Thanks to advantages such as stability, fast convergence and high scalability, the IS-IS protocol is a popular routing protocol used by network operators, service providers and large enterprises. In this blog, we explore IS-IS Purge Originator Identification (POI), a mechanism used by the IS-IS protocol to identify the router that initiated a purge of a Link State PDU (LSP) entry from the link-state database. Purging is usually done when a router has been removed from the network and the content of its LSP is no longer valid, but it can also occur during a network attack, where an LSP is maliciously generated with a low remaining lifetime, which then causes a purge.
Under these circumstances, network engineers managing networks with thousands of devices need to identify which intermediate system (IS) initiated the LSP purge and why. This is where POI helps. Before we explain how, let's have a quick IS-IS routing refresher.
Intermediate System to Intermediate System (IS-IS) is an interior gateway protocol used for routing within an administrative domain or network. An IS-IS network is called a routing domain and consists of end systems and intermediate systems. End systems are hosts that send and receive packets, whereas intermediate systems (usually routers) can send, receive and forward packets. In IS-IS, the routing domain is divided into smaller groups known as areas, and the intermediate systems are organized hierarchically into Level 1 and Level 2 systems. Level 1 systems route within an area, and Level 2 systems route between areas and to other autonomous systems (AS).
IS-IS is a link state routing protocol and operates by flooding the link state information through the network. Every time something changes in the network topology, an LSP is regenerated and flooded by the IS-IS router. The other IS-IS routers then build a complete network connectivity map by aggregating the flooded topology information. Let us now examine the various IS-IS packets.
IS-IS routing uses the following packets to exchange routing information:
IS-IS Hello PDU (IIH) – Sent to discover neighboring IS-IS systems and establish adjacencies with other routers.
Link State PDU (LSP) – Contains information about the adjacencies to neighboring IS-IS systems. LSPs are periodically flooded throughout an area. Two primary LSP attributes are the sequence number and the remaining lifetime. The sequence number identifies which instance of an LSP is the latest, and the remaining lifetime is the number of seconds before the LSP expires.
Sequence Number PDU (SNP) – SNPs are used to maintain the link state database. There are two types of SNPs: CSNP and PSNP.
Complete Sequence Number PDUs (CSNP) are periodically sent out and contain information about the complete list of all LSPs in the link state database. The receiving systems use information from the CSNP to update their link state database. If a router finds newer LSPs in a CSNP, the older entries are purged, and the link state database is updated with the newer entries. Partial Sequence Number PDUs (PSNP) are used to describe a few LSPs rather than the entire link state database. PSNPs are used by IS-IS routers to request missing or updated LSPs.
As we stated at the beginning of this blog, an LSP purge can occur when a router is down and has been removed from the network, so that its LSP information is outdated. But a purge can also be triggered with malicious intent, where a spoofed LSP with its lifetime set to zero or a low value is used to purge a valid LSP, leading to network issues and downtime.
When the IS-IS protocol purges an LSP entry from the LSP database, the purge is flooded throughout the area. But if a network engineer needs to find the cause of the purge, this is difficult, because the purge itself carries nothing that identifies the router from which it was initiated. This is where Purge Originator Identification (POI), defined in RFC 6232, helps.
POI defines a type-length-value (TLV) element that must be added to purges to record the system ID of the intermediate system (IS) that initiated the purge. Thus, an IS that generates a purge must include the TLV carrying its own system ID, and an IS that receives a purge propagates the TLV along with it.
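Here is how a route-analytics tool could pull the originator out of a received purge. This is an added example written for this post, not code from the post or from any vendor; it assumes the TLV layout of RFC 6232 (type 13, a count octet followed by one or two 6-octet system IDs, the second being the IS from which the purge was received) and that the LSP header has already been parsed into its remaining lifetime, LSP ID and TLV area.

```python
# Added example (not vendor or RFC code): decode the RFC 6232 POI TLV from a purged LSP.
# Assumes 6-octet system IDs and a caller that already parsed the LSP header fields.
from typing import Dict, List, Optional, Tuple

POI_TLV_TYPE = 13    # IANA IS-IS TLV code point for Purge Originator Identification
SYSTEM_ID_LEN = 6    # conventional IS-IS system ID length in octets

def parse_tlvs(tlv_area: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV area of a PDU: 1-octet type, 1-octet length, value."""
    tlvs, pos = [], 0
    while pos + 2 <= len(tlv_area):
        tlv_type, length = tlv_area[pos], tlv_area[pos + 1]
        value = tlv_area[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {tlv_type} at offset {pos}")
        tlvs.append((tlv_type, value))
        pos += 2 + length
    if pos != len(tlv_area):
        raise ValueError("trailing bytes after last TLV")
    return tlvs

def format_system_id(raw: bytes) -> str:
    """Render 6 octets in the usual xxxx.xxxx.xxxx notation."""
    hex_id = raw.hex()
    return ".".join(hex_id[i:i + 4] for i in range(0, len(hex_id), 4))

def decode_poi(value: bytes) -> Dict[str, Optional[str]]:
    """POI value: ID count (1 or 2), originator ID, optional ID of the IS the purge came from."""
    count = value[0] if value else 0
    if count not in (1, 2) or len(value) != 1 + count * SYSTEM_ID_LEN:
        raise ValueError("malformed POI TLV")
    originator = format_system_id(value[1:1 + SYSTEM_ID_LEN])
    upstream = format_system_id(value[1 + SYSTEM_ID_LEN:]) if count == 2 else None
    return {"originator": originator, "received_from": upstream}

def classify_lsp(remaining_lifetime: int, lsp_id: str, tlv_area: bytes) -> Dict:
    """Build the record a route-analytics alert would carry for a received LSP."""
    record = {"lsp_id": lsp_id, "purge": remaining_lifetime == 0,
              "originator": None, "received_from": None}
    if not record["purge"]:
        return record        # ordinary LSP refresh, nothing to report
    poi_values = [v for t, v in parse_tlvs(tlv_area) if t == POI_TLV_TYPE]
    if poi_values:
        record.update(decode_poi(poi_values[0]))
    return record            # originator still None: purge with no POI, worth an alert

# Constructed sample TLV areas, not captured traffic. Type 137 is the Dynamic Hostname TLV.
ORIGINATOR, UPSTREAM = bytes.fromhex("192168002002"), bytes.fromhex("192168003003")
PURGE_WITH_POI = bytes([POI_TLV_TYPE, 13, 2]) + ORIGINATOR + UPSTREAM + bytes([137, 4]) + b"rtrA"
PURGE_WITHOUT_POI = bytes([137, 4]) + b"rtrA"
```

A purge whose record comes back with `originator` still `None` is exactly the case the post describes: an expired or spoofed LSP that nothing in the flooded data attributes to a router.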
Network engineers need to know the cause of a purge. By using route analytics tools that check for the IS-IS Purge Originator Identification TLV and generate alerts, network operators can quickly find the intermediate system that originated the purge and the upstream reporter of the purge. Engineers managing IS-IS networks with thousands of routers can then quickly determine whether the purge of an LSP was expected, due to the planned removal of a router, or whether it was an unexpected network or security issue that needs further analysis.