Routing Table; Friend or Foe?

If we examine the routing table used by TCP to control traffic flow, we can gain some insight
to sticky issues that are easily misunderstood. This article exhamines the routing table and
how it controls visibility, thruput and in some cases isolates systems from one another.

Route Print Results:Line [1] see [8] below

Line [2] The Loop Back interface address which can not be used for anything other than
accessing the local system.
On a Linux/Unix system, this address is not functionally useful while
Windows/* can use this address for local services.

Line [3] The NIC card parms for the 192.168.0.* network, eg the local LAN

Line [4] A Windows anachronism. This forces packets routed to 192.168.0.4 to arrive on
[2], which is a one-way routing to the local NIC (meaning the reverse flow doesn't occur).

Line [5] The Lan Broadcast address; (will not exit the lan subnet)
Windows uses this to find File Shares on port 137, 445

Line [6] The Multicast address.
The range from 224.0.0.0 to 224.0.0.255 (or 224.0.0.0/24) is designated for multicasting
on the local LAN only. Well known examples are RIPv2 which uses 224.0.0.9,
OSPF which uses 224.0.0.5 and Zeroconf mDNS which uses 224.0.0.251.

Line [7] The 'Zero' address equivalent of [5]; not used much any more

Line [8] The generic 'if all else fails, send it here' which is created by line [1]

What does that all mean;
a) when accessing Print/File shares, line [3] is used to connect to the local systems.
b) when accessing a website like http://www.google.com,

1] a dns request on port 53 is sent to the configured DNS (not shown but lets say that is aa.bb.cc.dd)
which is none of the addresses in 1-8 so the request exits our system via the Default Gateway
2] the DNS responds with the real ip address for http://www.google.com (eg: 208.67.219.230)
3] the browser then connects to 208.67.219.230 on port 80. Again 208.67.219.230 is not in our
routing table, so the traffic exits our system on the Default Gateway.
4] the reply from google.com will be on the connection created and flows to our browser.

So what you might ask. There are subtile results from the above description in the areas of
I) What happens when there are two or more NIC cards in the system, each with its own ISP connection?
II) What happens if we add another router.

The description of the Route Print (ie: the routing table in our system) is far more generic than one might assume.
The bacic operations are also implemented in any device outside our system which has routing capability
(eg: routers and switches). An external router works very much as described, while a switch operates as if there
were only one line for each active connection which was coded like:

Code:

	192.168.0.x     255.255.255.0      192.168.0.x     192.168.0.x       20  ##=> nic-x
	192.168.0.y     255.255.255.0      192.168.0.y     192.168.0.y       20  ##=> nic-y
	192.168.0.z     255.255.255.0      192.168.0.z     192.168.0.z       20  ##=> nic-z

which says each nic-x sees only traffic intended for the connected device. Nice huh!

So on (I), with a second nic in the system, connected to its own router and an IP address like 172.16.2.4,
we get a line added to the route print results like

Code:

 	172.16.2.0     255.255.255.0      192.168.0.4     172.16.2.4       20  ##=> nic-#2

Any systems attached to router#2 and in the 172.16.2.* subnet will get Print/File Share access both
to and from our nic#2. Many people will try this setup thinking that with two NIC cards in the same system,
we ought to see 1/2 of our network traffic on Nic#1 and the other 1/2 on Nic#2 -- sorry -- it doesn't work that way.
Look again carefully at (b) above. The browser operation starts the flow on Nic#1 with a DNS request and continues
the flow using the Default Gateway. The only way to get traffic to flow on Nic#2 is to specifically access
a system on the 172.16.2.* subnet.

This 'specific routing' comes into play for (II) above; adding a second router. Let's describe our wiring first:
This network operates as describe under the Route Print Results and What does that all mean discussed above.

Now lets add a second router#2 and consider (II).
Connecting a LAN port from router#1 to the WAN port of router#2 creates:

router#2 is seen from router#1 as a 192.168.0.x address while
devices attached to router #2 have 192.168.1.x addresses

Let's say that router#2 get assigned an IP address of 192.168.0.10. That will create a routing table with a line like
and there will be NO ENTRY for the subnet of 192.168.1.*

So what happens if we ping 192.168.1.1? NOTHING! err; more properly it will just timeout.
The ping packets flow where -- you should have guessed, the DEFAULT GATEWAY which
has nothing with that address out there and thus the timeout.

This is usually not what we expected, but may be useful to us (see Isolation below)
While systems attached to router#1 will get Internet and Email access,
they can not use Print/File sharing with anything attached to router#2 @ 192.168.0.1

How can I get more systems attached to router#1? If you have a second router already, then wire it like this.
Take a LAN port from router#1 and connect to a LAN port on router#2.
Otherwise, if you need to purchase a device with more slots, get a switch and use the wiring from example-B.
The switch will not assign IP addresses. Either way, everything attached to the second device will be controlled by router#1 and have an
IP address of 192.168.0.x. All system will be able to ping each other and Print/File Sharing works normally.
(btw: when using a router in this manner, disable the DHCP service!)


Isolation
There are situations where you need to have Print/File Sharing for some systems and to ensure that others
can never access those resources. For example, a landlord my have the ISP connection and offer Internet access
to a tenant. example-B above fills that need, but to which router does the tenant attach? Router#1

Why Router#1? Attaching the tenant to it will allow Internet access, but it also
hides router#2 at 192.168.1.1 -- it can not be seen nor pinged.
Router#2 can ping both routers, the ISP gateway and any system attached to router#1.
Thus, keeping the landlord (or the protected resources) at the last router in the chain will isolate those resources from
the network above.

Network Security
Systems Security

__________________
J. O. Beard; you + tech-101.com => synergism. Secure your system now