Host Router Support for OSPFv2Arrcuskeyur@arrcus.comPPE Consultingpadma.ietf@gmail.comCisco Systems170 W. Tasman DriveSan JoseCA95134United States of Americamanbhard@cisco.comCisco Systems170 W. Tasman DriveSan JoseCA95134United States of Americaserpil@cisco.comnon-transit
The Open Shortest Path First Version 2 (OSPFv2) protocol does not
have a mechanism for a node to repel transit traffic if it is on the
shortest path. This document defines a bit called the Host-bit (H-bit). This bit enables a
router to advertise that it is a non-transit router. This document also
describes the changes needed to support the H-bit in the domain. In
addition, this document updates RFC 6987 to advertise Type 2 External
and Not-So-Stubby Area (NSSA) Link State Advertisements (LSAs)
(RFC 3101) with a high cost in order to repel traffic effectively.Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by
the Internet Engineering Steering Group (IESG). Further
information on Internet Standards is available in Section 2 of
RFC 7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
. Introduction
. Requirements Language
. Host-Bit Support
. SPF Modifications
. Autodiscovery and Backward Compatibility
. OSPF AS-External-LSAs / NSSA-LSAs with Type 2 Metrics
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
Introduction
The OSPFv2 protocol specifies a Shortest Path First (SPF) algorithm
that identifies transit vertices based on their adjacencies.
Therefore, OSPFv2 does not have a mechanism to prevent traffic
transiting a participating node if it is a transit vertex in the only
existing or shortest path to the destination. The use of metrics to
make the node undesirable can help to repel traffic only if an
alternative better route exists.
A mechanism to move traffic away from the shortest path is
particularly useful for a number of use cases:
Graceful isolation of a router, to avoid blackhole scenarios when
there is a reload and possible long reconvergence times.
Closet switches that are not usually used for transit traffic but need
to participate in the topology.
Overloaded routers that could use such a capability to temporarily
repel traffic until they stabilize.
BGP route reflectors, known as virtual Route Reflectors,
that are not in the forwarding path but are in central locations
such as data centers. Such route reflectors are typically used
for route distribution and are not capable of forwarding transit
traffic. However, they need to learn the OSPF topology to
perform SPF computation for optimal routes and reachability
resolution for their clients
.
This document describes the functionality provided by the Host-bit (H-bit);
this functionality prevents other OSPFv2 routers from using the host router by excluding
it in path calculations for transit traffic in OSPFv2 routing
domains. If the H-bit is set, then the calculation of the
shortest-path tree for an area, as described in , is
modified by including a check to verify that transit vertices DO NOT
have the H-bit set (see ). Furthermore, in order to repel
traffic effectively, this document updates so that Type 2 External and Not-So-Stubby Area (NSSA)
Link State Advertisements (LSAs)
are advertised with a high cost (see ). OSPFv3 defines an
option bit, known as the R-bit, for router-LSAs; the H-bit supports similar functionality.Requirements LanguageThe key words "MUST", "MUST NOT",
"REQUIRED", "SHALL",
"SHALL NOT", "SHOULD",
"SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.Host-Bit Support
This document defines a new router-LSA bit, known as the Host-bit or
the H-bit. An OSPFv2 router advertising a router-LSA with the H-bit
set indicates that it MUST NOT be used as a transit router (see
) by other OSPFv2 routers in the
area that support the H-bit functionality.
If the H-bit is not set, then backward compatibility is achieved, as
the behavior will be the same as in .Bit H is the high-order bit of the OSPF flags, as shown below.
When the H-bit is set, the OSPFv2 router is a host (non-transit)
router and is incapable of forwarding transit traffic. In this mode,
the other OSPFv2 routers in the area MUST NOT use the host router for
transit traffic but may send traffic to its local destinations.
An OSPFv2 router originating a router-LSA with the H-bit set MUST
advertise all its non-stub links with a link cost of MaxLinkMetric
.
When the H-bit is set, an Area Border Router (ABR) MUST advertise the
same H-bit setting in its self-originated router-LSAs for all
attached areas. The consistency of the setting will prevent
inter‑area traffic transiting through the router by suppressing
advertisements of prefixes from other routers in the area in its
summary-LSAs. Only IPv4 prefixes associated with its local
interfaces MUST be advertised in summary-LSAs to provide reachability
to end hosts attached to a router with the H-bit set.
When the H-bit is set, the host router cannot act as an Autonomous System
Border Router (ASBR). Indeed, ASBRs are transit routers to prefixes that are
typically imported through redistribution of prefixes from other
routing protocols. Therefore, non-local IPv4 prefixes, e.g., those
imported from other routing protocols, SHOULD NOT be advertised in
AS-external-LSAs if the H-bit is set. Some use cases, such as an
overloaded router or a router being gracefully isolated, may benefit
from continued advertisements of non-local prefixes. In these cases,
the Type 2 metric in AS-external-LSAs MUST be set to
LSInfinity to
repel traffic (see of this document).SPF Modifications
The SPF calculation described in is
modified to ensure that the routers originating router-LSAs with the
H-bit set will not be used for transit traffic. Step (2) is
modified to include a check on the H-bit, as shown below. (Please note
that all of the sub-procedures of Step (2) remain unchanged and are not included in
the excerpt below.)
(2)
Call the vertex just added to the
tree "vertex V". Examine the LSA
associated with vertex V. This is
a lookup in Area A's link state
database based on the Vertex ID. If
this is a router-LSA, and the H-bit
of the router-LSA is set, and
vertex V is not the root, then the
router should not be used for transit
and Step (3) should be executed
immediately. If this is a router-LSA
and bit V of the router-LSA (see
Appendix A.4.2) is set, set Area A's
TransitCapability to TRUE. In any case,
each link described by the LSA gives
the cost to an adjacent vertex. For
each described link (say it joins
vertex V to vertex W):
Autodiscovery and Backward Compatibility
To reduce the possibility of any routing loops due to partial
deployment, this document defines an OSPF Router Information (RI) LSA
capability bit . See
().
The RI LSA MUST be area-scoped.
Autodiscovery via announcement of the OSPF Host Router capability
()
ensures that the H-bit functionality and its associated SPF changes
MUST only take effect if all the routers in a given OSPF area support
this functionality.
In normal operation, it is possible that the RI LSA will fail to
reach all routers in an area in a timely manner. For example, if a
new router without H-bit support joins an area that previously had
only H-bit-capable routers with the H-bit set, then it may take some time
for the RI LSA to propagate to all routers. While it is propagating, the
routers in the area will gradually detect the presence of a router
that does not support the capability and will revert back to the normal SPF
calculation. During the propagation time, the area as a whole is
unsure of the status of the new router; this type of situation can cause temporary
transient loops.
The following recommendations will mitigate transient routing loops:
Implementations are RECOMMENDED to provide a configuration
parameter to manually override enforcement of the H-bit
functionality in partial deployments where the topology guarantees
that OSPFv2 routers not supporting the H-bit do not compute routes
resulting in routing loops.
All routers with the H-bit set MUST advertise all of the router's
non-stub links with a metric equal to MaxLinkMetric in
its LSAs in order to prevent OSPFv2 routers (unless a last-resort path)
that do not support the H-bit from attempting to use the non-stub links for transit
traffic.
All routers supporting the H-bit MUST check the RI LSAs of all
nodes in the area to verify that all nodes support the H-bit
before actively using the H-bit feature. If any router does not
advertise the OSPF Host Router capability (), then the SPF
modifications described in MUST NOT be used in the area.
OSPF AS-External-LSAs / NSSA-LSAs with Type 2 Metrics
When calculating the path to a prefix in an OSPF AS-external-LSA or
NSSA-LSA with a Type 2 metric, the advertised Type 2 metric
is taken as more significant than the OSPF intra-area or inter-area
path. Hence, advertising the links with MaxLinkMetric as specified
in does not discourage transit
traffic when calculating AS-external or NSSA routes with Type 2 metrics.
Consequently, this document updates so that the Type 2 metric in any
self-originated AS-external-LSAs or NSSA-LSAs is advertised as
LSInfinity-1 .
If the H-bit is set, then the Type 2 metric
MUST be set to LSInfinity.IANA Considerations
IANA has registered the following value in the
"OSPFv2 Router Properties Registry".
H-Bit
Value
Description
Reference
0x80
Host (H-bit)
RFC 8770
IANA has registered the following in the "OSPF Router
Informational Capability Bits" registry.
OSPF Host Router Capability Bit
Bit Number
Capability Name
Reference
7
OSPF Host Router
RFC 8770
Security Considerations
This document introduces the H-bit, which is a capability feature that
restricts the use of a router for transit, while only its local
destinations are reachable. This is a subset of the operations of a
normal router and therefore should not introduce new security
considerations beyond those already known in OSPFv2 . The
feature introduces the advertisement of host router capability
information to all OSPFv2 routers in an area. This information can
be leveraged for discovery and verification that all routers in the
area support the capability before the feature is turned on. In the
event that a rogue or buggy router incorrectly advertises its
capability, possible scenarios are as follows:
The router does not have the capability but sends the H-bit set in
its LSAs. In this case, a routing loop is possible.
However, this is mitigated by the fact that this router should be
avoided anyway. Moreover, the link metrics cost (MaxLinkMetric)
of this router will mitigate this situation. In any case, a
router advertising the H-bit capability without its link metrics cost
equal to MaxLinkMetric could be a rogue
router and should be avoided.
The router has the capability but sends the H-bit clear in its
LSAs. In this case, the router merely prevents the support of other
H-bit routers in the area and prevents all the routers from running the modified
SPF. Any impacts are also mitigated in this scenario, as other H-bit routers in the
area also advertise the MaxLinkMetric cost, so they will still be
avoided unless they are the last‑resort path.
The rogue router is on the only transit path for some destinations
and sends the H-bit set (for no good/valid reason) in its LSAs, and
effectively partitions the network. This case is indistinguishable
from the normal case where an operator may consciously decide to
set the H-bit to perform maintenance on a router that is on the
only transit path. The OSPF protocol will continue to function
within the partitioned domains.
ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.OSPF Version 2This memo documents version 2 of the OSPF protocol. OSPF is a link- state routing protocol. [STANDARDS-TRACK]OSPF Stub Router AdvertisementThis document describes a backward-compatible technique that may be used by OSPF (Open Shortest Path First) implementations to advertise a router's unavailability to forward transit traffic or to lower the preference level for the paths through such a router.This document obsoletes RFC 3137.Extensions to OSPF for Advertising Optional Router CapabilitiesIt is useful for routers in an OSPFv2 or OSPFv3 routing domain to know the capabilities of their neighbors and other routers in the routing domain. This document proposes extensions to OSPFv2 and OSPFv3 for advertising optional router capabilities. The Router Information (RI) Link State Advertisement (LSA) is defined for this purpose. In OSPFv2, the RI LSA will be implemented with an Opaque LSA type ID. In OSPFv3, the RI LSA will be implemented with a unique LSA type function code. In both protocols, the RI LSA can be advertised at any of the defined flooding scopes (link, area, or autonomous system (AS)). This document obsoletes RFC 4970 by providing a revised specification that includes support for advertisement of multiple instances of the RI LSA and a TLV for functional capabilities.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Informative ReferencesBGP Optimal Route Reflection (BGP-ORR)The OSPF Not-So-Stubby Area (NSSA) OptionThis memo documents an optional type of Open Shortest Path First (OSPF) area that is somewhat humorously referred to as a "not-so-stubby" area (or NSSA). NSSAs are similar to the existing OSPF stub area configuration option but have the additional capability of importing AS external routes in a limited fashion. The OSPF NSSA Option was originally defined in RFC 1587. The functional differences between this memo and RFC 1587 are explained in Appendix F. All differences, while expanding capability, are backward-compatible in nature. Implementations of this memo and of RFC 1587 will interoperate. [STANDARDS-TRACK]OSPF for IPv6This document describes the modifications to OSPF to support version 6 of the Internet Protocol (IPv6). The fundamental mechanisms of OSPF (flooding, Designated Router (DR) election, area support, Short Path First (SPF) calculations, etc.) remain unchanged. However, some changes have been necessary, either due to changes in protocol semantics between IPv4 and IPv6, or simply to handle the increased address size of IPv6. These modifications will necessitate incrementing the protocol version from version 2 to version 3. OSPF for IPv6 is also referred to as OSPF version 3 (OSPFv3).Changes between OSPF for IPv4, OSPF Version 2, and OSPF for IPv6 as described herein include the following. Addressing semantics have been removed from OSPF packets and the basic Link State Advertisements (LSAs). New LSAs have been created to carry IPv6 addresses and prefixes. OSPF now runs on a per-link basis rather than on a per-IP-subnet basis. Flooding scope for LSAs has been generalized. Authentication has been removed from the OSPF protocol and instead relies on IPv6's Authentication Header and Encapsulating Security Payload (ESP).Even with larger IPv6 addresses, most packets in OSPF for IPv6 are almost as compact as those in OSPF for IPv4. Most fields and packet- size limitations present in OSPF for IPv4 have been relaxed. In addition, option handling has been made more flexible.All of OSPF for IPv4's optional capabilities, including demand circuit support and Not-So-Stubby Areas (NSSAs), are also supported in OSPF for IPv6. [STANDARDS-TRACK]Acknowledgements
The authors would like to acknowledge for discovering
the limitation in , and , , , , and for their comments.Authors' AddressesArrcuskeyur@arrcus.comPPE Consultingpadma.ietf@gmail.comCisco Systems170 W. Tasman DriveSan JoseCA95134United States of Americamanbhard@cisco.comCisco Systems170 W. Tasman DriveSan JoseCA95134United States of Americaserpil@cisco.com