Handbook

IS-IS

6.0.0

IS-IS

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that isn't intended to be used between Autonomous Systems (AS).

IS-IS was developed by Digital Equipment Corporation and later standardized by ISO in 1992 as ISO 19589 (see RFC 1142, note that this RFC is different from the ISO version). About the same time, the Internet Engineering Task Force developed OSPF (see OSPF). After the initial version, IP support was added to IS-IS and this version was called Integrated IS-IS (see RFC 1195). Its widespread use started when an early version of IS-IS was included with BSD v4.3 Linux as the routed daemon. The routing algorithm used by IS-IS, the Bellman–Ford algorithm, first saw widespread use as the initial routing algorithm of the ARPANET.

IS-IS is a link state protocol that is well-suited to smaller networks. It's in widespread use and has near universal support on routing hardware. It's quick to configure and works well if there are no redundant paths. However, IS-IS updates are sent out node-by-node, so it can be slow to find a path around network outages. IS-IS also lacks good authentication, can't choose routes based on different quality of service methods, and can create network loops if you're not careful. IS-IS uses Dijkstra's algorithm to find the best path, like OSPF.

While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures, largely due to its native support for IPv6 and its non-disruptive methods for splitting, merging, migrating, and renumbering network areas.

FortiGate supports IS-IS for IPv4 and IPv6.

How IS-IS works

As one of the original modern dynamic routing protocols, IS-IS is straightforward. Its routing algorithm isn't complex, there are some options to allow fine-tuning, and it's straightforward to configure IS-IS on a FortiGate.

From RFC 1142:

The routing algorithm used by the Decision Process is a shortest path first (SPF) algorithm. Instances of the algorithm are run independently and concurrently by all intermediate systems in a routing domain. IntraDomain routing of a PDU occurs on a hop-by-hop basis: that is, the algorithm determines only the next hop, not the complete path, that a data PDU will take to reach its destination.

IS-IS versus static routing

IS-IS was one of the earliest dynamic routing protocols to work with IP addresses. As such, it's not as complex as more recent protocols. However, IS-IS is a big step forward from simple static routing.

While IS-IS may be slow in response to network outages, static routing has zero response. The same is true for convergence: static routing has zero convergence. Both IS-IS and static routing have a limited hop count, so hop count is neither a strength nor a weakness of either.

TLV

IS-IS uses type-length-value (TLV) parameters to carry information in Link-State PDUs (LSPs). Each IS-IS LSP consists of a variable-length header to which TLVs are appended in order to extend IS-IS for IP routing. The TLV field consists of one octet of type (T), one octet of length (L), and “L” octets of value (V). They're included in all of the IS-IS Packet types. For a complete breakdown of the LSP, see LSP structure.

In IS-IS, TLVs are used to determine route-leaking and authentication and are also used for IPv4 and IPv6 awareness and reachability.

  • To determine which TLVs are responsible for route-leaking, see Default routing.
  • To determine which TLVs are responsible for authentication, see Authentication.

For a complete list of reserved TLV codepoints, refer to RFC 3359.
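The following Python parser is an added example, not Fortinet code: it walks a PDU body as the TLV layout above describes (one type octet, one length octet, L value octets), decodes TLV 1 (Area Addresses) and the TLV 128/130 IP reachability entries mentioned under Route leaking, and rejects a TLV whose declared length runs past the buffer. The sample body it builds is constructed for illustration; the 12-octet reachability entry layout follows RFC 1195 and the up/down bit follows RFC 2966.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

TLV_AREA_ADDRESSES = 1   # Area Addresses
TLV_IP_INT_REACH = 128   # IP Internal Reachability
TLV_IP_EXT_REACH = 130   # IP External Reachability


def parse_tlvs(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a PDU body into (type, value) pairs. A declared length that runs
    past the buffer is a malformed or truncated PDU; the parser raises rather
    than reading past the end or returning partial data."""
    tlvs = []
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError(f"dangling TLV header at offset {pos}")
        tlv_type, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            raise ValueError(f"TLV {tlv_type} claims {length} octets, only {len(body) - pos} remain")
        tlvs.append((tlv_type, body[pos:pos + length]))
        pos += length
    return tlvs


def decode_area_addresses(value: bytes) -> List[str]:
    """TLV 1 value: repeated [1-octet length][area address], returned as hex."""
    areas = []
    pos = 0
    while pos < len(value):
        n = value[pos]
        area = value[pos + 1:pos + 1 + n]
        if len(area) != n:
            raise ValueError("truncated area address entry")
        areas.append(area.hex())
        pos += 1 + n
    return areas


def decode_ip_reach(value: bytes) -> List[Dict[str, object]]:
    """TLV 128/130 value: 12-octet entries (default, delay, expense and error
    metric octets, IPv4 address, subnet mask). Only the default metric is kept:
    low 6 bits are the metric, the high bit is the up/down bit (RFC 2966) set
    on prefixes leaked from Level 2 down into Level 1."""
    if len(value) % 12:
        raise ValueError("IP reachability TLV is not a multiple of 12 octets")
    entries = []
    for off in range(0, len(value), 12):
        default_metric, _, _, _, addr, mask = struct.unpack("!BBBB4s4s", value[off:off + 12])
        mask_int = int.from_bytes(mask, "big")
        prefixlen = bin(mask_int).count("1")
        if mask_int != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
            raise ValueError(f"non-contiguous subnet mask {mask.hex()}")
        entries.append({
            "prefix": f"{ipaddress.IPv4Address(addr)}/{prefixlen}",
            "metric": default_metric & 0x3F,
            "down": bool(default_metric & 0x80),
        })
    return entries


def decode_pdu_body(body: bytes) -> Dict[str, list]:
    """Decode the TLV types this page discusses; unknown types are recorded and skipped."""
    out: Dict[str, list] = {"areas": [], "internal": [], "external": [], "unknown": []}
    for tlv_type, value in parse_tlvs(body):
        if tlv_type == TLV_AREA_ADDRESSES:
            out["areas"].extend(decode_area_addresses(value))
        elif tlv_type == TLV_IP_INT_REACH:
            out["internal"].extend(decode_ip_reach(value))
        elif tlv_type == TLV_IP_EXT_REACH:
            out["external"].extend(decode_ip_reach(value))
        else:
            out["unknown"].append(tlv_type)
    return out


def is_malformed(body: bytes) -> bool:
    """True when the body cannot be parsed, e.g. a TLV length exceeds the buffer."""
    try:
        decode_pdu_body(body)
    except ValueError:
        return True
    return False


def reach_entry(metric: int, address: str, mask: str, down: bool = False) -> bytes:
    """Encode one 12-octet entry; 0x80 in the other three metric octets marks them unsupported."""
    flags = (0x80 if down else 0) | (metric & 0x3F)
    return struct.pack("!BBBB4s4s", flags, 0x80, 0x80, 0x80,
                       ipaddress.IPv4Address(address).packed,
                       ipaddress.IPv4Address(mask).packed)


def build_sample_body() -> bytes:
    """Constructed sample: an Area Addresses TLV for area 49.0001 and an IP
    Internal Reachability TLV with two prefixes, the second leaked down."""
    area = bytes.fromhex("490001")
    tlv1 = bytes([TLV_AREA_ADDRESSES, 1 + len(area), len(area)]) + area
    entries = (reach_entry(10, "10.1.0.0", "255.255.0.0")
               + reach_entry(20, "192.168.5.0", "255.255.255.0", down=True))
    tlv128 = bytes([TLV_IP_INT_REACH, len(entries)]) + entries
    return tlv1 + tlv128
```

Cutting the sample body short by a few octets makes the reachability TLV claim more data than is present, and the parser rejects it instead of decoding a partial entry.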

LSP structure

It's difficult to fully understand a routing protocol without knowing what information is carried in its packets. Knowing how routers exchange each type of information will help you better understand the IS-IS protocol and will allow you to configure your network more appropriately.

This section provides information about the contents of the IS-IS LSP. LSPs describe the network topology and can include IP routes and checksums.

NSAP and NET

The IS-IS routing protocol uses ISO network addressing to identify network interfaces. The addresses are known as Network Service Access Points (NSAP). In general, an IS-IS router has only one NSAP, whereas IP addressing requires one IP address per interface.

In IS-IS, the NSAP address is translated into a Network Entity Title (NET), which is the same as the NSAP but can differentiate end systems by way of a byte called the n-selector (NSEL). In order for adjacencies to form in IS-IS, the NSEL must be set to zero, to indicate “this system”. The total NET can be anywhere between 8 and 20 bytes long due to the support for variable length area addressing.

The following diagram identifies the individual parts of the NSAP, with explanations below:

NSAP and NET example

  • AFI: The Authority and Format Identifier (AFI) specifies the format of the addressing family used. IS-IS is designed to carry routing information for several different protocols. Each entry has an address family identifier that identifies the globally unique Interdomain Part (IDP). For example, 49 is the AFI for private addresses, whereas 47 is the AFI for international organizations.
  • IDI: The Initial Domain Identifier (IDI) identifies the routing domain within an interconnected network. The length of the IDI is typically determined by the AFI. If you are using an AFI of 49, you don't need to specify an IDI since the network is private.
  • HODSP: The High Order Domain-Specific Part (HODSP) identifies the unique address within a specific routing domain. Together, the AFI, IDI, and HODSP define the area address. All of the nodes within an area must have the same area address.
  • System ID: The System ID represents the 6-8 byte router identifier. The ID could be Media Access Control (MAC) format, as in the example above, or a static length IP address expressed in binary-coded decimal (BCD) format.
  • NSEL: The n-selector (NSEL), as previously described, identifies the network layer transport service and must always be set to zero for IS-IS NETs.
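As an added example (not Fortinet code), the following Python splits a NET into the parts listed above and applies the rules stated there: the total length must be 8 to 20 octets, the NSEL must be zero, and all nodes in an area must share the area address. It assumes the 6-octet System ID form shown in the example (MAC-style or BCD); the NET strings in the checks are constructed.

```python
from typing import Dict, Iterable, Optional

SYSTEM_ID_LEN = 6   # assumption: the 6-octet System ID form shown on this page
AFI_PRIVATE = 0x49  # AFI 49: private addressing, no IDI needed


def parse_net(net: str) -> Dict[str, object]:
    """Split a dotted-hex NET such as 49.0001.1921.6800.1001.00 into the area
    address (AFI + IDI + HODSP), the System ID and the NSEL, enforcing the
    8..20 octet length and the NSEL == 0 rule for IS-IS NETs."""
    raw = bytes.fromhex(net.replace(".", ""))
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"NET is {len(raw)} octets, must be 8 to 20")
    nsel = raw[-1]
    if nsel != 0:
        raise ValueError(f"NSEL is 0x{nsel:02x}; an IS-IS NET needs 0x00")
    system_id = raw[-1 - SYSTEM_ID_LEN:-1]
    area = raw[:-1 - SYSTEM_ID_LEN]          # at least one octet because len >= 8
    return {
        "afi": f"{area[0]:02x}",
        "area": area.hex(),
        "system_id": system_id.hex(),
        "nsel": f"{nsel:02x}",
        "private": area[0] == AFI_PRIVATE,
    }


def net_problem(net: str) -> Optional[str]:
    """Return why a NET is unusable for IS-IS, or None when it parses cleanly."""
    try:
        parse_net(net)
    except ValueError as exc:
        return str(exc)
    return None


def same_area(net_a: str, net_b: str) -> bool:
    """Two routers can be Level 1 neighbors only if their area addresses match."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]


def duplicate_system_id(nets: Iterable[str]) -> Optional[str]:
    """System IDs must be unique across the domain; return the first duplicate, if any."""
    seen = set()
    for net in nets:
        sid = parse_net(net)["system_id"]
        if sid in seen:
            return sid
        seen.add(sid)
    return None
```

The BCD form from the text appears directly: the System ID 1921.6800.1001 in the first NET below is 192.168.1.1 written as binary-coded decimal.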

Parts and terminology of IS-IS

Before you can understand how IS-IS functions, you need to understand some of the main concepts and parts of IS-IS.

DIS election and pseudonode LSP

In the IS-IS routing protocol, a single router is chosen to be the designated intermediate system (DIS). The election of the DIS is determined automatically and dynamically on the LAN depending on highest interface priority and the subnetwork point of attachment (SNPA). The FortiGate is typically the DIS, and each router in its LAN is an intermediate system (IS).

Unlike OSPF, which elects a designated router (DR) and backup designated router (BDR), the DIS has no backup and determines the election of a new DIS whenever a router is added to the LAN or whenever the current DIS drops. A backup DIS is irrelevant since all of the routers on an IS-IS system are synchronized, and the short Hello interval used by the DIS quickly detects failures and the subsequent replacement of the DIS.

Synchronization of all the nodes in an IS-IS area could prove troublesome when updating the network infrastructure and would demand ever-increasing resources each time a new router is added (at an exponential scale). For this purpose, the DIS creates a pseudonode, which is essentially a virtual, logical node representing the LAN. The pseudonode requests adjacency status from all the routers in a multi-access network by sending IS-IS Hello (IIH) PDUs to Level 1 and Level 2 routers (where Level 1 routers share the same area address as the DIS and Level 2 routers do not). Using a pseudonode to alter the representation of the LAN in the link-state database (LSDB) greatly reduces the number of adjacencies that area routers have to report. In essence, a pseudonode collapses a LAN topology, which allows a more linear scale to link-state advertising.

In order to maintain the database synchronization, the DIS periodically sends complete sequence number packets (CSNPs) to all participating routers.

Packet types

Four general packet types (PDUs) are communicated through IS-IS, appearing at both Level 1 and Level 2. They are described below.

  • Intermediate System-to-Intermediate System Hello (IIH) PDU: As mentioned previously, the IIH PDU, or Hello packet, detects neighboring routers and indicates to the pseudonode the area’s adjacency mesh. The Hello packet, flooded to the multicast address, contains the system ID of the sending router, the holding time, the circuit type of the interface on which the PDU was sent, the PDU length, the DIS identifier, and the interface priority (used in DIS election). The Hello packet also informs its area routers that it is the DIS. Hello packets are padded to the maximum IS-IS PDU size of 1492 bytes (the full MTU size) to assist in the detection of transmission errors with large frames or with MTU mismatches between adjacencies. The DIS typically floods Hello packets to the entire LAN every three seconds.
  • Link-state PDU (LSP): The LSP contains information about each router in an area and its connected interfaces. LSPs are refreshed periodically and acknowledged on the network by way of sequence number PDUs. If new LSP information is found, based on the most recent complete sequence number PDU (CSNP), out-of-date entries in the link-state database (LSDB) are removed and the LSDB is updated. For a more detailed breakdown of the LSP, see LSP structure.
  • Complete sequence number PDU (CSNP): CSNPs contain a list of all LSPs in the current LSDB. The CSNP informs other area routers of missing or outdated links in the adjacency mesh. The receiving routers then use this information to update their own database to ensure that all area routers converge. In contrast to Hello packets, CSNPs are sent every ten seconds and only between neighbors. In other words, they're never flooded.
  • Partial sequence number PDU (PSNP): PSNPs are used to request and acknowledge LSP information from an adjacency. When a router compares a CSNP with its local database and determines a discrepancy, the router requests an updated LSP using a PSNP. Once received, the router stores the LSP in its local database and responds to the DIS with acknowledgement.

Default routing

The default route is used if there are no other routes in the routing table or if none of the other routes apply to a destination. Including the gateway in the default route gives all traffic a next-hop address to use when leaving the local network. The gateway address is normally another router on the edge of the local network.

FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, an administration distance of 10, and a gateway IPv4 address. Beginner administrators can use the default route settings until a more advanced configuration is warranted.

By default, all routes are displayed in the Routing Monitor list. To display the routes in the routing table, go to Monitor > Routing Monitor.

Route leaking

Route leaking is a term that's used to describe the bidirectional flow of information between internal and external routing interfaces. By default, IS-IS leaks routing information from a Level 1 area into a Level 2 area. In order to leak Level 2 routing information into a Level 1 area, you must configure an export policy. The ATT bit uses type-length-value (TLV) 128 (for internal reachability) and TLV 130 (for external IP address information) to determine whether or not a route is leaked. For more information about TLVs, see Troubleshooting IS-IS.

To configure IS-IS route leaking - CLI:
  • On a Level 1-2 router:

    config router isis
        set {redistribute-l2|redistribute6-l2} enable
    end

  • On a Level 1 router, verify that the leaked routes have arrived (these are show commands entered at the CLI prompt, not inside config router isis):

    get router {info|info6} routing-table isis
    get router {info|info6} isis route

Default information originate

You can enable the default-information-originate option to generate and advertise a default route into the FortiGate device's IS-IS-enabled networks. The generated route may be based on routes that the FortiGate learns through a dynamic routing protocol, routes in the routing table, or both. IS-IS doesn't create the default route unless you use the always option.

If you experience any issues or if you wish to advertise your own static routes into IS-IS updates, set this to disable.

To enable the default information originate option - CLI:

    config router isis
        set {default-originate | default-originate6} {enable | disable}
    end

Timer options

IS-IS uses various timers to regulate its performance, including update, timeout, and garbage timers. The FortiGate unit default timer settings (30, 180, and 120 seconds respectively) are effective in most configurations. If you change these settings, ensure that the new settings are compatible with local routers and access servers.

To configure the IS-IS timers - CLI:

    config router isis
        set garbage-timer <seconds>
        set update-timer <seconds>
        set timeout-timer <seconds>
    end

You will find more information on each timer below.

Update timer

The update timer determines the interval between routing updates. Generally, this value is set to 30 seconds. There's some randomness added to help prevent network traffic congestion, which could result from all routers simultaneously attempting to update their neighbors. The update timer should be no more than one third of the timeout timer, or you'll experience an error.

If you're experiencing significant traffic on your network, you can increase this interval to send fewer updates per minute. However, ensure you increase the interval for all the routers on your network or you'll experience timeouts that will degrade your network speed.

Timeout timer

The timeout timer is the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the DIS will keep a reachable route in the routing table while no updates for that route are received. If the DIS receives an update for the route before the timeout period expires, the timer is restarted. The timeout period should be at least three times longer than the update period, or you'll experience an error.

If you're experiencing problems with routers not responding in time to updates, increase this timer. However, remember that longer timeout intervals result in longer overall update periods. It may be a considerable amount of time before the DIS is done waiting for all the timers to expire on unresponsive routes.

Garbage timer

The garbage timer is the amount of time (in seconds) that the DIS will advertise a route as being unreachable before deleting the route from the routing table. If this timer is shorter, it will keep more up-to-date routes in the routing table and remove old ones faster. This results in a smaller routing table, which is useful if you have a very large network or if your network changes frequently.

IS-IS interface advertisements

You can use the adv-passive-only CLI command to configure which IS-IS interfaces the FortiGate advertises. If you set this command to enable, the FortiGate advertises only passive interfaces. If you set this to disable, the FortiGate advertises all IS-IS enabled interfaces.

To configure IS-IS interface advertisements - CLI:

    config router isis
        set {adv-passive-only|adv-passive-only6} {enable | disable}
    end

Loopback interfaces

You can configure loopback interfaces to run IS-IS.

To configure loopback interfaces to run IS-IS - CLI:

    config router isis
        config isis-interface
            edit <name>
                set network-type loopback
            next
        end
    end

Authentication

In routing protocols, it's typically desirable to establish authentication rules that prevent malicious and otherwise unwanted information from being injected into the routing table. The IS-IS routing protocol uses TLV 10 to carry authentication data. For more information about TLVs, see TLV.

Initially, IS-IS used plain cleartext passwords for authentication, but this was found to be insecure since the packets were unencrypted and the password could be read by packet sniffers. As per RFC 3567, HMAC-MD5 and enhanced cleartext authentication features were introduced in IS-IS, both of which encrypt authentication data, making them considerably more secure than using plain cleartext authentication.

HMAC-MD5 authentication

Hashed Message Authentication Codes - Message Digest 5 (HMAC-MD5) is a mechanism for applying a cryptographic hash function to the message authentication process. It is applied at both Level 1 and Level 2 routing. In IS-IS, an HMAC-MD5 can be applied to each type of LSP, on different interfaces, and with different passwords.

Authentication data is hashed using an AH (Authentication Header) key. From RFC 2085:

The “AH Key” is used as a shared secret between two communicating parties. The Key is not a “cryptographic key” as used in a traditional sense. Instead, the AH key (shared secret) is hashed with the transmitted data and thus, assures that an intervening party cannot duplicate the authentication data. [...] Implementation should, and as frequently as possible, change the AH key. Keys need to be chosen at random, or generated using a cryptographically strong pseudo-random generator seeded with a random seed.

Cleartext authentication uses the configuration commands area-password and domain-password for authentication, but when migrating from cleartext authentication to HMAC-MD5, these command settings are automatically overwritten.

By the year 2005, the MD5 hash function had been identified as vulnerable to collision search attacks and various weaknesses. While such vulnerabilities don't compromise the use of MD5 within HMAC, administrators need to be aware of potential developments in cryptanalysis and cryptographic hash functions in the likely event that the underlying hash function needs to be replaced.

Enhanced cleartext authentication

Enhanced cleartext authentication is an extension to cleartext authentication that allows the encryption of passwords as they are displayed in the configuration. It includes a series of authentication mode commands and an authentication key chain, and allows for simpler password modification and password management. Enhanced cleartext authentication also provides for smoother migration to and from changing authentication types. Intermediate systems continue to use the original authentication method until all the area routers are updated to use the new method.

Authentication key chain

A key chain is a list of one or more authentication keys including the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. A router migrates from one key to the next according to the scheduled send and receive lifetimes. If an active key is unavailable, the PDU is automatically discarded.

From RFC 5310:

It should be noted that the cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function and on the size and quality of the key.
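The following Python is an added example, not Fortinet code, covering the HMAC-MD5 authentication and Authentication key chain sections together: it builds TLV 10 with authentication type 54 (HMAC-MD5, per RFC 3567), computes the digest over the whole PDU with the digest octets zeroed, and has the receiver try every key whose receive lifetime is active, discarding the PDU when none matches. The stub PDU header, TLV body and key chain are constructed for illustration; a real LSP also zeroes its Remaining Lifetime and Checksum fields before hashing, which the stub header does not model.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

TLV_AUTH = 10          # Authentication TLV
AUTH_CLEARTEXT = 1     # authentication type: cleartext password
AUTH_HMAC_MD5 = 54     # authentication type: HMAC-MD5 (RFC 3567)
DIGEST_LEN = 16

# Constructed stand-ins: a stub PDU header (0x83 is the IS-IS NLPID) and a
# body holding one Area Addresses TLV for area 49.0001.
STUB_HEADER = b"\x83" + bytes(7)
BODY = bytes([1, 4, 3]) + bytes.fromhex("490001")


@dataclass
class Key:
    """Key-chain entry: shared secret plus send/receive lifetimes
    (start inclusive, end exclusive, seconds since the epoch)."""
    secret: bytes
    send_start: int
    send_end: int
    recv_start: int
    recv_end: int


# Constructed key chain: receive lifetimes overlap so routers still sending
# with the old key are accepted while the area migrates to the new one.
CHAIN = [
    Key(b"old-shared-secret", send_start=0, send_end=1000, recv_start=0, recv_end=1100),
    Key(b"new-shared-secret", send_start=1000, send_end=2**31, recv_start=900, recv_end=2**31),
]


def send_key(chain: List[Key], now: int) -> Optional[Key]:
    """Key whose send lifetime covers 'now', or None if nothing can be sent."""
    return next((k for k in chain if k.send_start <= now < k.send_end), None)


def receive_keys(chain: List[Key], now: int) -> List[Key]:
    """Keys whose receive lifetime covers 'now'. TLV 10 carries no key
    identifier, so the receiver has to try each of them."""
    return [k for k in chain if k.recv_start <= now < k.recv_end]


def find_auth_tlv(pdu: bytes, header_len: int) -> Optional[int]:
    """Offset of the TLV 10 header, walking the TLVs that follow the header."""
    pos = header_len
    while pos + 2 <= len(pdu):
        tlv_type, length = pdu[pos], pdu[pos + 1]
        if pos + 2 + length > len(pdu):
            return None
        if tlv_type == TLV_AUTH:
            return pos
        pos += 2 + length
    return None


def sign_pdu(header: bytes, body: bytes, key: Key) -> bytes:
    """Append TLV 10 (type 54) with a zeroed digest, HMAC-MD5 the whole PDU
    under the shared secret, then write the digest into place."""
    tlv = bytes([TLV_AUTH, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
    pdu = bytearray(header + body + tlv)
    pdu[-DIGEST_LEN:] = hmac.new(key.secret, bytes(pdu), hashlib.md5).digest()
    return bytes(pdu)


def verify_pdu(pdu: bytes, header_len: int, chain: List[Key], now: int) -> bool:
    """Accept only if a key with an active receive lifetime reproduces the
    digest; with no active or matching key the PDU is discarded."""
    off = find_auth_tlv(pdu, header_len)
    if off is None or pdu[off + 1] != 1 + DIGEST_LEN or pdu[off + 2] != AUTH_HMAC_MD5:
        return False
    start = off + 3
    received = pdu[start:start + DIGEST_LEN]
    zeroed = bytearray(pdu)
    zeroed[start:start + DIGEST_LEN] = bytes(DIGEST_LEN)
    for key in receive_keys(chain, now):
        expected = hmac.new(key.secret, bytes(zeroed), hashlib.md5).digest()
        if hmac.compare_digest(expected, received):
            return True
    return False


def exchange(send_time: int, recv_time: int, tamper: bool = False) -> bool:
    """Sender signs with its active key at send_time; receiver verifies at
    recv_time. With tamper=True one octet of the area address is flipped."""
    key = send_key(CHAIN, send_time)
    if key is None:
        return False
    pdu = bytearray(sign_pdu(STUB_HEADER, BODY, key))
    if tamper:
        pdu[len(STUB_HEADER) + 3] ^= 0x01
    return verify_pdu(bytes(pdu), len(STUB_HEADER), CHAIN, recv_time)


def cleartext_exposes(password: bytes) -> bool:
    """Plain cleartext authentication (type 1) places the password itself in
    TLV 10, so it can be read straight out of a captured PDU."""
    tlv = bytes([TLV_AUTH, 1 + len(password), AUTH_CLEARTEXT]) + password
    return password in STUB_HEADER + BODY + tlv
```

The exchange helper shows the migration window: a PDU signed with the old key is still accepted at time 1050, but once the old key's receive lifetime ends at 1100 the same PDU is discarded.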

IS-IS

Intermediate System to Intermediate System Protocol (IS-IS) allows routing of ISO’s OSI protocol stack Connectionless Network Service (CLNS). IS-IS is an Interior Gateway Protocol (IGP) that isn't intended to be used between Autonomous Systems (AS).

IS-IS was developed by Digital Equipment Corporation and later standardized by ISO in 1992 as ISO 19589 (see RFC 1142, note that this RFC is different from the ISO version). About the same time, the Internet Engineering Task Force developed OSPF (see OSPF). After the initial version, IP support was added to IS-IS and this version was called Integrated IS-IS (see RFC 1195). Its widespread use started when an early version of IS-IS was included with BSD v4.3 Linux as the routed daemon. The routing algorithm used by IS-IS, the Bellman–Ford algorithm, first saw widespread use as the initial routing algorithm of the ARPANET.

IS-IS is a link state protocol that is well-suited to smaller networks. It's in widespread use and has near universal support on routing hardware. It's quick to configure and works well if there are no redundant paths. However, IS-IS updates are sent out node-by-node, so it can be slow to find a path around network outages. IS-IS also lacks good authentication, can't choose routes based on different quality of service methods, and can create network loops if you're not careful. IS-IS uses Djikstra’s algorithm to find the best path, like OSPF.

While OSPF is more widely known, IS-IS is a viable alternative to OSPF in enterprise networks and ISP infrastructures, largely due to its native support for IPv6 and its non-disruptive methods for splitting, merging, migrating, and renumbering network areas.

FortiGate supports IS-IS for IPv4 and IPv6.

How IS-IS works

As one of the original modern dynamic routing protocols, IS-IS is straightforward. Its routing algorithm isn't complex, there are some options to allow fine-tuning, and it's straightforward to configure IS-IS on a FortiGate.

From RFC 1142:

The routing algorithm used by the Decision Process is a shortest path first (SPF) algorithm. Instances of the algorithm are run independently and concurrently by all intermediate systems in a routing domain. IntraDomain routing of a PDU occurs on a hop-by-hop basis: that is, the algorithm determines only the next hop, not the complete path, that a data PDU will take to reach its destination.

IS-IS versus static routing

IS-IS was one of the earliest dynamic routing protocols to work with IP addresses. As such, it's not as complex as more recent protocols. However, IS-IS is a big step forward from simple static routing.

While IS-IS may be slow in response to network outages, static routing has zero response. The same is true for convergence: static routing has zero convergence. Both IS-IS and static routing have a limited hop count, so it's not a strength or a weakness.

TLV

IS-IS uses type-length-value (TLV) parameters to carry information in Link-State PDUs (LSPs). Each IS-IS LSP consists of a variable-length header to which TLVs are appended in order to extend IS-IS for IP routing. The TLV field consists of one octet of type (T), one octet of length (L), and “L” octets of value (V). They're included in all of the IS-IS Packet types. For a complete breakdown of the LSP, see LSP structure.

In IS-IS, TLVs are used to determine route-leaking and authentication and are also used for IPv4 and IPv6 awareness and reachability.

  • To determine which TLVs are responsible for route-leaking, see Default routing.
  • To determine which TLVs are responsible for authentication, see Authentication.

For a complete list of reserved TLV codepoints, refer to RFC 3359.

LSP structure

It's difficult to fully understand a routing protocol without knowing what information is carried in its packets. Knowing how routers exchange each type of information will help you better understand the IS-IS protocol and will allow you to configure your network more appropriately.

This section provides information about the contents of the IS-IS LSP. LSPs describe the network topology and can include IP routes and checksums.

NSAP and NET

IS-IS routing protocol utilizes ISO network addressing to identify network interfaces. The addresses are known as Network Service Access Points (NSAP). In general, IS-IS routers consist of only one NSAP, whereas IP addressing requires one IP address per interface.

In IS-IS, the NSAP address is translated into a Network Entity Title (NET), which is the same as the NSAP but can differentiate end systems by way of a byte called the n-selector (NSEL). In order for adjacencies to form in IS-IS, the NSEL must be set to zero, to indicate “this system”. The total NET can be anywhere between 8 and 20 bytes long due to the support for variable length area addressing.

The following diagram identifies the individual parts of the NSAP, with explanations below:

NSAP and NET example

  • AF: The Authority and Format Identifier (AFI) especifies the format of the addressing family used. IS-IS is designed to carry routing information for several different protocols. Each entry has an address family identifier that identifies the globally unique Interdomain Part (IDP). For example, 49 is the AFI for private addresses, whereas 47 is the AFI for international organizations.
  • IDI: The Initial Domain Identifier (IDI) identifies the routing domain within an interconnected network. The length of the IDI is typically determined by the AFI. If you are using an AFI of 49, you don't need to specify an IDI since the network is private.
  • HODSP: The High Order Domain-Specific Part (HODSP) identifies the unique address within a specific routing domain. Together, the AFI, IDI, and HODSP define the area address. All of the nodes within an area must have the same area address.
  • System ID: The System ID represents the 6-8 byte router identifier. The ID could be Media Access Control (MAC) format, as in the example above, or a static length IP address expressed in binary-coded decimal (BCD) format.
  • NSEL: The n-selector (NSEL), as previously described, identifies the network layer transport service and must always be set to zero for IS-IS NETs.

Parts and terminology of IS-IS

Before you can understand how IS-IS functions, you need to understand some of the main concepts and parts of IS-IS.

DIS election and pseudonode LSP

In IS-IS routing protocol, a single router is chosen to be the designated intermediate system (DIS). The election of the DIS is determined automatically and dynamically on the LAN depending on highest interface priority and the subnetwork point of attachment (SNPA). The FortiGate is typically the DIS, and each router in its LAN is an intermediate system (IS).

Unlike OSPF, which elects a designated router (DR) and backup designated router (BDR), the DIS has no backup and determines the election of a new DIS whenever a router is added to the LAN or whenever the current DIS drops. A backup DIS is irrelevant since all of the routers on an IS-IS system are synchronized, and the short Hello interval used by the DIS quickly detects failures and the subsequent replacement of the DIS.

Synchronization of all the nodes in an IS-IS area could prove troublesome when updating the network infrastructure and would demand ever-increasing resources each time a new router is added (at an exponential scale). For this purpose, the DIS creates a pseudonode, which is essentially a virtual, logical node representing the LAN. The pseudonode requests adjacency status from all the routers in a multi-access network by sending IS-IS Hello (IIH) PDUs to Level 1 and Level 2 routers (where Level 1 routers share the same address as the DIS and Level 2 routers do not). Using a pseudonode to alter the representation of the LAN in the link-state database (LSD) greatly reduces the amount of adjacencies that area routers have to report. In essence, a pseudonode collapses a LAN topology, which allows a more linear scale to link-state advertising.

In order to maintain the database synchronization, the DIS periodically sends complete sequence number packets (CSNPs) to all participating routers.

Packet types

Four general packet types (PDUs) are communicated through IS-IS, appearing at both Level 1 and Level 2. They are described below.

  • Intermediate System-to-Intermediate System Hello (IIH) PDU: As mentioned previously, the IIH PDU, or Hello packet, detects neighboring routers and indicates to the pseudonode the area’s adjacency mesh. The Hello packet, flooded to the multicast address, contains the system ID of the sending router, the holding time, the circuit type of the interface on which the PDU was sent, the PDU length, the DIS identifier, and the interface priority (used in DIS election). The Hello packet also informs its area routers that it is the DIS. Hello packets are padded to the maximum IS-IS PDU size of 1492 bytes (the full MTU size) to assist in the detection of transmission errors with large frames or with MTU mismatches between adjacencies. The DIS typically floods Hello packets to the entire LAN every three seconds.
  • Link-state PDU (LSP): The LSP contains information about each router in an area and its connected interfaces. LSPs are refreshed periodically and acknowledged on the network by way of sequence number PDUs. If new LSP information is found, based on the most recent complete sequence number PDU (CSNP), out-of-date entries in the link-state database (LSDB) are removed and the LSDB is updated. For a more detailed breakdown of the LSP, see LSP structure.
  • Complete sequence number PDU (CSNP): CSNPs contain a list of all LSPs in the current LSDB. The CSNP informs other area routers of missing or outdated links in the adjacency mesh. The receiving routers then use this information to update their own database to ensure that all area routers converge. In contrast to Hello packets, CSNPs are sent every ten seconds and only between neighbors. In other words, they're never flooded.
  • Partial sequence number PDU (PSNP): PSNPs are used to request and acknowledge LSP information from an adjacency. When a router compares a CSNP with its local database and determines a discrepancy, the router requests an updated LSP using a PSNP. Once received, the router stores the LSP in its local database and responds to the DIS with acknowledgement.

Default routing

The default route is used if there are no other routes in the routing table or if none of the other routes apply to a destination. Including the gateway in the default route gives all traffic a next-hop address to use when leaving the local network. The gateway address is normally another router on the edge of the local network.

FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, an administration distance of 10, and a gateway IPv4 address. Beginner administrators can use the default route settings until a more advanced configuration is warranted.

By default, all routes are displayed in the Routing Monitor list. To display the routes in the routing table, go to Monitor > Routing Monitor.

Route leaking

Route leaking is a term that's used to describe the bidirectional flow of information between internal and external routing interfaces. By default, IS-IS leaks routing information from a Level 1 area into a Level 2 area. In order to leak Level 2 routing information into a Level 1 area, you must configure an export policy. The ATT bit uses Type Level Value (TLV) 128 (for internal reachability) and TLV 130 (for external IP address information) to determine whether or not a route is leaked. For more information about TLVs, see Troubleshooting IS-IS.

To configure IS-IS route leaking - CLI:
  • On a Level 1-2 router:

config router isis

set {redistribute-l2|redistribute6-l2} enable

end

  • On a Level 1 router:

config router isis

get router {info|info6} routing-table isis

get router {info|info6} isis route

end

Default information originate

You can enable the default-information-originate option to generate and advertise a default route into the FortiGate device's IS-IS-enabled networks. The generated route may be based on routes that the FortiGate learns through a dynamic routing protocol, routes in the routing table, or both. IS-IS doesn't create the default route unless you use the alwaysoption.

If you experience any issues or if you wish to advertise your own static routes into IS-IS updates, set this to disable.

To enable the default information originate option - CLI:

config router isis

set {default-originate | default-originate6}

end

Timer options

IS-IS uses various timers to regulate its performance, including garbage, update, and timeout timers. The FortiGate unit default timer settings (30, 180, and 120 seconds respectively) are effective in most configurations. If you change these settings, ensure that the new settings are compatible with local routers and access servers.

To configure the IS-IS timers - CLI:

config router isis

set update-timer <seconds>

set timeout-timer <seconds>

set garbage-timer <seconds>

end

You will find more information on each timer below.

Update timer

The update timer sets the interval between routing updates; the usual value is 30 seconds. A small random jitter is added to the interval so that all routers don't attempt to update their neighbors at the same moment, which would cause bursts of traffic. The update interval must be no more than one third of the timeout interval, or the FortiGate reports an error.

If your network carries significant traffic, you can increase this interval to send fewer updates per minute. However, increase it on all the routers in the network; otherwise routers with the longer interval will be timed out by their neighbors, and the resulting route flaps will degrade network performance.

Timeout timer

The timeout timer is the maximum time (in seconds) that a route is considered reachable while no updates for it are received. This is the maximum time the DIS (Designated Intermediate System) keeps a reachable route in the routing table while no updates for that route arrive. If the DIS receives an update for the route before the timeout period expires, the timer restarts. The timeout interval must be at least three times the update interval, or the FortiGate reports an error.

If routers are not responding to updates in time, increase this timer. Remember, however, that a longer timeout means a longer overall convergence time: the DIS may wait a considerable time for the timers on unresponsive routes to expire before it withdraws them.

Garbage timer

The garbage timer is the time (in seconds) that the DIS continues to advertise a route as unreachable before deleting it from the routing table. A shorter garbage timer removes stale routes sooner and keeps the routing table smaller and more current, which is useful if you have a very large network or if your network changes frequently.

IS-IS interface advertisements

You can use the adv-passive-only CLI command to configure which IS-IS interfaces the FortiGate advertises. If you set this command to enable, the FortiGate advertises only passive interfaces. If you set this to disable, the FortiGate advertises all IS-IS enabled interfaces.

To configure IS-IS interface advertisements - CLI:

config router isis

set {adv-passive-only|adv-passive-only6} {enable | disable}

end

Loopback interfaces

You can configure loopback interfaces to run IS-IS.

To configure loopback interfaces to run IS-IS - CLI:

config router isis

config isis-interface

edit <name>

set network-type loopback

end

end

Authentication

In routing protocols, it's typically desirable to establish authentication rules that prevent malicious or otherwise unwanted routing information from being injected into the routing table. IS-IS carries its authentication data in TLV 10. For more information about TLVs, see TLV.

Initially, IS-IS supported only cleartext password authentication. This is insecure: the password travels unencrypted in every PDU, so anyone who can sniff the link can read it and reuse it to inject routes. RFC 3567 introduced HMAC-MD5 authentication, which replaces the password on the wire with a keyed digest of the PDU; the shared secret itself is never transmitted, and any modification of the PDU in transit invalidates the digest. Enhanced cleartext authentication was introduced alongside it. Note that enhanced cleartext protects the password only in the stored configuration, not on the wire; only HMAC-MD5 (and the later HMAC-SHA mechanism of RFC 5310) protects the PDU itself.

HMAC-MD5 authentication

Hashed Message Authentication Code - Message Digest 5 (HMAC-MD5) applies a cryptographic hash function, keyed with a shared secret, to the message authentication process. It is available at both Level 1 and Level 2. In IS-IS, HMAC-MD5 can be applied to LSPs and to the other IS-IS PDU types (hellos and sequence number PDUs), on different interfaces, and with different passwords.

The authentication data is a keyed hash computed with an AH (Authentication Header) key. From RFC 2085:

The “AH Key” is used as a shared secret between two communicating parties. The Key is not a “cryptographic key” as used in a traditional sense. Instead, the AH key (shared secret) is hashed with the transmitted data and thus, assures that an intervening party cannot duplicate the authentication data. [...] Implementation should, and as frequently as possible, change the AH key. Keys need to be chosen at random, or generated using a cryptographically strong pseudo-random generator seeded with a random seed.

Cleartext authentication uses the area-password and domain-password configuration commands. When you migrate from cleartext authentication to HMAC-MD5, these settings are overwritten automatically.

By 2005, the MD5 hash function had been shown to be vulnerable to collision attacks and other weaknesses. Collision attacks don't directly break MD5 as used inside HMAC, whose security rests on the secrecy and quality of the key rather than on collision resistance. Administrators should nevertheless follow developments in cryptanalysis, because the underlying hash function will likely need to be replaced; RFC 5310 already defines a generic IS-IS authentication mechanism that uses the HMAC-SHA family.

Enhanced cleartext authentication

Enhanced cleartext authentication is an extension to cleartext authentication that stores and displays passwords in encrypted form in the configuration. It adds a set of authentication mode commands and an authentication key chain, which make password changes and password management simpler. Enhanced cleartext authentication also provides for smoother migration between authentication types: intermediate systems continue to use the original authentication method until all the routers in the area have been updated to use the new one.

Authentication key chain

A key chain is a list of one or more authentication keys, each with its own send lifetime and receive lifetime. A key is used to authenticate routing packets only during its lifetimes: a router sends with the key whose send lifetime is current and accepts packets authenticated with any key whose receive lifetime is current, so it migrates from one key to the next on the scheduled times. Overlapping receive lifetimes let packets signed with the old key still be accepted while neighbors roll over. If no key is active when a PDU is sent or received, the PDU is discarded.

From RFC 5310:

It should be noted that the cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function and on the size and quality of the key.
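The following is an added example, not FortiGate code, that puts the HMAC-MD5 and key chain descriptions above into working form: it builds a Level 1 LSP carrying TLV 10 with HMAC-MD5 as specified in RFC 3567 (the digest covers the whole PDU with the authentication value, the remaining lifetime and the checksum zeroed), verifies it, rejects cleartext or tampered PDUs, and chooses keys from a key chain by send and receive lifetime. The LSP contents, key names, secrets and lifetimes are constructed for this example.

```python
# Added example (illustration, not FortiOS code): build and verify the IS-IS
# Authentication TLV (TLV 10) with HMAC-MD5 as specified in RFC 3567, selecting
# the key from a key chain by send/receive lifetime. The PDU layout is the
# standard L1 LSP header; LSP contents, key names, secrets and lifetimes are
# constructed for this example.
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

AUTH_TLV = 10
AUTH_CLEARTEXT = 1        # RFC 1195 cleartext password
AUTH_HMAC_MD5 = 54        # RFC 3567
DIGEST_LEN = 16
HDR_LEN = 27              # 8-byte common header + 19-byte L1 LSP header
LEN_OFF, LIFETIME_OFF, CKSUM_OFF = 8, 10, 24   # PDU length, remaining lifetime, checksum

def build_lsp(lsp_id: bytes, seq: int, tlvs, lifetime: int = 1199) -> bytes:
    """Assemble a Level 1 LSP: common header, LSP header, then TLVs.
    The checksum stays zero in this model; the digest is filled in by sign_lsp."""
    common = bytes([0x83, HDR_LEN, 1, 0, 18, 1, 0, 0])      # PDU type 18 = L1 LSP
    lsp_hdr = struct.pack("!HH8sIHB", 0, lifetime, lsp_id, seq, 0, 0x01)
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in tlvs)
    pdu = bytearray(common + lsp_hdr + body)
    struct.pack_into("!H", pdu, LEN_OFF, len(pdu))
    return bytes(pdu)

def parse_tlvs(pdu: bytes):
    """Yield (type, offset_of_value, value) for each TLV following the header."""
    i = HDR_LEN
    while i + 2 <= len(pdu):
        t, length = pdu[i], pdu[i + 1]
        yield t, i + 2, pdu[i + 2:i + 2 + length]
        i += 2 + length

def hash_input(pdu: bytes, digest_off: int) -> bytes:
    """RFC 3567 section 3: hash the whole PDU with the authentication value zeroed,
    and with remaining lifetime and checksum zeroed because both change in transit."""
    buf = bytearray(pdu)
    buf[digest_off:digest_off + DIGEST_LEN] = bytes(DIGEST_LEN)
    buf[LIFETIME_OFF:LIFETIME_OFF + 2] = b"\x00\x00"
    buf[CKSUM_OFF:CKSUM_OFF + 2] = b"\x00\x00"
    return bytes(buf)

def sign_lsp(pdu: bytes, key: bytes) -> bytes:
    """Fill the HMAC-MD5 digest into the PDU's authentication TLV."""
    for t, off, val in parse_tlvs(pdu):
        if t == AUTH_TLV and val and val[0] == AUTH_HMAC_MD5:
            digest_off = off + 1
            mac = hmac.new(key, hash_input(pdu, digest_off), hashlib.md5).digest()
            return pdu[:digest_off] + mac + pdu[digest_off + DIGEST_LEN:]
    raise ValueError("PDU carries no HMAC-MD5 authentication TLV")

def verify_lsp(pdu: bytes, keys) -> bool:
    """Accept only if TLV 10 is HMAC-MD5 and the digest matches one of `keys`;
    a cleartext, malformed or missing authentication TLV is rejected."""
    for t, off, val in parse_tlvs(pdu):
        if t != AUTH_TLV:
            continue
        if len(val) != 1 + DIGEST_LEN or val[0] != AUTH_HMAC_MD5:
            return False
        data = hash_input(pdu, off + 1)
        return any(hmac.compare_digest(val[1:], hmac.new(k, data, hashlib.md5).digest())
                   for k in keys)
    return False

# Constructed key chain: (name, secret, send_start, send_end, recv_start, recv_end).
# Receive lifetimes overlap the rollover so PDUs signed with the old key are still
# accepted for a while after senders have switched to the new one.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
H = timedelta(hours=1)
KEYCHAIN = [
    ("k1", b"old-secret", T0, T0 + 1 * H, T0 - 1 * H, T0 + 2 * H),
    ("k2", b"new-secret", T0 + 1 * H, T0 + 24 * H, T0 + 1 * H, T0 + 24 * H),
]

def send_key(now):
    """The secret whose send lifetime covers `now`, or None (nothing may be sent)."""
    for _, secret, s0, s1, _, _ in KEYCHAIN:
        if s0 <= now < s1:
            return secret
    return None

def receive_keys(now):
    """All secrets whose receive lifetime covers `now`."""
    return [secret for _, secret, _, _, r0, r1 in KEYCHAIN if r0 <= now < r1]

def make_signed_lsp(now, seq=1):
    """Originate an LSP (area 49.0001) with an HMAC-MD5 TLV 10, or None if no send key is active."""
    secret = send_key(now)
    if secret is None:
        return None
    tlvs = [(1, b"\x03\x49\x00\x01"),                         # area address TLV
            (AUTH_TLV, bytes([AUTH_HMAC_MD5]) + bytes(DIGEST_LEN))]
    return sign_lsp(build_lsp(bytes.fromhex("1921680000010000"), seq, tlvs), secret)

def make_cleartext_lsp(password: bytes, seq=1):
    """The same LSP with RFC 1195 cleartext authentication, for comparison."""
    tlvs = [(1, b"\x03\x49\x00\x01"), (AUTH_TLV, bytes([AUTH_CLEARTEXT]) + password)]
    return build_lsp(bytes.fromhex("1921680000010000"), seq, tlvs)
```

Two details are worth noting. The remaining lifetime is excluded from the digest because every router decrements it as the LSP is flooded, so a PDU whose lifetime has aged still verifies while any change to the routing content does not. And because an LSP signed with k1 is still accepted by receivers while k1's receive lifetime runs, the overlap between k1's receive window and k2's send window is what makes the key rollover non-disruptive.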