_____________________________________________________________________________

 

Routing Principles Torn Apart By Ankit Fadia ankit@bol.net.in

_____________________________________________________________________________

 

All kinds of networks have their basis in routing tables. Routing is the backbone of all the networks around the world, and it is probably one of the most interesting sections of TCP/IP networking. Routing, routing tables, the route command, and working with the routing tables of systems and routers is all that this manual will talk about.

 

In the earlier manuals, we have learnt about the Internet Protocol or the IP protocol. Routing, i.e. deciding how packets will be transferred to the destination and what the next stop will be, is the most important function performed by the IP protocol. So, how does IP actually make its routing decisions, or how exactly does it decide how to transfer packets to their destination? Well, read on to understand how exactly IP is able to successfully transmit packets.

 

Each system has its own routing table, which is maintained by the kernel. (On a dial-up machine, the ISP dynamically allocates or decides the routing table.) The routing table is consulted by IP almost every time it communicates with a remote system, even if that system is on the same LAN. The routing table controls where and how packets are sent from the source to the destination: it decides which path the packets will take, i.e. which router the system should pass the packet on to.

 

Communication through the Internet takes place using routers. Routers are basically systems which connect two networks together. They are commonly used to connect an internal trusted network to the external untrusted network called the Internet. ISPs use routers to connect you to the Internet. Routers basically act as gateways to the Internet or to external networks. Say you type http://www.hotmail.com/ into your browser's URL box; then packets are transferred from your system to the destination using routers. Communication takes place in the following manner:

 

Your System ---> Your ISP's Router ---> Another Router ---> Hotmail's Network Router ---> Server hosting hotmail.com

 

NOTE: In the actual communication process, more routers are involved in connecting your system to hotmail.com.

 

But how does your system know which is your ISP's router? How does it know which is the next-hop router, i.e. which router it should transfer the request to? Well, this decision is taken by your system depending upon the following two factors:

 

  1. The Destination IP Address
  2. The System’s Routing Table

 

The routing table of a system, besides holding other useful information, stores the router address to which packets have to be transferred, depending upon the IP address of the destination. Let us look at the routing table of a typical machine to understand this better. However, before we move on to an example of a routing table, it is important to understand what exactly the Internet Protocol does before taking its routing decisions. It involves 3 steps:

 

  1. Search for a matching host address
  2. Search for a matching network address
  3. Search for a default entry

 

It is important to note that IP performs the above steps in the same order as they are written. It always looks for a matching host address before looking for a matching network address. And only after it has failed to find a matching host and network address, does it look for a default entry. This process of searching through the routing table is known as the routing mechanism.

 

Note: Below is the explanation of the Routing Table on a Unix system. For an explanation of the routing table of a Windows system, go further down in the manual. However, I do suggest that everyone reads the below part too, because the explanations are not repeated when I come to the Windows Routing tables.

 

On a Unix system, using the netstat command with the -rn argument displays the routing table of the system. For more information regarding netstat and its arguments, refer to the Netstat Torn Apart manual, which is available at: http://hackingtruths.box.sk/netstat.htm

 

Note: Just to refresh your memory: the netstat command with the -r argument prints the system's routing table, while the -n option specifies that IP addresses should be displayed instead of hostnames.

 

#server123 $ netstat -rn

Routing Tables

Destination      Gateway          Flags   Refcnt   Use        Interface
192.121.15.95    192.121.15.0     UGH     123      65041      191.121.15.0
127.0.0.1        127.0.0.1        UH      1        0          127.0.0.1
default          192.121.15.0     UG      1256     9854123    191.121.15.0
192.121.15.85    191.121.15.80    U       4        10454      191.121.15.80

 

Let us analyze the above result line by line. The first line of the output signifies that for the destination 192.121.15.95, the gateway (router) to send the packet to is 192.121.15.0. The third column is the 'Flags' column. It can contain one or more of the following 5 flags:

 

U    The route is up.
G    The route is to a gateway (router). If this flag is not present, the destination is directly connected.
H    The route is to a host, i.e. the destination address is a complete host address. If this flag is not set, the destination address is a network address.
D    The route was created by a redirect. (Discussed later in the manual)
M    The route was modified by a redirect. (Discussed later in the manual)

 

Before we move on, it is important that we understand what the various flags actually mean. Let us take them one by one.

 

The G Flag

 

By the book, the G flag signifies that the route is to a gateway (router). If the G flag is present, the destination is not directly connected: the route is an indirect route. If it is not present, the route is a direct route.

 

****************

Hacking Truth: What is the difference in the structure of packets being sent on a direct route and packets being sent on an indirect route? A packet being sent on a direct route carries both the IP address and the link-layer address of the destination. A packet being sent on an indirect route carries the IP address of the destination, but the link-layer address it carries is that of the next-hop gateway (router).

For example, in the first line of our routing table above:

 

Destination      Gateway          Flags   Refcnt   Use        Interface
192.121.15.95    192.121.15.0     UGH     0        0          191.121.15.0

In this line, the G flag is set, which signifies an indirect route. This means that the IP address carried by a packet will be that of the final destination (192.121.15.95), while the link-layer address will be that of the next-hop router (192.121.15.0).

**************

So the underlying fact signified by the G flag is whether the route is direct or indirect.

 

The H Flag

 

The H flag specifies that the destination address is a complete host address. If the H flag is missing, the destination address is a network address (with the host ID set to 0).

 

In effect, when the routing table is searched for a route to a destination IP address, a host address entry must match the destination address completely, while a network address only needs to match the network ID of the destination address.

 

For Example, consider the following extract of a routing table:

 

Routing Tables

Destination      Gateway          Flags   Refcnt   Use        Interface
192.121.15.95    192.121.15.0     UGH     0        0          191.121.15.0
192.121.15.85    191.121.15.1     UG      4        10454      191.121.15.1
127.0.0.1        127.0.0.1        UH      1        0          127.0.0.1
default          192.121.15.0     UG      0        0          191.121.15.0

 

Now the lines that are of interest to us here are the first two lines. That is, the following lines:

 

Destination      Gateway          Flags   Refcnt   Use        Interface
192.121.15.95    192.121.15.0     UGH     0        0          191.121.15.0
192.121.15.85    191.121.15.1     UG      4        10454      191.121.15.1

 

The first entry has the H flag set, which means that the destination address is a complete host address. It also has the G flag set, which means that the route is an indirect route.

 

The second entry too has the G flag set, which again specifies that the route to the destination is an indirect one. However, it does not have the H flag set, meaning that the destination address is a network address, not a complete host address. Now, consider that packets are to be sent by this system to the following IP addresses:

 

A packet has to be sent to the destination host whose IP is 192.121.15.95. What does your system do?

 

The kernel searches through the routing table looking for a matching host address, and it finds it in the form of the very first entry. The H flag is set and the destination IP address completely matches the host address, so it forwards the packet to the specified router: 192.121.15.0.

 

A packet has to be sent to the destination host whose IP is 192.121.15.94. What does your system do?

 

The kernel again searches through the routing table looking for a matching host address. The first entry is for a machine in the same network; however, as the H flag is set and the host addresses do not match completely (only the network addresses match), this packet is not routed according to the first entry. The kernel then looks for a matching network entry and finds that the second entry is useful: the network address is again the same, and as the H flag is missing (which means that all packets with the same network ID are routed by this entry), the packet is routed according to this entry. That is, it is forwarded to the router 191.121.15.1.

 

By now the difference between the H and G flags should be clear. Let us now move on to the other columns in the routing table.

 

The next column, Refcnt, tells us how many active users are currently using that particular route. For example, if you FTP to a system and then telnet to the same system, the Refcnt count goes up by 2.

 

The ‘Use’ column specifies the number of packets sent through that route.

For example, in the routing table below, the number of active users of the first route is 123 and the number of packets sent through that route is 65041.

 

#server123 $ netstat -rn

Routing Tables

Destination      Gateway          Flags   Refcnt   Use        Interface
192.121.15.95    192.121.15.0     UGH     123      65041      191.121.15.0
127.0.0.1        127.0.0.1        UH      1        0          127.0.0.1
default          192.121.15.0     UG      1256     9854123    191.121.15.0
192.121.15.85    191.121.15.80    U       4        10454      191.121.15.80

 

Now, in the above routing table, we have already discussed what the first and last entries mean. Let us now discuss the remaining entries.

 

The second entry refers to the 'loopback' function. As the route is not to a gateway, the G flag is missing. The H flag is set to specify that the destination address (127.0.0.1) is a host address, not a network address.

 

The third entry refers to the default route. This route is a route to a gateway; we know this, as the G flag is set. The 'default' route is the route to which packets are sent if a more specific route is not found. All systems will have a default route entry. This is the route taken by your system when you type, say, hotmail.com or any other website. On a dial-up machine, it refers to the router of your ISP, which has the necessary information needed to direct packets from your system to the desired website.

 

The use of the second and third entries of our routing table will be clear after the following examples:

 

Say your system has to send packets across the Internet to hotmail.com, whose IP address is, say, 203.45.12.19. The kernel first looks for a matching host address, but the search fails. So it looks for a matching network address; this too fails. As both the search for a matching host address and the search for a matching network address fail, the kernel finally looks for a default entry. It does find one and accordingly directs the packets to the router 192.121.15.0.

 

Say you telnet to your own system (i.e. 127.0.0.1):

 

#server123 $ telnet 127.0.0.1

 

This time the second entry is the entry that the kernel finds the most suitable and it accordingly routes the packets.

 

But say the kernel does not find any match and there is no default entry in the routing table. Then what happens? Well, it depends. If the datagram was generated on that host, an error message is sent to the application that created the datagram (for example, Host Unreachable or Network Unreachable). However, if the host was forwarding the datagram, an ICMP host unreachable error is sent to the original sender.

 

Finally, the last column refers to the friendly name of the gateway corresponding to that particular entry. However, this does not always hold true: in the example routing table, the IP addresses of the routers are shown instead of friendly names.

 

****************

Hacking Truth: An ICMP message of destination unreachable has a type value of 3. A Network Unreachable ICMP error message has a type value of 3 and a code value of 0. While a Host Unreachable ICMP error message has a type value of 3 and a code value of 1.

****************
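As an added example (not part of the original manual), the following code runs the three-step routing mechanism described above (host match, then network match, then default) over the example netstat -rn entries, applies the G flag to decide which link-layer address the frame is sent to, and handles the no-match case from the previous section. It assumes the network entry is a /24 written with host ID 0, since netstat -rn prints no masks, and uses the ICMP type/code values from the Hacking Truth above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# ICMP destination unreachable is type 3: code 0 = network, code 1 = host
ICMP_NET_UNREACH = (3, 0)
ICMP_HOST_UNREACH = (3, 1)


@dataclass
class Route:
    destination: str     # complete host address, network address, or "default"
    gateway: str
    flags: str           # any of U, G, H, D, M
    interface: str
    prefixlen: int = 24  # assumed mask for network entries (netstat -rn shows none)


# Constructed table using the example entries from the manual; the network
# entry is written with its host ID set to 0, as the H flag section describes.
ROUTING_TABLE = [
    Route("192.121.15.95", "192.121.15.0", "UGH", "191.121.15.0"),
    Route("192.121.15.0", "191.121.15.1", "UG", "191.121.15.1"),
    Route("127.0.0.1", "127.0.0.1", "UH", "127.0.0.1"),
    Route("default", "192.121.15.0", "UG", "191.121.15.0"),
]


def lookup(dst, table=ROUTING_TABLE):
    """The routing mechanism: host match, then network match, then default."""
    ip = IPv4Address(dst)
    up = [r for r in table if "U" in r.flags]
    # Step 1: a host entry (H flag) must match the destination completely
    for r in up:
        if "H" in r.flags and IPv4Address(r.destination) == ip:
            return r
    # Step 2: a network entry (no H flag) only needs the network ID to match
    for r in up:
        if "H" not in r.flags and r.destination != "default":
            if ip in IPv4Network(f"{r.destination}/{r.prefixlen}", strict=False):
                return r
    # Step 3: fall back to the default entry, if there is one
    for r in up:
        if r.destination == "default":
            return r
    return None


def forward(dst, table=ROUTING_TABLE, forwarding=False):
    """What the kernel does with a datagram for dst.

    Returns ("send", ip_dst, link_layer_target, route) or an error tuple."""
    r = lookup(dst, table)
    if r is None:
        # No match and no default: a locally generated datagram gets an error
        # returned to the application, a forwarded one triggers ICMP type 3 code 1
        if forwarding:
            return ("icmp", ICMP_HOST_UNREACH)
        return ("app_error", "Network Unreachable")
    # G flag: indirect route, so the frame is addressed to the gateway's
    # link-layer address; no G flag: direct route, frame goes to dst itself
    link_target = r.gateway if "G" in r.flags else dst
    return ("send", dst, link_target, r)
```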

 

To view your Windows box's routing table, simply use the 'route' command. For more information regarding the route command, type the following at the DOS prompt:

 

C:\windows>route

 

To view your routing table, you need to type the following:

 

C:\WINDOWS>route print

 

Active Routes:

Network Address    Netmask            Gateway Address   Interface         Metric
0.0.0.0            0.0.0.0            203.94.251.225    203.94.251.225    1
127.0.0.0          255.0.0.0          127.0.0.1         127.0.0.1         1
203.94.251.0       255.255.255.0      203.94.251.225    203.94.251.225    1
203.94.251.255     255.255.255.255    203.94.251.225    203.94.251.225    1
255.255.255.255    255.255.255.255    203.94.251.225    203.94.251.225    1

 

The Windows routing table, too, is pretty much the same as the Unix routing table (so if any of you skipped the Unix routing table section, I suggest that you go back and read it), except for the Netmask column. The Netmask specifies a subnet mask value to be associated with this route entry. If not specified, it defaults to 255.255.255.255.

 

The Netmask value is used to determine which of the four octets of the IP address contain variable values. For example, a Netmask value of 255.255.255.0 means that the last octet can contain variable values, while the remaining 3 octets contain constant values. In the above routing table, the second entry, i.e. the loopback entry, has a Netmask value of 255.0.0.0, which means that all octets other than the first one can have variable values. This is necessary because an IP address starting with 127 will always refer to the local host, irrespective of the values of the remaining octets.

 

The Netmask value is actually used to decide the type of Network of the destination address. You see, networks can be of three types:

 

  1. Class A Networks
  2. Class B Networks
  3. Class C Networks

 

Address Class                              Dotted Decimal Notation Ranges
Class A (/8 prefixes)                      0.0.0.0 through 127.255.255.255
Class B (/16 prefixes)                     128.0.0.0 through 191.255.255.255
Class C (/24 prefixes)                     192.0.0.0 through 223.255.255.255
Class D (32-bit multicast group ID)        224.0.0.0 through 239.255.255.255
Class E (32-bit address for future use)    240.0.0.0 through 247.255.255.255

 

The various classes will be clearer after reading the next few lines.

 

Each Class A network address contains an 8-bit network prefix followed by a 24-bit host number. They are considered to be primitive. They are referred to as "/8s" or just "8s" as they have an 8-bit network prefix. In simpler words, in a Class A network address the first octet remains the same while the remaining three octets are variable. Also, it is important to remember that in a Class A network address, the first octet refers to the network ID, while the remaining three octets refer to the subnet and host IDs.

 

In a Class B network address there is a 16-bit network prefix followed by a 16-bit host number. It is referred to as "16s". In simpler words, in a Class B network address the first two octets remain the same while the remaining two octets are variable. Also, it is important to remember that in a Class B network address, the first two octets refer to the network ID, while the remaining two octets refer to the subnet and host IDs.

 

A Class C network address contains a 24-bit network prefix and an 8-bit host number. It is referred to as "24s" and is commonly used by most ISPs. Again, in this case the first three octets refer to the network ID, while the last octet refers to the host ID.

 

So, all that the Netmask field does is tell you what kind of network the destination address is a part of. It is necessary for your system and the routers involved in the transmission process to know how many octets are reserved for the network ID and how many for the host ID, so as to be able to send the packets to the correct destination.
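As an added example (not from the original manual), the following code applies the Netmask column as described in the last few sections: it masks a destination with each entry's netmask to find the matching entries of the route print table above, reports which octets a netmask leaves variable, and derives the address class from the first octet. Preferring the entry with the most specific mask is my assumption about ordering, chosen because it reproduces the host, then network, then default order from the Unix section; the table is a constructed copy of the one shown above.

```python
from ipaddress import IPv4Address

# Constructed copy of the "route print" output above:
# (network address, netmask, gateway address, interface, metric)
WINDOWS_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "203.94.251.225", "203.94.251.225", 1),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",      "127.0.0.1",      1),
    ("203.94.251.0",    "255.255.255.0",   "203.94.251.225", "203.94.251.225", 1),
    ("203.94.251.255",  "255.255.255.255", "203.94.251.225", "203.94.251.225", 1),
    ("255.255.255.255", "255.255.255.255", "203.94.251.225", "203.94.251.225", 1),
]


def to_int(addr):
    """Dotted-decimal address to a 32-bit integer so it can be masked."""
    return int(IPv4Address(addr))


def variable_octets(netmask):
    """Which octets (1-4) the netmask leaves variable, i.e. the host part.
    255.255.255.0 -> [4]; 255.0.0.0 -> [2, 3, 4]."""
    return [i + 1 for i, octet in enumerate(netmask.split(".")) if int(octet) != 255]


def matches(dst, network, netmask):
    """An entry matches when the destination, masked, equals its network address."""
    return (to_int(dst) & to_int(netmask)) == to_int(network)


def select_route(dst, routes=WINDOWS_ROUTES):
    """Return the matching entry with the most specific netmask (most 1 bits).
    A host entry (255.255.255.255) wins over a network entry, which wins over
    the 0.0.0.0/0.0.0.0 default, mirroring host -> network -> default."""
    candidates = [r for r in routes if matches(dst, r[0], r[1])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: bin(to_int(r[1])).count("1"))


def address_class(addr):
    """Classful network type from the first octet, with the classful prefix length."""
    first = int(addr.split(".")[0])
    if first < 128:
        return ("A", 8)
    if first < 192:
        return ("B", 16)
    if first < 224:
        return ("C", 24)
    if first < 240:
        return ("D", None)   # multicast group ID, no network/host split
    return ("E", None)       # reserved for future use
```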