Routing


You've already learned a little bit about how IP routing works, but we'll now cover it in a little more detail. Configuring routes properly is one of the great skills one can develop in networking, and it pays to be able to do it correctly, or at least to have a working understanding of it so that you can perform administrative tasks that require interfacing with the routing table, such as running portsentry, which blocks hosts by adding routes (we will discuss it in Chapter 30, "Network Security").

A router is any device configured to act as a router, which includes dedicated devices sold by Cisco and its competitors as well as regular computers that can do the job in a pinch. Routers work by maintaining a routing table, a set of rules that says where packets matching certain IP address criteria should be sent. Because FreeBSD can be configured as a router, let's look at its routing table as an example using the netstat -rn command (-r tells netstat to show the routing tables, and -n says not to resolve IP addresses into hostnames; the listing below shows resolved names, so it was evidently captured without -n):

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use      Netif Expire
default            hsrp-gw.netnation. UGSc      126  1379327      xl0
64.41.53.101/32    localhost          UGScB       0        3      lo0
net-64-40-111.netn link#1             UC          0        0      xl0 =>
ip3.example.com    0:50:ba:b3:98:13   UHLW        2   357107      xl0     735
ip4.example.com    0:50:ba:b3:95:bb   UHLW        0     2272      xl0     500
ip6.example.com    0:1:2:55:12:56     UHLW        0   118941      lo0 =>
ip6.example.com    localhost          UGScB       0        0      lo0
hsrp-gw.netnation. 0:0:c:7:ac:1e      UHLW      119     8814      xl0     405
64.77.63.139/32    localhost          UGScB       0        0      lo0
Toronto-ppp218408. localhost          UGScB       0        0      lo0
localhost          localhost          UH         45 45210727      lo0
goo.cs.und.nodak.e localhost          UGScB       0        0      lo0


Each line in this output is a rule. A routing rule specifies a particular destination and what should be done with traffic sent to that destination. The information in the routing table includes the following fields for each rule:

  • Destination This can be an IP address, a hostname, a network address (which FreeBSD displays in CIDR format, as you can see in the preceding example), or one of several special destinations, such as the "default route." This field is compared against the destination address of every packet the routing machine sees.

  • Gateway address This is the "next-hop" router address where traffic to the specified destination should be sent. This can be a hostname or IP address, or for destinations on the LAN it can be a MAC address (those entries are ARP information the kernel keeps in the same table). FreeBSD also shows an entry for the link#1 gateway, which is a route matching the network of the primary network interface, from which new host routes are cloned on use (hence the C flag).

  • Flags This field specifies the type of route. Each letter represents a different flag, so this example shows routes with between two and five simultaneous flags. See man netstat for the full list; the ones in this listing are U (route is usable), G (destination is reached via a gateway), H (host route to a single address), S (static, added manually), C/c (cloning route that spawns host entries), L (gateway is a link-layer address), W (route was cloned from a cloning route), and B (blackhole: the route matches, but packets are silently discarded). The entries with gateway localhost and flags UGScB are blackhole host routes; adding such a route for an attacker's address is exactly how a tool like portsentry makes the machine drop that host's traffic.

  • Network interface When a packet matches a route in the table, it is passed out through this specified interface.

IP routing grew out of the distributed, adaptive defense communications network envisioned by ARPA; therefore, its nature is to update these routing tables dynamically according to network conditions. The large telecommunications hubs maintain immense routing tables with many backup links from any one place to any other place; when one route is found to be unavailable, the dynamic routing protocols the routers speak to one another (BGP between networks, OSPF or similar within them) reshuffle the entries until traffic is redirected to a working route. The result is a system in which no single router has to know the complete route to a packet's destination; it needs only an entry that matches the destination, and failing that, the address of its own next-hop router. Any address that isn't local (in other words, any address that isn't on a network managed by that router) is passed upstream to the next-hop router, and so on, until the packet reaches a router that has an explicit entry in its routing table, with the appropriate netmask, for the network matching the packet's destination IP address. When several entries match, the most specific one (the longest matching prefix) wins, which is why the default route, which matches everything, is used only when nothing else does. At that point, the packet is routed out that interface and hopefully to its destination (it might have to pass through several more routers, each with a more specific matching rule, on the way downstream to the destination host's network).

Routing Misconfiguration

IP routing is susceptible to misconfiguration. On the way upstream, the packet keeps moving upward until it meets a router with an explicit match for its destination address. A packet is unlikely to run into trouble on the way up to the backbone, because someone would have to explicitly add a bogus route to a table in order to hijack it on its way up the chain of routers. However, after the packet starts downstream toward the destination, every router along the way must be properly configured to route to the network that the upstream routers think it is capable of routing to! A packet might start on its way downstream, only to find that the router that was supposed to have a further route for it to the destination actually doesn't have one. Naturally, without an explicit route for the packet, the router falls back on its default route and passes the packet back to its upstream router, which sends the packet back downstream again, beginning what is frequently referred to as a "router loop." In the following traceroute, the two routers at hops 9 and 10 hand the packet back and forth until the hop limit is reached:

traceroute to example.com (209.237.26.189), 30 hops max, 40 byte packets
 1  r2-72-core-van.nx.com (10.10.4.253)  101.878 ms  135.377 ms  85.218 ms
 2  dis2-atm1.in.nx.net (206.108.110.189)  132.023 ms  80.653 ms  81.686 ms
 3  core2-1.in.nx.net (206.108.101.45)  102.365 ms  61.537 ms  68.561 ms
 4  core2.in.nx.net (206.108.102.209)  79.989 ms  109.389 ms  115.587 ms
 5  bx3-pos5-0.in.nx.net (206.108.102.202)  86.434 ms  109.678 ms  129.128 ms
 6  sea1-nx.above.net (208.184.233.73)  91.201 ms  67.287 ms  79.369 ms
 7  core2.above.net (208.185.175.178)  74.219 ms  79.480 ms  93.121 ms
 8  sjc2.sjc2.above.net (216.200.127.117)  188.692 ms  212.627 ms  181.123 ms
 9  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
10  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
11  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
12  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
13  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
14  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
15  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
16  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
17  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
18  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms


This "bouncing" behavior continues, preventing proper delivery, until the downstream router fixes its routing table by adding the appropriate rule, allowing the packets to continue on their way downstream instead of bouncing back upstream. The loop does not carry any single packet around forever: each router decrements the packet's time-to-live (TTL) field, and when it reaches zero the packet is discarded and an ICMP "time exceeded" message goes back to the sender, which is exactly the mechanism traceroute uses to reveal each hop. Fortunately, when this occurs it is usually because work is being done on the router that's at fault, and the condition is temporary, resolving itself when the backed-up routing tables are restored.
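Spotting a router loop by eye is easy in a short trace, but it is useful to automate the check when you are watching many paths. The following Python is an added example, not code from the book: it parses traceroute hop lines with a regular expression and reports the earliest hop from which a small cycle of routers repeats until the end of the output. The looping sample is the tail (hops 6 to 18) of the trace above; the healthy sample is constructed, and its final example.com hop is invented for illustration.

```python
"""Detect a router loop in traceroute output: the same pair (or small cycle) of
routers answering every subsequent hop until the hop limit is reached."""
import re

# One hop line: hop number, hostname, IP address in parentheses (timings are ignored).
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")


def parse_hops(text):
    """Return [(hop, name, ip), ...] for every hop line in a traceroute listing."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops


def find_loop(hops, max_period=4, min_repeats=2):
    """Find a cycle of routers that repeats from some hop to the end of the trace.

    Returns (first_hop, [(name, ip), ...]) for the earliest such cycle, else None.
    A router cannot forward a packet to itself, so cycle lengths start at 2."""
    ips = [ip for _, _, ip in hops]
    for start in range(len(ips)):
        run = ips[start:]
        for period in range(2, max_period + 1):
            if len(run) < period * min_repeats:
                break                      # not enough hops left to see the cycle repeat
            if all(run[k] == run[k % period] for k in range(len(run))):
                return hops[start][0], [(n, ip) for _, n, ip in hops[start:start + period]]
    return None


# Hops 6-18 of the looping traceroute shown in the text above.
LOOPING_TRACE = """\
traceroute to example.com (209.237.26.189), 30 hops max, 40 byte packets
 6  sea1-nx.above.net (208.184.233.73)  91.201 ms  67.287 ms  79.369 ms
 7  core2.above.net (208.185.175.178)  74.219 ms  79.480 ms  93.121 ms
 8  sjc2.sjc2.above.net (216.200.127.117)  188.692 ms  212.627 ms  181.123 ms
 9  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
10  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
11  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
12  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
13  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
14  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
15  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
16  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
17  core1.above.net (208.184.102.25)  195.260 ms  194.973 ms  272.053 ms
18  main1.sjc1.above.net (208.185.175.246)  344.104 ms  318.313 ms
"""

# Constructed healthy trace: first three hops from the listing, final hop invented.
HEALTHY_TRACE = """\
traceroute to example.com (209.237.26.189), 30 hops max, 40 byte packets
 1  r2-72-core-van.nx.com (10.10.4.253)  101.878 ms  135.377 ms  85.218 ms
 2  dis2-atm1.in.nx.net (206.108.110.189)  132.023 ms  80.653 ms  81.686 ms
 3  core2-1.in.nx.net (206.108.101.45)  102.365 ms  61.537 ms  68.561 ms
 4  example.com (209.237.26.189)  120.004 ms  118.771 ms  121.530 ms
"""


def check(text):
    """Convenience wrapper: parse and look for a loop in one call."""
    return find_loop(parse_hops(text))


if __name__ == "__main__":
    print("looping trace:", check(LOOPING_TRACE))
    print("healthy trace:", check(HEALTHY_TRACE))
```

The detector requires the cycle to persist to the end of the output, which distinguishes a genuine loop from a router that merely appears twice because of load balancing across equal-cost paths; raise min_repeats if your traces are noisy.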

Gateways and Network Address Translation

A gateway is the router for a specific network, often used for translating addresses used by hosts on the LAN it manages to the addresses that the outside world sees. The term gateway is frequently used to mean router, and that isn't an inaccurate statement; we should clarify exactly what it means in today's parlance, though.

When you're configuring a machine's TCP/IP settings, you have to specify a gateway. This is simply the next-hop router for the machine you're configuring. In the chapter's example topology, hosts H1 and H2 sit on a LAN behind router R2, which in turn connects to upstream router R1. H1 and H2 each need a gateway configured so that they can reach hosts outside their own subnet (addresses that don't fall within their netmask); generally, in this type of topology, the gateway would be R2. Depending on the type of router, H1 and H2 might not be able to reach R1 directly. It's important to consider failure modes: if R2 is shut down, it is unlikely to pass LAN traffic straight through; some network devices fail into a pass-through mode, but routers seldom fall into that category.

In another type of network topology, the subnets behind R2 might be completely unlike the R1 subnet; for instance, R1 might be on the 64.41 network, whereas R2 controls subnets at 192.168.10 and 192.168.11. In this case, it wouldn't do to set H1 or H2 to R1 as a gateway at all: R1 is not on their subnet, so they have no way to deliver frames to it, and traffic simply wouldn't reach it (FreeBSD's route command refuses such a gateway outright with "Network is unreachable"). The best practice is generally to set your machine's gateway to the nearest router and make sure the router is properly configured to pass traffic to the upstream router and to its managed subnets.
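The lookup rule described in the routing overview (most specific prefix wins, default route last) and the gateway rule in this section (a next hop must be on a directly connected network) are two sides of the same table. The following Python is an added example, not code from the book: a small routing table that performs longest-prefix matching, honors the blackhole flag, and refuses an off-link gateway the way FreeBSD's route command does. The addresses (H1 at 192.168.10.5/24, R2 at 192.168.10.1, R1 at 64.41.53.1, a blocked host 203.0.113.7) are constructed for the example.

```python
"""Longest-prefix route lookup and next-hop selection, modelled on netstat -rn."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network      # destination prefix; 0.0.0.0/0 is the "default" route
    gateway: Optional[str]           # next-hop address, or None for a directly connected network
    netif: str                       # interface the packet leaves through
    blackhole: bool = False          # the "B" flag: match the packet, then silently discard it


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, dest, gateway=None, netif=None, blackhole=False):
        dest = ipaddress.ip_network(dest, strict=False)
        if gateway is not None:
            # A gateway is only usable if it sits on a directly connected network;
            # FreeBSD's route(8) refuses anything else with "Network is unreachable".
            gw = ipaddress.ip_address(gateway)
            onlink = [r for r in self.routes if r.gateway is None and gw in r.dest]
            if not onlink:
                raise ValueError(f"gateway {gateway} is not on a directly connected network")
            netif = netif or onlink[0].netif
        if netif is None:
            raise ValueError("a directly connected route needs an interface")
        self.routes.append(Route(dest, gateway, netif, blackhole))

    def lookup(self, dst):
        """Return the most specific (longest-prefix) route matching dst, or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.dest]
        return max(matches, key=lambda r: r.dest.prefixlen) if matches else None

    def forward(self, dst):
        """Decide what happens to a packet for dst: (action, next_hop, netif)."""
        r = self.lookup(dst)
        if r is None:
            return ("unreachable", None, None)
        if r.blackhole:
            return ("drop", None, r.netif)
        if r.gateway is None:
            return ("direct", str(dst), r.netif)   # on-link: ARP for dst itself
        return ("gateway", r.gateway, r.netif)     # off-link: hand to the next-hop router


def build_host_table():
    """Constructed table for host H1 at 192.168.10.5/24 behind router R2 (192.168.10.1)."""
    t = RoutingTable()
    t.add("127.0.0.1/32", netif="lo0")
    t.add("192.168.10.0/24", netif="xl0")                        # R2's LAN, like link#1 above
    t.add("0.0.0.0/0", gateway="192.168.10.1")                   # default route via R2
    t.add("10.0.0.0/8", gateway="192.168.10.2")                  # a second router on the LAN
    t.add("10.1.2.0/24", gateway="192.168.10.3")                 # more specific; wins for 10.1.2.x
    t.add("203.0.113.7/32", gateway="127.0.0.1", blackhole=True)  # portsentry-style block
    return t


def gateway_must_be_on_link(table, bad_gateway="64.41.53.1"):
    """Try to point the default route at upstream router R1, which is not on our subnet."""
    try:
        table.add("0.0.0.0/0", gateway=bad_gateway)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    t = build_host_table()
    for dst in ("192.168.10.20", "209.237.26.189", "10.1.2.9", "10.9.9.9", "203.0.113.7"):
        print(dst, "->", t.forward(dst))
    print("rejected off-link gateway:", gateway_must_be_on_link(t))
```

Note that the blackhole entry is a host route with a gateway of 127.0.0.1, the same shape as the UGScB lines in the netstat listing: it matches before the default route because /32 is the longest possible prefix, so a blocked host is discarded even though a default route exists.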

Note

Certain IP address ranges are "reserved" for private use (RFC 1918) and cannot be assigned to hosts on public networks; Internet routers do not carry routes for them, so data addressed to them from outside will not reach them. These ranges are 10.0.0.0/8 (10.xxx.xxx.xxx), 172.16.0.0/12 (172.16.xxx.xxx through 172.31.xxx.xxx), and 192.168.0.0/16 (192.168.xxx.xxx); the first and last are the ones commonly used in subnets and NAT topologies, and they are recommended for internal networks.


The traditional meaning of gateway, however, is the "edge device," the point at which LAN traffic passes out onto the WAN. This device, generally a router, is also where network address translation (NAT) can be done. The NAT daemon on the router specifies aliases for internal addresses and their translated addresses on the outside, and vice versa. NAT can be done in a one-to-one, many-to-one, or one-to-many fashion; the common home and office case is many-to-one, where an entire private LAN hides behind a single public address and the daemon keeps a table of which internal host and port each outgoing connection belongs to so that replies can be delivered back.
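To make the many-to-one case concrete, here is an added example in Python (not the book's code and not natd's implementation): a translation table that rewrites outbound packets to the public address, maps replies back to the originating LAN host, drops unsolicited inbound traffic for which no mapping exists, and supports a static inbound redirect in the spirit of natd's redirect_port for a published service. The public address 64.41.53.101, LAN 192.168.10.0/24, and the remote hosts are constructed for the example.

```python
"""Many-to-one NAT (masquerading) with a static inbound redirect, as a natd-like
translation table: outbound flows get a public port, replies are mapped back,
and anything else arriving from outside is dropped."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ManyToOneNAT:
    def __init__(self, public_ip, lan_prefix, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan_prefix)
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (src, sport, dst, dport) -> public port
        self.inbound_map = {}    # (public port, remote ip, remote port) -> (src, sport)
        self.redirects = {}      # public port -> (internal ip, internal port)

    def redirect_port(self, public_port, internal_ip, internal_port):
        """Publish an internal service on a public port (like natd's redirect_port)."""
        self.redirects[public_port] = (internal_ip, internal_port)

    def outbound(self, p):
        """Rewrite a LAN host's packet so the outside sees only the public address."""
        if ipaddress.ip_address(p.src) not in self.lan:
            return p                                   # not from our LAN: leave untouched
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.outbound_map.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("public port range exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p):
        """Map a packet arriving at the public address back to a LAN host, or drop it."""
        if p.dst != self.public_ip:
            return None
        entry = self.inbound_map.get((p.dport, p.src, p.sport))   # reply to a known flow?
        if entry is None:
            entry = self.redirects.get(p.dport)                   # explicitly published service?
            if entry is not None:
                # Remember the flow so the server's replies leave from the public port.
                self.outbound_map[(entry[0], entry[1], p.src, p.sport)] = p.dport
        if entry is None:
            return None                                            # unsolicited: dropped
        host, hport = entry
        return Packet(p.src, p.sport, host, hport)


def demo():
    """Constructed traffic through the NAT; returns the five translated results."""
    nat = ManyToOneNAT("64.41.53.101", "192.168.10.0/24")
    nat.redirect_port(80, "192.168.10.10", 80)

    # LAN host H1 opens a web connection to an outside server, and the reply comes back.
    out = nat.outbound(Packet("192.168.10.5", 40000, "209.237.26.189", 80))
    reply = nat.inbound(Packet("209.237.26.189", 80, out.src, out.sport))
    # An outside host probing the public address on port 22 gets nothing...
    probe = nat.inbound(Packet("198.51.100.9", 5555, "64.41.53.101", 22))
    # ...unless the port is explicitly redirected to an internal server.
    web = nat.inbound(Packet("198.51.100.9", 5556, "64.41.53.101", 80))
    web_reply = nat.outbound(Packet("192.168.10.10", 80, "198.51.100.9", 5556))
    return out, reply, probe, web, web_reply


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "probe", "web", "web_reply"), demo()):
        print(f"{label:10}{pkt}")
```

The drop of the unsolicited probe is the side effect that makes NAT look like a firewall; it is only a side effect, and every redirect_port entry punches a hole through it, so published services still need the packet-filter rules of their own.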

To use FreeBSD as a NAT router, you will want to configure and run the natd daemon; we'll discuss this in more detail in Chapter 28.




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann