Networking Working GroupInternet Engineering Task Force (IETF) L. GinsbergInternet-DraftRequest for Comments: 7987 P. WellsIntended status:Category: Standards Track Cisco SystemsExpires: February 18, 2017ISSN: 2070-1721 B. Decraene Orange T. Przygienda Juniper H. GredlerPrivate Contributer August 17,RtBrick Inc. October 2016 IS-IS Minimum Remaining Lifetimedraft-ietf-isis-remaining-lifetime-04.txtAbstract Corruption of theRemaininingRemaining LifetimeFieldfield in a Link StatePDUProtocol Data Unit (LSP) can go undetected. In certainscenariosscenarios, this may cause or exacerbate flooding storms. It is also a possibledenial of servicedenial- of-service attack vector. This document defines abackwardsbackwards- compatible solution to this problem.Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 ofsix monthsRFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 18, 2017.http://www.rfc-editor.org/info/rfc7987. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Solution . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Deployment Considerations . . . . . . . . . . . . . . . . . . 5 3.1. Inconsistent Values for MaxAge . . . . . . . . . . . . . 5 3.2. Reporting Corrupted Lifetime . . . . . . . . . . . . . . 5 3.3. Impact of Delayed LSP Purging . . . . . . . . . . . . . . 6 4.IANASecurity Considerations . . . . . . . . . . . . . . . . . . .. . 76 5.Security Considerations . . . .References . . . . . . . . . . . . . . .7 6. Acknowledgements. . . . . . . . . . 7 5.1. Normative References . . . . . . . . . . . .7 7. Contributors .. . . . . . 7 5.2. Informative References . . . . . . . . . . . . . . . . . 78. References . . . . . . . . .Acknowledgements . . . . . . . . . . . . . . . .7 8.1. Normative References. . . . . . . . 8 Contributors . . . . . . . . . .7 8.2. Informational References. . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Problem Statement [ISO10589] defines the format of a Link State PDU (LSP)whichthat includes a Remaining Lifetime field. This field is set by the originator based on local configuration and then decremented by all systems once the entry is stored in theirLink State PDULSP Database (LSPDB) consistent with the passing of time. This allows all Intermediate Systems (ISs) to age out the LSP at approximately the same time. Each LSP also has a checksum field to allow receiving systems to detect errorswhichthat may have occurred during transmission.[ISO 10589][ISO10589] mandates that the checksum is calculated by the originator of the LSP and cannot be modified by other routers.ThereforeTherefore, the Remaining Lifetime is deliberately excluded from the checksum calculation. In cases where cryptographic authentication is included in an LSP ([RFC5304] or[RFC5310])[RFC5310]), the Remaining Lifetime field is also excluded from the hash calculation. If the Remaining Lifetime field gets corrupted duringfloodingflooding, this corruption is therefore undetectable. The consequences of such corruption depend upon how the Remaining Lifetime is altered. In cases where the Remaining Lifetime becomes larger than the originatorintendedintended, the impact is benign. As the originator is responsible for refreshing the LSP before it agesoutout, a new version of the LSP will be generated before the LSP agesout -out, so no harm is done. In cases where the Remaining Lifetime field becomes smaller than the originatorintendedintended, the LSP may age out prematurely(i.e.(i.e., before the originator refreshes the LSP). This has two negative consequences: 1. The LSP will be purged by an IS when the Remaining Lifetime expires. This will cause a temporary loss of reachability to destinations impacted by the content of that LSP. 2. Unnecessary LSP flooding will occur as a result of the premature purge and subsequent regeneration/flooding of a new version of the LSP by theoriginatororiginator. If the corrupted Remaining Lifetime is only modestly shorter than the lifetime assigned by theoriginatororiginator, the negative impacts are also modest. If, however, the corrupted Remaining Lifetime becomes very small, then the negative impacts can becomesignificant -significant, especially in cases where the cause of the corruption is persistent so that the cycle repeats itself frequently. Abackwards compatiblebackwards-compatible solution to this problem is defined in the following sections. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Solution As discussed in the previous section, the problematic case is when the Remaining Lifetime is corrupted and becomes much smaller than it should be. The goal of the solution is then to prevent premature purging. Under normalcircumstancescircumstances, updates to an LSP--- includingpurgingpurging, if appropriate--- are the responsibility of the originator of the LSP. There is a maximum time between generations of a given LSP. Once this time hasexpiredexpired, it is the responsibility of the originator to refresh the LSP(i.e.(i.e., issue a new version with a higher sequence number) even if the contents of the LSP have not changed. [ISO10589] defines maximumLSPGenerationInterval to be sufficiently less than the maximum lifetime of an LSP so that the new version can be flooded network wide before the old version ages out on any IS. [ISO10589] defines two cases where a system other than the originator of an LSP is allowed to purge an LSP: 1. The LSP ages out. This should only occur if the originating IS is no longer reachable and therefore is unable to update theLSPLSP. 2. There is a Designated Intermediate System (DIS) change on a LAN. Thepseudo-nodepseudonode LSPs generated by the previous DIS are no longer required and may be purged by the new DIS. In both of thesecasescases, purging is not necessary for correct operation of the protocol. It is provided as an optimization to remove stale entries from the LSPDB. In cases where the Remaining Lifetime in a received LSP has been corrupted and is smaller than the Remaining Lifetime at the originatingnodenode, when the Remaining Lifetime expires on the receivingnodenode, it can appear as if the originating IS has failed to regenerate the LSP before it ages out (case #1 above). To prevent this from having a negativeimpactimpact, a modest change to the storage of "new" LSPs in the LSPDB is specified.[ISO10589]Section 7.3.16 of [ISO10589] defines the rules to determine whether a received LSP is older, the same, or newer than the copy of the same LSP in the receiver's LSPDB. The key elements are: o Higher sequence numbers arenewernewer. o If sequence numbers are the same, an LSP with a zero Remaining Lifetime (a purged LSP) is newer than the same LSPwwith a non-zero RemainingLifetimeLifetime. o If both the received and local copy of the LSP have a non-zero RemainingLifetimeLifetime, they are considered the same even if the Remaining Lifetimesdiffer [ISO10589]differ. Section 7.3.15.1.e(1) of [ISO10589] defines the actions to take on receipt of an LSP generated by another ISwhichthat is newer than the local copy and has a non-zero Remaining Lifetime. An additional action is defined by this document: vi. If the Remaining Lifetime of the new LSP is less thanMaxAgeMaxAge, it is set toMaxAgeMaxAge. This additional actioninsuresensures that no matter what value of Remaining Lifetime isreceivedreceived, a system other than the originator of an LSP will never purge the LSP until the LSP has existed in the database for at least MaxAge. It is important to note that no change is proposed for handling the receipt of purged LSPs. The rules specified in[ISO10589]Section7.3.15.1b7.3.15.1.b of [ISO10589] stillapplyapply, i.e., an LSP received with a zero Remaining Lifetime is still considered newer than a matching LSP withnon-zeroa non- zero Remaining Lifetime.ThereforeTherefore, the changes proposed here will not result in LSPDB inconsistency among routers in thenewtork.network. 3. Deployment Considerations This section discusses some possible deployment issues for this protocol extension. 3.1. Inconsistent Values for MaxAge [ISO10589] defines MaxAge (the maximum value for the Remaining Lifetime in an LSP) as an architectural constant of 20 minutes (1200 seconds). However, in practice, implementations have supported allowing this value to be configurable. The common intent of a configurable value is to support longer lifetimes than thedefault -default, thus reducing the periodic regeneration of LSPs in the absence of topology changes. See a discussion of this point in [RFC3719]. It is therefore possible for the value of MaxAge on the ISwhichthat originates an LSP to be higher or lower than the value of MaxAge on the ISswhichthat receive the LSP. If the value of MaxAge of the ISwhichthat originated the LSP is smaller than the value of MaxAge of the receiver of an LSP, then setting the Remaining Lifetime of the received LSP to the local value of MaxAge willinsureensure that it is not purged prematurely. However, if the value of MaxAge on the receiver is less than that of theoriginatororiginator, then it is still possible to have an LSP purged prematurely when using the extension defined in the previoussection to have an LSP purged prematurely.section. Implementors of this extension may wish to protect against this case by making the value to which the Remaining Lifetime is set under the conditions described in the previous section configurable. If that isdonedone, the configured value MUST be greater than or equal to the locally configured value of MaxAge. 3.2. Reporting Corrupted Lifetime Reporting reception of an LSP with a possible corrupt Remaining Lifetime field can be useful in identifying a problem in the network. In order to minimize the reports of falsepositivespositives, the following algorithm SHOULD be used in determining whether the Remaining Lifetime in the received LSP is possibly corrupt: o The LSP has passed all acceptance tests as specified in[ISO10589]Section 7.3.15.1 of [ISO10589]. o The LSP is newer than the copy in the local LSPDB (including the case of not being present in theLSPDB)LSPDB). o The Remaining Lifetime in the received LSP is less thanZeroAgeLifetimeZeroAgeLifetime. o The adjacency to the neighbor from which the LSP is received has been up for a minimum ofZeroAgeLifetimeZeroAgeLifetime. In such acasecase, an IS SHOULD generate a CorruptRemainingLifetime event. Note that it is not possible to guarantee that all cases of a corrupt Remaining Lifetime will be detected using the above algorithm. It is also not possible to guarantee that all CorruptRemainingLifetime events reported using the above algorithm are valid. As a diagnosticaidaid, an implementation MAY wish to retain the value of the Remaining Lifetime received when the LSP was added to the LSPDB. 3.3. Impact of Delayed LSP Purging The extensions defined in this document may result in retaining an LSP longer than its original lifetime. In order for this tooccuroccur, the scheduled refresh of the LSP by the originator of the LSP must fail to occur- which-- this implies that the originator is no longer reachable. In such acasecase, its neighbors will update their own LSPsreportingto report the loss of connectivity to the originator. [ISO10589] specifies that LSPs from a nodewhichthat is unreachable (failure of thetwo-way-two-way connectivity check) will not be used. Note that this behavior applies to ALL information in the set of LSPs from such a node. Retention of stale LSPs therefore has no negative side effects other than requiring additional memory for the LSPDB. In networks where a combination of pathological behaviors(LSP corruption,(e.g., LSP corruption and frequent resetting of nodes in the network) isseenseen, this could lead to a large number of stale LSPs beingretained -retained, but such networks are already compromised. 4.IANA Considerations None. 5.Security Considerations The ability to introduce corrupt LSPs is not altered by the rules defined in this document. Use of authentication as defined in [RFC5304] and [RFC5310] prevents such LSPs from being intentionally introduced. A"man-in-the-middle"man-in-the-middle attackwhichthat modifies an existing LSP by changing the Remaining Lifetime to a small value can cause premature purges even in the presence of cryptographic authentication. The mechanisms defined in this document prevent such an attack from being effective.6. Acknowledgements The problem statement in [LIFE-PROB] motivated this work. 7. Contributors The following people gave a substantial conrtibution to the content of this document and should be considered as co-authors: Stefano Previdi Cisco Systems Email: sprevidi@cisco.com 8.5. References8.1.5.1. Normative References [ISO10589] International Organization for Standardization,"Intermediate system"Information technology -- Telecommunications and information exchange between systems -- Intermediate System to IntermediatesystemSystem intra-domain routeing information exchange protocol for use in conjunction with the protocol for providing the connectionless-modeNetwork Servicenetwork service (ISO 8473)",ISO/ IECISO/IEC 10589:2002, Second Edition,NovNovember 2002. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic Authentication", RFC 5304, DOI 10.17487/RFC5304, October 2008, <http://www.rfc-editor.org/info/rfc5304>. [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., and M. Fanto, "IS-IS Generic Cryptographic Authentication", RFC 5310, DOI 10.17487/RFC5310, February 2009, <http://www.rfc-editor.org/info/rfc5310>.8.2. Informational5.2. Informative References[LIFE-PROB][PROB-STATEMENT] Decraene, B. and C. Schmitz, "IS-IS LSP lifetime corruption - ProblemStatement, draft- decraene-isis-lsp-lifetime-problem-statement-02(workStatement", Work inprogress)",Progress, draft- decraene-isis-lsp-lifetime-problem-statement-02, July 2016. [RFC3719] Parker, J., Ed., "Recommendations for Interoperable Networks using Intermediate System to Intermediate System (IS-IS)", RFC 3719, DOI 10.17487/RFC3719, February 2004, <http://www.rfc-editor.org/info/rfc3719>. Acknowledgements The problem statement in [PROB-STATEMENT] motivated this work. Contributors The following individual contributed substantially to the content of this document and should be considered a co-author: Stefano Previdi Cisco Systems Email: sprevidi@cisco.com Authors' Addresses Les Ginsberg Cisco Systems 510 McCarthy Blvd. Milpitas, CA 95035USAUnited States of America Email: ginsberg@cisco.com Paul Wells Cisco Systems 170WW. TasmanDrDr. San Jose,CaCA 95035USAUnited States of America Email: pauwells@cisco.com Bruno Decraene Orange38 rue du General Leclerc Issy Moulineaux cedex 944 avenue de la Republique, CS 50010 92326 Chatillon Cedex 92794 France Email: bruno.decraene@orange.com Tony Przygienda Juniper 1137 Innovation Way Sunnyvale,CaCA 94089USAUnited States of America Email: prz@juniper.net Hannes GredlerPrivate ContributerRtBrick Inc. Email:hannes@gredler.athannes@rtbrick.com