IGP choice

Hi everyone,

Anybody from Yahoo to share experience on IGP choice?
IS-IS vs OSPF, why did you switch from one to the other, for what reason?
Same question could apply to other ISPs, I'd like to hear some international ISP/carrier design choices, please.

Thanks in advance,
Best regards,
-Marcel

"marcel.duregards@yahoo.fr" <marcel.duregards@yahoo.fr> writes:

> Hi everyone,
>
> Anybody from Yahoo to share experience on IGP choice?
> IS-IS vs OSPF, why did you switch from one to the other, for what reason?
> Same question could apply to other ISPs, I'd like to hear some
> international ISP/carrier design choices, please.
>
> Thanks in advance,
> Best regards,
> -Marcel

I worked a project as recently as 2009 where we tried to connect two
6509s together over a tunnel interface and wanted to extend Area 0
across it and couldn't because it was a limitation of the version of IOS
we were running at the time.

That forced us to use isis.

It was a decision based on pragmatism rather than design choice; and we
were a small operator, too. The choice of an interior routing protocol
really doesn't have much implication for small operators.

* marcel.duregards@yahoo.fr (marcel.duregards@yahoo.fr) [Thu 22 Oct 2015, 18:57 CEST]:

> Anybody from Yahoo to share experience on IGP choice?

What a weird way to limit your audience. This is NANOG, not Yahoo.

Otherwise, http://userpages.umbc.edu/~vijay/work/ppt/oi.pdf

  -- Niels.

The "everything must connect to Area 0" requirement of OSPF was limiting
for me back in 2008.

So we moved to IS-IS.

Mark.

Just use rip for *everything*

Problem solved!

And Windows Server for your routing platform of choice!

I'm unsure if this is a serious argument, but it's such a poor point
today. Everything has to be connected to a level 2 in IS-IS. If you
want a flat area 0 network in OSPF, go nuts. As long as you are
sensible about what you put in your IGP, both IS-IS and OSPF scale
very well.

The differences between the two protocols are so small, that people
really grasp at straws when 'proving' that one is better over the
other. 'IS-IS doesn't work over IP, so it's more secure'. 'IS-IS uses
TLVs so new features are quicker to implement'. While these may be
vaguely valid arguments, they don't hold much water. If you don't
secure your routers to bad actors forming OSPF adjacencies with you,
you're doing something wrong. Who is running code that is so bleeding
edge that feature X might be available for IS-IS, but not OSPF?

Choose whichever you and your operational team are most comfortable
with, and run with it.

Regards,
Dave

OSPFv3 scaled better than OSPFv2 in 2008. But multi-AF support for
OSPFv3 was only developing then, so that was not a viable replacement
for OSPFv2.

OSPFv2 should scale better in 2015 (I say "should" because more routers
now have x86-based control planes, but I don't run OSPF so I'm hand-waving).

You're right, a single Level-2 domain in IS-IS is akin to a single Area
0 in OSPF. But those "so small" differences between the protocols in
2008 meant I was less eager to try the single area with OSPF than I was
the single level with IS-IS.

Mark.

Hi,

> The differences between the two protocols are so small, that people
> really grasp at straws when 'proving' that one is better over the
> other. 'IS-IS doesn't work over IP, so it's more secure'. 'IS-IS uses
> TLVs so new features are quicker to implement'. While these may be
> vaguely valid arguments, they don't hold much water. If you don't
> secure your routers to bad actors forming OSPF adjacencies with you,
> you're doing something wrong. Who is running code that is so bleeding
> edge that feature X might be available for IS-IS, but not OSPF?

well, bleeding edge features in ISIS would also depend on your vendor...
ours seems backwards for ISIS in most of their product line and
we're always wanting more.... heck, I think they've even tried to ensure it's not in
their training courses either...just the briefest of mentions :confused:

as for IGP - ISIS - we moved to it from OSPF because we didn't want
2 separate routing calculations and tables being kept for IPv4 and IPv6, and
all routing config is under the one routing protocol.

alan

> The differences between the two protocols are so small, that people
> really grasp at straws when 'proving' that one is better over the
> other. 'IS-IS doesn't work over IP, so it's more secure'. 'IS-IS uses
> TLVs so new features are quicker to implement'. While these may be
> vaguely valid arguments, they don't hold much water. If you don't
> secure your routers to bad actors forming OSPF adjacencies with you,
> you're doing something wrong. Who is running code that is so bleeding
> edge that feature X might be available for IS-IS, but not OSPF?
>
> Choose whichever you and your operational team are most comfortable
> with, and run with it.

Basic point I very much agree with. However, if that was all there
was to it, nobody would ever switch from OSPF to IS-IS or vice versa
:slight_smile:

> OSPFv3 scaled better than OSPFv2 in 2008. But multi-AF support for
> OSPFv3 was only developing then, so that was not a viable replacement
> for OSPFv2.
>
> OSPFv2 should scale better in 2015 (I say "should" because more routers
> now have x86-based control planes, but I don't run OSPF so I'm hand-waving).
>
> You're right, a single Level-2 domain in IS-IS is akin to a single Area
> 0 in OSPF. But those "so small" differences between the protocols in
> 2008 meant I was less eager to try the single area with OSPF than I was
> the single level with IS-IS.

Some points I've noticed - YMMV.

- Needing OSPFv3 for IPv6 when you're already running OSPFv2 for IPv4
is less than optimal. I believe nowadays several vendors support
OSPFv3 for both IPv4 and IPv6 - but this is not universal.

- Probably mostly due to large operators running IS-IS, new features
are more likely to show up first in IS-IS.

- OSPFv3 security depends on IPsec, while IS-IS uses MD5. You could
certainly argue that MD5 is starting to get long in the tooth - on the
other hand, it's significantly better than nothing, and significantly
less complex than IPsec.

- We still have a few cases of needing OSPF towards customers. IS-IS
as core IGP makes it slightly easier to ensure that core routing and
customer routing are never mixed.

I see no reason to mention anything about scaling, since I believe the
protocols (both OSPF and IS-IS) nowadays scale to much larger topologies
than we're likely to need.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

You still have separate tables for IPv4 and IPv6 with isis and
multi-topology still runs 2 spf calculations.

I don't have all the details because I don't fully understand it, but I've
heard that if you're running an MPLS/RSVP core, you can only use a single
OSPF area. This introduces a scalability ceiling.

Our configuration is MPLS VPNv6 for IPv6. Therefore we have no native IPv6
in the backbone and no need for OSPFv3.

The IPv4 internet is MPLS VPNv4 so there should be no easy way to attack
our OSPFv2 instance from outside. The attacker is simply not in the same
VRF as the routing protocol.

Is this such an uncommon configuration? I am asking because nobody
mentioned this in the thread.

Regards,

Baldur

It comes down to personal preference nowadays in my opinion. Both ISIS and
OSPFv3 allow you to run multi-AF using the same protocol. Both of them don't
run full SPF when a stub network is added/removed (unlike OSPFv2). How
about vendor support? Perhaps ISIS has the upper hand here since it's been
around for so long, as compared to multi-AF OSPFv3.

If I had to build a network from scratch that needs to support v4/v6, I
would go with ISIS...but that's just personal preference. Some DC gear
doesn't support ISIS, so I guess it depends what the network is going to
support.

BGP as an IGP is also an interesting option =).

*Pablo Lucena*

OK I will bite -

Yes, RIP everything and let'em all Rest-In-Peace.

My 0.02cents about OP's question-

"Scale" and Admin-headaches:

IS-IS scales far better than OSPF. Admin-headaches - as your OSPF domain grows, do you want to continually re-design; create more areas? You definitely don't want 50k prefixes in your OSPF domain; in area 0 - try it and see how it works.

Security & ease-of-deployment:

IS-IS is inherently a L2 protocol used over IP and is IP-version independent and I dare say, more secure at the protocol level compared to any other flavor of IGP.

As to why you see more OSPF than IS-IS (except for a few large ones States-side) is more of a history lesson.

./Randy

Not true.

The rate of development of advanced features in OSPF and IS-IS is at a
similar pace today.

The main issue is implementation. Some vendors will implement the new
capabilities in one protocol sooner than the other. The features may
eventually filter down to the other protocol, or not. It is entirely a
situation specific to your vendor.

For example, IIRC, LFA came to IS-IS in Junos first, and then OSPF
followed (or was it the other way around, I can't remember - but support
didn't come for both immediately). Same thing at Cisco.

Quagga is an example of a case where IS-IS is seriously lagging behind
OSPF to the point of not being useable at all.

So while the spec. will have parity, your choice of vendor will be a
practical factor.

Mark.

Sorry for that, but the only one I've heard about switching its core IGP is Yahoo. I have no precise information, and it really interests me.
I know that they had OSPF in the DC area and ISIS in the core, and decided to switch the core from ISIS to OSPF.
Why spend so much time/risk to switch from ISIS to OSPF, _in the core_, not so minor an impact/task?
So I could guess it's to maintain only one IGP and have a standardized config. But why OSPF instead of ISIS? What could be the drivers? People skills (more people know OSPF than ISIS) --> operational reason?

In my understanding of both protocols, from 3-year-old documentation (2012):

OSPF is more or less limited to a hundred routers in the backbone area. Yeah, ok, but back in 2005 I knew some ISPs which ran 200 routers in the backbone area (only one area) w/o problem. What about today? Protocol design limitation or resource (memory+CPU) limitation? If resources only, as of today we can also put 1000 OSPF routers in one area...
Cisco recommends no more than 50 routers per area with OSPF. Is it a conservative value?
It also depends on the number of networks/router, of course.

ISIS is not. ISIS scales up to a thousand routers in the same area.
Some docs say that ISIS converges faster due to less LSP traffic (compared to OSPF, which generates more LSA traffic and therefore uses more CPU) and better timers. Timers can also be tuned with OSPF, so I do not see a real argument in better timers for ISIS (same story between HSRP versus VRRP with better timers for VRRP).

As your doc says (reasons to choose ISIS):
better convergence, better security, simplicity.

-Marcel

Hey,

> Quagga is an example of a case where IS-IS is seriously lagging behind
> OSPF to the point of not being useable at all.

I believe this is because you need 802.3 (as opposed to Ethernet II)
and a rudimentary CLNS implementation, both of which are very annoying from
a programmer's point of view.
I hope ISIS would migrate to Ethernet II and IP. From a security point of
view, people often state how it's better that it's not IP, but in
reality, how many have verified the flip side of this proposal, how
easy it is to protect yourself from an ISIS attack from a connected host?
For some platforms the answer is, there is absolutely no way, and any
connected host can bring you down with a trivial amount of data.

> I believe this is because you need 802.3 (as opposed to Ethernet II)
> and a rudimentary CLNS implementation, both of which are very annoying from
> a programmer's point of view.

I'm not really sure what the hold-up is, but I know Mikael, together
with the good folks at netDEF (Martin and Alistair) are working hard on
fixing these issues. While I have not had much time to provide them with
feedback on their progress, it is high on my agenda - not to mention
funding support for them will only help the cause.

> I hope ISIS would migrate to Ethernet II and IP. From a security point of
> view, people often state how it's better that it's not IP, but in
> reality, how many have verified the flip side of this proposal, how
> easy it is to protect yourself from an ISIS attack from a connected host?
> For some platforms the answer is, there is absolutely no way, and any
> connected host can bring you down with a trivial amount of data.

Well, on the basis that an attack is made easier if you are running
IS-IS on a vulnerable interface, in theory, an attack would be highly
difficult if a vulnerable interface were not running IS-IS to begin with.

But I do not have any empirical data on any attempts to attack IS-IS,
successfully or otherwise. So your guess is as good as mine.

Mark.

Hey,

> Well, on the basis that an attack is made easier if you are running
> IS-IS on a vulnerable interface, in theory, an attack would be highly
> difficult if a vulnerable interface were not running IS-IS to begin with.

Assuming that interface won't punt ISIS if ISIS is not configured,
unfortunately this assumption isn't true for all platforms.
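As an added example (not code from any poster in this thread), here is a small Python classifier for the two points argued above: OSPFv2 packets arriving with AuType 0, i.e. no authentication on the adjacency, and IS-IS PDUs, which ride in 802.3/LLC frames rather than IP, showing up on an interface where IS-IS was never meant to run. The sample frames are constructed inline (router ID 10.0.0.1, area 0, placeholder MAC addresses are assumptions), and the IPv4 and OSPF checksums are left at zero because the parser does not verify them.

```python
import struct

OSPF_PROTO = 89    # IP protocol number carrying OSPF
ISIS_NLPID = 0x83  # NLPID that identifies IS-IS inside an 802.3/LLC frame
OSPF_AUTH = {0: "null", 1: "simple-password", 2: "cryptographic"}
OSPF_TYPE = {1: "hello", 2: "dbd", 3: "lsr", 4: "lsu", 5: "lsack"}
ISIS_PDU = {15: "L1-LAN-IIH", 16: "L2-LAN-IIH", 17: "P2P-IIH", 18: "L1-LSP", 20: "L2-LSP"}

def classify_frame(frame: bytes) -> dict:
    """Parse one raw Ethernet frame and report which routing protocol it carries."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype <= 1500:  # 802.3 length field, so an LLC header follows: the IS-IS case
        if frame[14:17] == b"\xfe\xfe\x03" and frame[17] == ISIS_NLPID:
            pdu = frame[21] & 0x1F  # PDU type is byte 4 of the IS-IS common header, low 5 bits
            return {"proto": "isis", "pdu": ISIS_PDU.get(pdu, str(pdu)), "src": frame[6:12].hex(":")}
        return {"proto": "other"}
    if etype == 0x0800 and frame[23] == OSPF_PROTO:  # Ethernet II -> IPv4 -> OSPF
        ospf = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IPv4 header (IHL in 32-bit words)
        ver, ptype, _, rid, area, _, autype = struct.unpack("!BBH4s4sHH", ospf[:16])
        return {"proto": "ospf", "version": ver, "type": OSPF_TYPE.get(ptype, str(ptype)),
                "router_id": ".".join(map(str, rid)), "area": ".".join(map(str, area)),
                "auth": OSPF_AUTH.get(autype, str(autype))}
    return {"proto": "other"}

def audit(frame: bytes, isis_expected: bool) -> list:
    """Findings for a frame seen on one interface; an empty list means nothing to flag."""
    info = classify_frame(frame)
    findings = []
    if info["proto"] == "ospf" and info["auth"] == "null":
        findings.append(f"unauthenticated OSPFv2 {info['type']} from {info['router_id']} in area {info['area']}")
    if info["proto"] == "isis" and not isis_expected:
        findings.append(f"IS-IS {info['pdu']} from {info['src']} on an interface not meant to run IS-IS")
    return findings

def sample_ospf_hello(autype: int) -> bytes:
    """Constructed OSPFv2 hello from 10.0.0.1 (area 0) to 224.0.0.5; checksums left at zero."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), bytes([10, 0, 0, 1]), bytes(4), 0, autype, bytes(8))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(body), 0, 0, 1, OSPF_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 5]))
    return bytes.fromhex("01005e000005" "000000000001" "0800") + ip + hdr + body

def sample_isis_iih() -> bytes:
    """Constructed L1 LAN IIH: 802.3 frame to AllL1ISs, LLC FE/FE/03, NLPID 0x83, no TLVs."""
    common = bytes([ISIS_NLPID, 27, 1, 0, 15, 1, 0, 0])  # len-ind, ver/PID, id-len, PDU type 15, ver, rsvd, max-areas
    iih = bytes([1]) + bytes.fromhex("aaaaaaaaaaaa") + struct.pack("!HHB", 10, 27, 64) + bytes(7)
    payload = b"\xfe\xfe\x03" + common + iih
    return bytes.fromhex("0180c2000014" "000000000002") + struct.pack("!H", len(payload)) + payload
```

Feed `audit()` frames from a packet capture on a customer-facing or host-facing interface with `isis_expected=False` to see whether IS-IS hellos are reaching the box at all, which is exactly the punt behaviour the last two messages disagree about.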