| Internet-Draft | IS-IS Packet Timestamping | July 2026 |
| Przygienda, et al. | Expires 2 January 2027 | [Page] |
Many applications in today’s networks rely on reliable and timely flooding of link-state information, such as, but not limited to Traffic Engineered networks. If such link-state information is delayed it can be difficult for those applications to adequately fulfill their intended functionality. This document describes extensions to ISIS supporting distribution of fragment origination time. The origination time can be used to aid troubleshooting and/or by the applications themselves to improve their behavior. Timestamping can be also used to detect replay attack which are not addressed in IS-IS currently.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 2 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Many applications in today’s networks rely on safe, reliable and timely flooding of link-state information, such as, but not limited to Traffic Engineered networks and advanced telemetry solutions. If such information is delayed during flooding it can be difficult for those applications to adequately fulfill their intended purpose. This document describes extensions to ISIS allowing it to carry the origination time on each packet. The origination time can be used to aid troubleshooting of large domains and/or by the applications themselves to improve their behavior. Further, the addition of timestamps into IS-IS packets allows to address replay attacks. Thus, IIHs can carry optional timestamps and LSPs will additionally contain in the timestamp the original lifetime used when originating the fragment in question.¶
As an example, in the case of Traffic Engineered Networks synchronization of the Traffic Engineering Database (TED) enables the compute nodes to adapt to changes in the network state and/or react to network events in a timely manner. If link state information is delayed during the flooding process this can result in an unsynchronized TED and easily lead to service degradation due to substandard re-optimization of network load. More specifically, in RSVP-TE networks, a TE path computed using a specific snapshot of the TED may be rejected during signaling by a transit node because of bandwidth unavailability on a specific link (link bandwidth information in the snapshot of TED used during computation may not be “current”). When the ingress is subsequently notified of this “error” via RSVP signaling, the link in question is avoided in the subsequent path computation and an alternate path is sought. An implementation may use a configurable “hold time” to determine how long this link needs to be avoided. The awareness of the distribution delay statistics can be used by implementations to dynamically adapt an appropriate “hold time” for a given TE link (instead of using a blanket topology-wide configuration). Therefore, the origination time proposed in this document is meant to be used by a compute node(s) or by an operator of Traffic Engineered Network to measure any delays incurred in TED synchronization. The awareness of delays in the distribution of information can be incorporated further into algorithms and network tooling to improve the responsiveness and quality of decisions taken.¶
As a second application, attackers attempting to replay previously recorded authenticated exchanges between nodes will be deflected by the timestamping mechanism refusing to accept packets failing the required sanity checks. Such a protection relies however on quite closely synchronized clocks which in itself is an chicken-and-egg problem given predominant dependency on mechanisms such as NTP [RFC5905] that rely themselves on forwarding decisions and resulting server connectivity. This document presents a framework where adjacencies can be formed using a roughly accurate time derived from neighbor's precise time before local clock is synchronized fully.¶
The following terms are used throughout this document:¶
This section defines two new, optional TLVs for carrying timestamps in ISIS packets. The two TLVs are distinguished by type code: the Adjacency Timestamp TLV is used in IIH, SNP, CSNP, and ASH packets, while the LSP Timestamp TLV is used exclusively in LSPs and carries the originating lifetime of the fragment. In case of multiple instances of a timestamp TLV in a packet are present, the first one MUST be processed, and any later ones MUST be ignored. The absence of a timestamp TLV signifies that the node does not have a usable time source or does not support timestamping at all.¶
A node that includes a timestamp TLV MUST ensure that the time value carried is strictly monotonically increasing across successive packets of the same type on the same adjacency (for Adjacency Timestamps) and monotonically for the same LSP fragment (for LSP Timestamps). An implementation MUST NOT send a timestamp with a value equal (and for Adjacency Timestamp also less than) to the last timestamp it sent in the same context, even if the local clock is adjusted backwards. In such cases the implementation MUST hold off sending until the clock advances until it reaches an acceptable value.¶
Both TLVs share a common time encoding. To save space the timestamp follows semantically the NTP seconds epoch [RFC5905] with the exception of an extra bit in the seconds field to extend the wrap around and carrying approximately 1 millisecond resolution in the fractional part of the timestamp since this is considered sufficient for link-state purposes. The specification follows further guidelines of [RFC8877] as far as possible.¶
When present in an IIH, SNP, CSNP, or ASH packet, this TLV carries the origination time of the packet. A node without a usable time source MUST NOT include this TLV.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |H|P| Fraction | Precs | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
When contained in a fragment this TLV indicates the point in time the fragment with the current sequence number has been generated and carries the original lifetime used. A node without a usable time source MUST NOT include this TLV.¶
For practical purposes, although desirable, timestamping the moment a fragment is flooded would be preferable but beside practical implementation problems this could generate on different interfaces the same fragment with different content which breaks one of the fundamental tenants of link-state protocols. However, an implementation is free to choose to use, e.g. the moment the fragment is queued for flooding first time rather than the time the version is generated.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |H|P| Fraction | Precs | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Originating Lifetime | +-------------------------------+
The timestamp field MUST NOT be used if the packet is not authenticated by cryptographic signature or hash. Further considerations are outlined in Section 7.¶
Packets arriving on the wire SHOULD undergo timestamp sanity checking as soon as possible after being cryptographically authenticated.¶
The following intervals are used throughout this section:¶
When timestamped, packets can be protected against replay attacks by following acceptance rules.¶
A node MUST track per adjacency the timestamp value last accepted from the neighbor (the "last-iih-timestamp-seen", "last-snp-timestamp-seen" and "last-ash-timestamp-seen"). All these values are reset when the adjacency transitions to Down state.¶
The following rules govern acceptance of IIH, SNP and ASH packets with respect to timestamping:¶
Clearing last-iih-timestamp-seen on transition into Down state is not sufficient to prevent permanent lockout. Consider the following scenario: the adjacency is already in Down state, a valid timestamped IIH arrives from the neighbor (setting last-iih-timestamp-seen), and the neighbor then reboots without support of timestamping. The rebooted neighbor now sends IIHs without the Adjacency Timestamp TLV forever, which are dropped because last-iih-timestamp-seen is set. Since the adjacency is already Down, no hold timer is running to expire it and trigger a fresh Down transition that would clear the value. The adjacency is permanently stuck.¶
The inactivity reset rule above resolves this: if no valid timestamped packet is accepted within the hold period (regardless of adjacency state), last-*-timestamp-seen variables are cleared unconditionally. This allows the adjacency formation to proceed once the rebooted neighbor resumes sending IIHs (with or without timestamps).¶
When a node reboots and has lost its clock, the neighbor's last-iih-timestamp-seen still holds the value from before the reboot. The rebooted node cannot send a timestamp higher than this value because it has no time source. Two recovery paths exist:¶
The following diagrams illustrate the temporal relationships between originating timestamp, originating lifetime, LSP remaining lifetime, and the acceptance window. We use the term time-in-transit to indicate (originating lifetime - current lsp lifetime).¶
Normal LSP in transit: orig_ts now orig_ts + orig_lifetime | | | |=================================|=======================| |<--- elapsed since origination ->|<-- lsp_lifetime ----->| | | | |<-------------- orig_lifetime (from Timestamp TLV) ----->| Invariant: orig_ts + orig_lifetime - lsp_lifetime ≈ now (the difference is propagation delay + processing)
Acceptance window for (orig_ts + lsp_lifetime):
|L| now |L|
<-> | <->
REJECT |<============ ACCEPT WINDOW ===============>| REJECT
| |
| now - L now + L |
- orig_ts + time-in-transit must fall within [now - |L, now + |L]
- lsp_lifetime must be ≤ orig_lifetime
- orig_ts + time-in-transit must be > last accepted timestamp (strictly monotonic)
A node MUST track per LSP fragment the timestamp value last accepted as the "last-fragment-timestamp-seen". This variable is set when a timestamped fragment is accepted and is used to enforce monotonicity across successive instances of the same fragment. If a newer, authenticated fragment (as determined by standard IS-IS fragment comparison rules) arrives without an LSP Timestamp TLV, it MUST be accepted normally and last-fragment-timestamp-seen MUST be cleared for that fragment. This covers the case of a node that was downgraded or lost its clock and is re-originating without timestamps. To prevent a chain of attacks with pre-recorded higher fragment version numbers without timestamps a node MAY decide to issue timestamped newer versions the fragment with a large increment in case of such an attack.¶
When timestamped, LSPs packets which are not purges and trigger any of the criteria corresponding to Figure 4 acceptance window failure¶
SHOULD not be accepted.¶
The last condition allows specifically for sending multiple versions of a fragment with the same timestamp within a small window of time. Attempts to tighten this further would limit the maximum rates of packet issuance given the timestamp resolution and impose further very strict packet queuing limitations. An attempted replay attack within this window is detectable by arrival of excessive amount of versions of the same fragment within a small window of time and should be tracked and reported.¶
Purging presents a particularly difficult problem since [RFC6232] mandates the acceptable TLVs in a purge and timestamping is currently not part of those TLVs. Due to this precondition, a change in standard is needed and timestamping on purging can only be originated after upgrade of the whole domain. Additionally, purges carry a lifetime of 0 which defeats the timestamp criteria as defined above and thus need a different set of rules. Purges that trigger any of the criteria¶
SHOULD be discarded.¶
A node that has not yet synchronized a precise internal clock (e.g. has not acquired NTP synchronization) SHOULD derive its Proxy Time from its adjacent neighbors' IIH timestamps using the following algorithm:¶
The combination of median selection and monotonic advancement provides Byzantine-fault-tolerant proxy derivation: an attacker must compromise more than half the eligible adjacencies of a node to influence its Proxy Time at all, and even then cannot move it backwards.¶
A node operating with Proxy Time MUST set the P-Bit on all timestamps it originates (in IIHs, SNPs, ASHs and LSPs).¶
A requirement for the correct interpretation of the additions proposed in this document is an infrastructure capable of synchronizing time across devices involved so the timestamps at the various points of interest become comparable. This could be accomplished by utilizing NTP [RFC5905], Precision Time Protocol (PTP) IEEE Std. 1588 [IEEEstd1588] or 802.1AS [IEEEstd8021AS] designed for bridged LANs. The achieved precision is carried in the timestamp of the fragment.¶
Though the timestamp can be very useful in deriving measurement of behavior in a deployed IS-IS network, e.g. maximum incurred flooding delays between any pair of nodes, it should not be used in any attempts to modify the behavior of protocol behavior itself such as e.g. influencing flooding rates. A single badly synchronized clock could otherwise change the behavior of parts or even the whole network in unpredictable or even detrimental way. Replay protection as defined in Section 4 is an exception.¶
For practical reasons, the timestamping replay protection defined in this document relies on strictly monotonically increasing timestamps rather than negotiation and repetition of nonces. It preconditions clock synchronization across nodes and hence presents an attack vector where the necessary clock mechanisms can be compromised if vulnerable. The attack windows and vectors are otherwise comparable due to the nature of IGPs which do not rely on lossless communication channels.¶
The replay protection mechanisms defined in this document rely on the IS-IS three-way handshake as defined in [RFC5303] to prevent an attacker from exploiting adjacency state transitions to reset timestamp tracking state. Accordingly, IS-IS three-way handshake MUST be deployed on all interfaces and cryptographic authentication MUST be enabled before timestamping is used for replay attack protection. If either precondition is not met, IIH timestamps MUST NOT be relied upon for replay protection and SHOULD be used for informational purposes only. LSP replay protection as defined in this document does not depend on the three-way handshake but MUST only be employed when cryptographic authentication of LSPs is enabled.¶
TBD¶
This document uses the graphical representation of data models per [RFC8340].¶
The following shows the tree diagram of the module:¶
module: ietf-isis-fragment-timestamping
augment /rt:routing/rt:control-plane-protocols
/rt:control-plane-protocol/isis:isis
/isis:database/isis:levels/isis:lsp:
+--rw fragment-origination-time? yang:date-and-time
¶
The following is the YANG module:¶
<CODE BEGINS> file "ietf-isis-fragment-timestamping@2026-06-26.yang"
module ietf-isis-fragment-timestamping {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-isis-timestamping";
prefix isis-fragment-timestamping;
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-routing {
prefix rt;
reference
"RFC 8349: A YANG Data Model for Routing
Management (NMDA Version)";
}
import ietf-isis {
prefix isis;
reference
"RFC 9130: YANG Data Model for the IS-IS Protocol";
}
organization
"IETF LSR - LSR Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/lsr>
WG List: <mailto:lsr@ietf.org>
Author: Renato Westphal
<renato@netdef.org>
";
description
"The YANG module augments the base IS-IS YANG data model with
operational state related to IS-IS fragment timestamping.
Copyright (c) 2026 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.";
reference
"RFC XXXX: Optional IS-IS Fragment Timestamping";
revision 2026-06-26 {
description
"Initial Version";
reference
"RFC XXXX: Optional IS-IS Fragment Timestamping";
}
/* Fragment Timestamp TLV */
augment "/rt:routing/"
+ "rt:control-plane-protocols/rt:control-plane-protocol"
+ "/isis:isis/isis:database/isis:levels/isis:lsp" {
when "derived-from-or-self(../../../../rt:type,"
+ "'isis:isis')" {
description
"This augment ISIS routing protocol when used";
}
description
"This augments IS-IS protocol LSDB with Timestamp TLV.";
leaf fragment-origination-time {
type yang:date-and-time;
description
"The time at which this LSP fragment with the
current sequence number was generated.";
}
}
}
<CODE ENDS>¶