blog
    OSPF Route Poisoning Tech ...
    06 March 19

    OSPF Route Poisoning Techniques

    Posted byKeith Bogart
    facebooktwitterlinkedin
    news-featured

    switch-3297900_1280

    OSPF Route Poisoning Techniques

    When first learning about IGP Routing Protocols, much time is spent learning about how routers form neighborships (if they do at all) and how new routing updates are exchanged. Little, if any, time is spent describing the process by which routers inform each other of prefixes that have gone down, and the mechanics involved in doing so.

    This blog post seeks to rectify that situation with regards to the OSPFv2 Routing Protocol.

    Every standardized routing protocol has some way of informing peers about routes that have become inaccessible.

    In this post, let’s look at the process that OSPFv2 uses to mark routes as inaccessible.

    OSPFv2

    Because I’m lazy, I’m going to write “OSPF” in this blog, but just know that I’m talking about OSPFv2 (the IPv4 version of OSPF). I’m going to assume that you already know the basics of how to configure OSPFv2, so that won’t be shown here.

    A prefix that is lost in OSPF can originate in one of three places, and where it originated determines how routers are informed when it goes away;

    • Intra-Area prefix (a prefix that goes down in your own, local area)
    • Inter-Area prefix (a prefix that goes down in a non-local area)
    • External prefix (a prefix that was redistributed into OSPF by an ASBR becomes inaccessible).

    Below is the basic topology I’ll be using for all of my demonstrations and screenshots;

    null

    Let’s start by seeing what happens when an OSPF Intra-Area route goes away.

     

    Poisoning Intra-Area Routes

    At the moment, router R1 has advertised its Loopback-1 prefix into OSPF using a Type-1 Router LSA. Because it is a Loopback interface, the configured subnet mask is ignored (a /32 is advertised by default) and the Link-Type is described as “Stub.”

    null

    Here is how that same LSA is viewed using Cisco IOS commands in router R1 (that originated the LSA);

    null

    Pay special attention to the “LS Age” field in the LSA. Recall that (by default) LSAs are only valid for a maximum of 3,600 seconds (one hour). This is called their “lifetime”. And the owners/originators of LSAs (who list themselves in the LSA as the “Advertising Router”) must refresh any LSAs they create every 1800-seconds. The age of 284 (as shown in the image above) reflects an LSA that has been “alive” for 284-seconds. This should not exceed the value of 1800 before it needs to be refreshed.

    Also view the LS Seq Number field. When an LSA is first created it starts with a default sequence value of 80000001. As we see in this output, this LSA has been regenerated twice because it currently contains an LS Sequence of 80000003.

    These two fields will play a special role when LSAs need to be poisoned or refreshed due to a link failure.

    Now...what will happen when Loopback-1 is disabled in Router-1?

    null

     

    null

    Notice that the 111.111.111.1/32 address (that was visible in the previous instance of this LSA) is now missing. Our takeaway from this is that when a router loses one of its directly-connected prefixes it will:

    1. Regenerate its own Type-1 Router-LSA
    2. Reset the LS-Age back to 1-second
    3. Increment the Sequence Number by one
    4. Simply remove from the LSA any reference to the link that has gone down.

    Because this Type-1 Router LSA will be flooded by all routers in the local area, this is the method by which all routers within a given area learn of an Intra-Area link that has gone down.

    Let’s go back to our topology again, and now ask the question, “How do routers in other areas (such as Area-0) learn that this prefix has been lost?”

    null

     

    Poisoning Inter-Area Routes

    In this topology, router R2 is an Area Border Router (ABR). As such, it is the responsibility of R2 to extract the networks it has learned about in Area-1 (by virtue of having received Type-1 Router and Type-2 Network LSAs) and create its own Type-3 Summary LSA which it will use to advertise those subnets into an adjacent area (Area-0). Of course the same process happens for routes learned from Area-0 that it needs to inject into Area-1.

    One of the many differences between Type-1 Router LSAs and Type-3 Summary LSAs is that a single Type-1 Router LSA (as we previously saw) can contain references to more-than-one link. This translates to the fact that a single Type-1 Router LSA can be used to advertise multiple IP subnets (depending on how the links are described within the LSA) that a router owns. This is not the case with Type-3 Summary LSAs.

    An ABR is required to create a unique Type-3 Summary LSA for every network it wishes to advertise into an adjacent area. This means, that if a network disappears (such as what just happened with Loopback-1’s network on R1) the ABR can’t simply stop advertising that network. If that were the case, the most recent Type-3 Summary LSA that originally advertised the network would remain in the OSPF Link State Database of all routers (outside of the area where the prefix actually lives) for 1-hour and take equally long to be purged from the IP Routing Table. That would not be acceptable. So when an ABR learns of a route that has become inaccessible, it must explicitly poison its Type-3 Summary LSA that advertised that route.

    Here is what the Type-3 Summary LSA looks like in the OSPF Link-State Database of all routers in Area-0 (containing the network 111.111.111.1/32; Loopback-1 of R1);

    null

    Now let’s see how our ABR “poisons” this LSA once it learns from R1 that the network is gone;

    null

    Notice that the ABR performs the following actions upon receiving either a Type-1 Router LSA (or a Type-2 Network LSA) indicating that a route in its local area has vanished;

    1. The ABR notes the current sequence number of the Type-3 Summary LSA that the local ABR owns, the one it used to advertise this network into adjacent areas.
    2. The ABR creates a new Type-3 Summary LSA for the inaccessible subnet, incrementing the sequence number by one over the current sequence number.
    3. The intent of the new Type-3 Summary LSA is to advertise that the network has become inaccessible/unreachable. In order to do this the ABR;
      1. Increases the LS-Age field to the maximum age (3600-seconds).
      2. Increases the cost of the LSA to the maximum value that a 24-bit field will carry, namely 16,777,215
    4. The ABR purges the old LSA from its Link State Database.

    Note that if there were another ABR on the far side of Area-0 (that perhaps connected to Area-2), when that ABR received the poisoned Type-3 Summary LSA for the 111.111.111.1/32 subnet, it would be responsible for replicating this same process on its own Type-3 Summary LSA. Remember, that Type-3 Summary LSAs (just like Type-1 Router LSAs and Type-2 Network LSAs) are only allowed to be flooded into a local area. They are not allowed to be flooded between areas. The ONLY type of LSA that can be flooded between multiple areas is the Type-5 External LSA (carrying redistributed routes).

    null

    Lastly, let’s explore how an ASBR will mark a route that has been redistributed as inaccessible.

     

    Poisoning External Routes

    In this topology, router R1 is serving as an ASBR because it is redistributing a connected network (11.1.1.0/24 on Loopback-0). Redistribution will cause the ASBR to generate a Type-5 External LSA, which will then be flooded throughout the entire OSPF domain (unless parts of the domain contain Stub areas, in which case Type-5 External LSAs are not allowed into those areas).

    Here we can see what that External LSA looks like as it sits within the OSPF Link State Database of any given router in the OSPF domain;

    null

    And here is a sniffer trace of the Link State Update packet that carried this Type-5 External LSA throughout the entire OSPF domain;

    null

    Just as an ABR must create a single, unique Type-3 Summary LSA for each network it advertises from one area into another, the same is true of ASBRs. If an ASBR is redistributing 500 routes, it must generate 500 Type-5 External LSAs (or Type-7 NSSA-External LSAs if redistributing into a NSSA).

    So...just as it is the responsibility of an ABR to poison any LSA that references a route that is no longer reachable...similarly, an ASBR is in charge of poisoning any of its Type-5 External LSAs that are no longer accessible, and it does it the same way that ABRs do;

    null

    Namely, when an ASBR discovers that one of its redistributed routes has become inaccessible;

    The ASBR notes the current sequence number of the Type-5 External LSA that it most recently generated to advertise this network into the entire OSPF domain.

    1. The ASBR creates a new Type-5 External LSA for the inaccessible subnet, incrementing the sequence number by one over the current sequence number.
    2. The intent of the new Type-5 External LSA is to advertise that the network has become inaccessible/unreachable. In order to do this the ASBR;
      1.  Increases the LS-Age field to the maximum age (3600-seconds).
      2. Increases the cost of the LSA to the maximum value that a 24-bit field will carry, namely 16,777,215
    3. The ASBR purges the old LSA from its Link State Database.

    And that’s it! Hopefully this post has clarified in your mind the process that OSPFv2 uses to poison LSAs and purge entries from its Link State Database.

     

    Hey! Don’t miss anything - subscribe to our newsletter!

    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo