Overview

IS-IS is a dynamic routing protocol developed by the International Organization for Standardization (ISO) and commonly referred to as ISO 10589. The original development of IS-IS was done at Digital Equipment Corporation for Phase V DECnet. The motivation to standardize IS-IS, however, was through the efforts of the American National Standards Institute (ANSI) X3S3.3 Network and Transport Layers Committee.

Similar to the Open Shortest Path First (OSPF) routing protocol, IS-IS is a link state protocol. It builds a complete and consistent picture of a network's topology by sharing link state information across all network Intermediate System (IS) devices.

The IS-IS routing protocol provides routing for pure Open Systems Interconnection (OSI) environments. IS-IS as implemented on the ERX system supports IP networks and enables you to configure IS-IS as an IP routing protocol only. In IS-IS, networks are partitioned into routing domains, which are further divided into areas. A two-level hierarchical routing design is used. With this model, routing is referred to as level 1, level 2, or both level 1 and level 2.

Terms

OSI internetworking has its own terminology. A number of terms used in IS-IS routing discussions are defined in Table 9-1.

Table 9-1 IS-IS terms  

Term	Meaning
area	A group of contiguous networks and their attached hosts. Area boundaries are normally assigned by a network administrator.
complete sequence number PDU (CSNP)	PDU sent by designated router to ensure database synchronization
Connectionless-mode Network Protocol (CLNP)	An OSI network layer protocol used by CLNS to handle data at the transport layer; the OSI equivalent of IP
Connectionless Network Service Protocol (CLNS)	An OSI network layer service that enables data transmission without establishing a circuit and that routes messages independently of any other messages.
end system (ES)	Any nonrouting network node or host
intermediate system (IS)	A router
level 1 routing	Routing within an area Level 1 routers (or intermediate systems) track all the individual links, routers, and end systems within a level 1 area. Level 1 routers do not know the identity of routers or destinations outside their area. A level 1 router forwards all traffic for destinations outside its area to the nearest level 2 router within its area.
level 2 routing	Routing between areas Level 2 routers know the level 2 topology and know which addresses are reachable via each level 2 router. Level 2 routers track the location of each level 1 area. Level 2 routers are not concerned with the topology within any level 1 area (for example, the details internal to each level 1 area). Level 2 routers can identify when a level 2 router is also a level 1 router within the same area. Only a level 2 router can exchange packets with external routers located outside its routing domain.
link state packet (LSP)	Packet broadcast by link state protocols that contains information about neighbors and path costs; used to maintain routing tables; also known as link state advertisement
network entity title (NET)	ISO network addresses used by CLNS networks; an identifier of a network entity in an end system or intermediate system. A NET consists of an area address (routing domain), system identifier, and selector.
network service access point (NSAP)	Hierarchical network address that specifies the point at which network services are made available to a transport layer entity in the OSI reference model. A valid NSAP address is unique and unambiguously identifies a single system.
protocol data unit (PDU)	OSI term equivalent to packet, containing protocol control information and, possibly, user data
routing domain	A collection of connected areas that provide full connectivity to all end systems located within them. A routing domain is partitioned into areas.
system identifier	Uniquely identifies a system within an area

Figure 9-1 illustrates some of the terms described in Table 9-1 above.

Figure 9-1 Overview of IS-IS topology

ISO Network Layer Addresses

ISO network layer addresses are flexible enough to make routing feasible in a world-wide Internet. Network layer addresses in ISO and IP are hierarchical and clearly identify level 1 and level 2 areas. These addresses can be up to 20 octets long; any packet that contains an address has one additional octet to specify the length of the address.

An ISO address—also known as the NSAP address—is broken into three parts: the area address, the system identifier (ID), and the NSAP selector.

The area address defines the routing domain and the area within the routing domain. The length of the ID field can be from 1 to 8 octets and uses a single fixed length for any one routing domain. The selector field is always 1 octet long. Usually, all end systems within the same area have the same area address. Some areas can have multiple addresses. The NSAP address is defined by the network entity title (NET) during configuration.

Level 1 Routing

A level 1 router looks at a packet's area address and compares it with a destination address. If the area portion of the destination address matches its own area's address, the level 1 router uses the ID portion of the address to route the packet. If the area portion of the address does not match, the level 1 router routes the packet to a level 2 router within its area.

Level 2 Routing

Level 2 routers do not look at an area's internal structure, but simply route toward an area based on the area address. It is common for a level 2 router to also be a level 1 router in a particular area; these routers are sometimes referred to as level 1-2 routers. See Figure 9-1.

Dynamic Hostname Resolution

The system identifier of the NSAP address identifies a node in a network. System operators often find symbolic hostnames to be easier to use and remember than the system identifier. However, a static mapping of hostname to system identifier requires every router to maintain a table of the mappings; each table must contain the hostnames and system identifiers of every router in the network. The static mapping must be managed by system operators, and every change or addition of a mapping requires all the tables to be updated. Consequently, the static tables are likely to become rapidly outdated.

The system supports dynamic resolution of hostnames to system identifiers. You can use the clns host command to map the hostname to the NSAP address, and therefore to the system ID. This mapping is inserted in the dynamic hostname type-length-value tuple (TLV type 137), and subsequently advertised when LSPs are transmitted. The value field contains the hostname, preferably the fully qualified domain name (FQDN) of the host, or a subset of the FQDN. You can display the TLV by issuing the show isis database detail command.

Authentication

The system supports hash function-based message authentication code (HMAC) MD5 authentication for IS-IS to prevent unauthorized routers from injecting false routing information into your network or forming adjacencies with your system.

Authentication is disabled by default. When you enable IS-IS MD5 authentication, the system creates secure digests of the packets, encrypted according to the HMAC MD5 message-digest algorithms. The digests are inserted into the packets from which they are created. Depending on the commands you issue, the digests can be inserted into hello packets, link state PDUs, complete sequence number PDUs, and partial sequence number PDUs.

Commands

The area-message-digest-key command specifies an HMAC MD5 key that the system uses to create a message digest of each level 1 packet—LSPs, CSNPs, and PSNPs—transmitted by area routers. Using MD5 authentication for area routers protects against unauthorized routers injecting false routing information into the area portions of your network.

The domain-message-digest-key command specifies an HMAC MD5 key that the system uses to create a message digest of each level 2 packet—LSPs, CSNPs, and PSNPs—transmitted by domain routers. Using MD5 authentication for domain routers protects against unauthorized routers injecting false routing information into the routing domain portions of your network.

The isis message-digest-key command specifies an HMAC MD5 key that the system uses to create a message digest of level 1 or level 2 hello packets on the interface. Level 1 packets are the default. Using MD5 authentication on interfaces protects against intrusion by preventing unauthorized routers from forming adjacencies with your system.

Example

Suppose authentication is configured on router LA and router SanDiego, but not on router SanJose, as shown in Figure 9-2. Router LA and router SanDiego accept packets from each other because they contain message digests generated by an accepted key. Router SanJose accepts packets from router LA and router SanDiego, and simply ignores the message digest included in their packets. Router LA and router SanDiego reject packets from router SanJose because those packets do not include a message digest.

Figure 9-2 Packet flow between routers with and without authentication set

Specifying Start and Stop Timing

With each of the MD5 commands, you can specify when the system will start and stop accepting packets that include a digest made with this key. You can also specify when the system will start and stop generating packets that include a digest made with this key. If you specify a time for any of these actions, you can further specify the day, month, and year. The default times are as follows:

• start accepting keys (startAcceptTime) - current time
• stop accepting keys (stopAcceptTime) - never
• start generating keys (startGenTime) - current time plus two minutes
• stop generating keys (stopGenTime) - never

If you specify times, you must follow these guidelines to achieve appropriate timing between the actions:

• startAcceptTime must be less than startGenTime
• stopGenTime must be less than stopAcceptTime
• When a new key replaces an old one, the startGenTime time for the new key must be less than or equal to the stopGenTime time of the old key.

For example, suppose you configure authentication on router A and router B. If the startGenTime for router A is earlier than the startAcceptTime for router B, router B does not accept packets from router A until the current time matches its startAcceptTime.

The system accepts any packet authenticated with a key you have defined if the packet is received within the period defined for the key by its startAcceptTime and stopAcceptTime. If more than one key has been defined for that period, the system determines which key to use by comparing the startGenTime with the current time. When the startGenTime of a key matches the current time, the system starts using this key to transmit packets and stops using the previous key.

Example

host1(config-router)#area-message-digest-key 1 hmac-md5 
mr942s7n start-accept 08:00:00 start-generate 9:00:00 
stop-accept 23:00:00 stop-generate 22:59:59 

host1(config-router)#area-message-digest-key 2 hmac-md5 
dsb38h5f start-accept 08:00:00 start-generate 0:00:00 
stop-accept 23:00:00 stop-generate 22:59:59 

Both key 1 and key 2 are configured to be accepted between 08:00:00 and 23:00:00. When the current time reaches 09:00:00, the system begins using key 1 to transmit packets. When the current time reaches 10:00:00, the system begins using key 2 to transmit packets; key 1 is no longer used. Key 2 will continue to be used until a new key is configured and the new key's startGenTime matches the current time on the system.

Halting MD5 Authentication

To prevent key expiration from causing your network to revert to an unauthenticated condition, you cannot halt MD5 authentication by using the timers. When the stopGenTime time for a key is reached, the system does not stop generating the key if it was the last key issued. You must delete all keys to halt authentication. Use the no version of the command to delete a key.

Managing and Replacing Keys

A key has an infinite lifetime if you do not specify stopGenTime and stopAcceptTime. (As noted above, if the last key expires, the system continues to generate that key.) Many system operators choose to roll their keys over on a regular basis, such as every month. If you determine that a key is no longer secure, you should configure a new key immediately. We recommend the following practice for configuring new keys:

1. Configure the new key on all routers in the IS-IS network.
2. Verify that the new key is working.
3. Delete the old key from every router.

Each key has an associated key-id that you specify. The key-id is sent with the message digest, so that the receiving routers know which key was used to generate the digest. You also use the key-id to delete a key.

Extensions for Traffic Engineering

The system supports new-style TLV tuples described in the Internet draft, IS-IS Extensions for Traffic Engineering. The router ID TLV (TLV type 134) contains the ID of the router that originates the LSP, providing a stable address that can always be referenced regardless of the state of node interfaces.

The extended IP reachability TLV (type 135) carries IP prefixes and is similar to the IP reachability TLVs (types 128 and 130). The extended IS reachability TLV (type 22) contains information about a series of IS neighbors and is similar to the IS neighbor TLV (type 2).

The older TLVs—2, 128, 130—each have a narrow metric field, providing for metric values ranging only from 0-63. The new TLVs—22 and 135—have a new data structure that includes a wide metric field of 3 bytes (extended IS reachability; configurable) or four bytes (extended IP reachability; calculated). Both new TLVs provide for the use of sub-TLVs to carry more information about IS neighbors; however, only the extended IS reachability TLV currently has defined sub-TLVs, such as IPv4 interface and neighbor addresses.

Use the metric-style commands to configure what style the system generates and accepts. The following behaviors are supported:

• Generates and accepts only old-style metrics
• Generates only old-style metrics, but accepts old style and new style
• Generates and accepts both old-style and new-style metrics (this option consumes the most system resources)
• Generates only new-style metrics, but accepts old style and new style
• Generates and accepts only new-style metrics

Refer to the Internet draft, IS-IS Extensions for Traffic Engineering, for more information about these extensions.

Integrated IS-IS

The ERX system supports the Integrated IS-IS version of IS-IS. Integrated IS-IS provides a single routing algorithm to route both TCP/IP and OSI Connectionless Network Protocol (CLNP) packets. This design adds IP-specific information to the OSI IS-IS routing protocol. It supports IP subnetting, variable subnet masks, type-of-service (ToS), and external routing.

Integrated IS-IS allows for the mixing of routing domains; that is, IP-only routers, OSI-only routers, and dual (IP and OSI) routers. OSI and IP packets are forwarded directly over the link layer services without needing mutual encapsulation. The ERX system supports IS-IS only for the routing and forwarding of TCP/IP packets. Forwarding of OSI packets is not supported.

Equal-Cost Multipath

IS-IS supports equal-cost multipath (ECMP) and installs into the routing table multiple entries for paths to the same destination. Each of these multiple paths to a given destination must have the same cost as the others, but a different next hop.