
also be possible with access to the link layer. In addition, if the
downstream flooding neighbor has multiple IGP neighbors (which is
typically the case for reliability or topological reasons), it would
receive LSPs at a regular speed from its other neighbors and hence
would maintain LSDB consistency.
If a false SNP or IIH is sent with a Flooding Parameters TLV set to
aggressive values, the attacker can increase the flooding speed,
which can either overload a node or more likely cause loss of LSPs.
However, it is not significantly different than sending many LSPs,
which would also be possible with access to the link layer, even with
cryptographic authentication enabled. In addition, IS-IS has
procedures to detect the loss of LSPs and recover.
This TLV advertisement is not flooded across the network but only
sent between adjacent IS-IS neighbors. This would limit the
consequences in case of forged messages and also limit the
dissemination of such information.
9. References
9.1. Normative References
[ISO10589] ISO/IEC, "Information technology - Telecommunications and
information exchange between systems - Intermediate system
to Intermediate system intra-domain routeing information
exchange protocol for use in conjunction with the protocol
for providing the connectionless-mode network service (ISO
8473)", Second Edition, ISO/IEC 10589:2002, November 2002,
<https://www.iso.org/standard/30932.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic
Authentication", RFC 5304, DOI 10.17487/RFC5304, October
2008, <https://www.rfc-editor.org/info/rfc5304>.
[RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R.,
and M. Fanto, "IS-IS Generic Cryptographic
Authentication", RFC 5310, DOI 10.17487/RFC5310, February
2009, <https://www.rfc-editor.org/info/rfc5310>.
[RFC6298] Paxson, V., Allman, M., Chu, J., and M. Sargent,
"Computing TCP's Retransmission Timer", RFC 6298,
DOI 10.17487/RFC6298, June 2011,
<https://www.rfc-editor.org/info/rfc6298>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References
[RFC2973] Balay, R., Katz, D., and J. Parker, "IS-IS Mesh Groups",
RFC 2973, DOI 10.17487/RFC2973, October 2000,
<https://www.rfc-editor.org/info/rfc2973>.
[RFC5681] Allman, M., Paxson, V., and E. Blanton, "TCP Congestion
Control", RFC 5681, DOI 10.17487/RFC5681, September 2009,
<https://www.rfc-editor.org/info/rfc5681>.
[RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", RFC 9002, DOI 10.17487/RFC9002,
May 2021, <https://www.rfc-editor.org/info/rfc9002>.
[RFC9293] Eddy, W., Ed., "Transmission Control Protocol (TCP)",
STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022,
<https://www.rfc-editor.org/info/rfc9293>.
[RFC9667] Li, T., Ed., Psenak, P., Ed., Chen, H., Jalil, L., and S.
Dontula, "Dynamic Flooding on Dense Graphs", RFC 9667,
DOI 10.17487/RFC9667, October 2024,
<https://www.rfc-editor.org/info/rfc9667>.
Acknowledgments
The authors would like to thank Henk Smit, Sarah Chen, Xuesong Geng,
Pierre Francois, Hannes Gredler, Acee Lindem, Mirja Kühlewind,
Zaheduzzaman Sarker, and John Scudder for their reviews, comments,
and suggestions.
The authors would like to thank David Jacquet, Sarah Chen, and
Qiangzhou Gao for the tests performed on commercial implementations
and for their identification of some limiting factors.
Contributors
The following people gave substantial contributions to the content of
this document and should be considered as coauthors:
Jayesh J
Ciena
Email: jayesh.ietf@gmail.com
Chris Bowers
Juniper Networks
Email: cbowers@juniper.net
Peter Psenak
Cisco Systems
Email: ppsenak@cisco.com
Authors' Addresses
Bruno Decraene
Orange
Email: bruno.decraene@orange.com
Les Ginsberg
Cisco Systems
821 Alder Drive
Milpitas, CA 95035
United States of America
Email: ginsberg@cisco.com
Tony Li
Juniper Networks, Inc.
Email: tony.li@tony.li
Guillaume Solignac
Email: gsoligna@protonmail.com
Marek Karasek
Cisco Systems
Pujmanove 1753/10a, Prague 4 - Nusle
10 14000 Prague
Czech Republic
Email: mkarasek@cisco.com
Gunter Van de Velde
Nokia
Copernicuslaan 50
2018 Antwerp
Belgium
Email: gunter.van_de_velde@nokia.com
Tony Przygienda
Juniper
1133 Innovation Way
Sunnyvale, CA 94089
United States of America
Email: prz@juniper.net
ERRATA