From: Subject: Understanding routing for Solaris Date: Sun, 17 Jun 2001 11:58:04 +0900 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.enteract.com/~lspitz/routing.html X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Understanding routing for Solaris How to get your = packets from=20 point a to point b
Routing with=20 Solaris=20

Lance=20 Spitzner
Last Modified: 9 March, 2000=20

This article is the second in a two part series. In the first = article I=20 discussed how to configure, modify and troubleshoot network interface = cards.=20 This second article will discuss routing issues for systems with two or = more=20 network interface cards. I will not be discussing gated nor any routing=20 protocols, such as RIP or OSPF. This article will focus only on = implementing=20 static routing tables. Throughout this article I will be using the octet = method=20 for denoting subnet masks, as opposed to the more modern method of using = a /.=20 Example, I will be designating a class C network as 255.255.255.0, as = opposed to=20 /24. I decided to use the older notation as this is what Solaris = uses.  If=20 you have any questions about IP addressing or subnetting, I highly = recommend you=20 first review http://www.3com.com/nsc/5013= 02.html.=20
 =20

Routing=20

Routing has always fascinated me, it is amazing how a system knows = where to=20 forward a packet. In this article, I will discuss how Solaris 2.6 knows = just=20 that, where to forward a packet. The first part of this article I will = explain=20 and setup some basic static routes. In the second part of the article I = will=20 cover some of Solaris 2.6's more advanced capabilities, specifically = VLSM=20 (Variable Length Subnet Masks).=20

Routing is the process of forwarding a packet from point A to point = B.=20 Solaris does this by building a routing table. When it forwards a = packet, it=20 first refers to the routing table to decided where to send the packet. = The key=20 to successful routing with Solaris is building a proper routing table. = You start=20 building your routing table with your first network interface device.=20

When you configure a network interface device, the kernel = automatically=20 builds a static routing table. For example, lets say you are on a system = that=20 has a single interface, elx0. You configure the device to have an IP = address of=20 207.229.165.133, with a netmask of 255.255.255.0. To see the routing = table the=20 kernel has built, use the command netstat –nr.=20

Routing = Table:=20
Destination      =20 Gateway           =   =20 Flags Ref   Use    Interface =
----------------- = --------------------=20 ----- ----- ------ ---------
207.229.165.0    =20 207.229.165.133     =20 U         = 1     20=20 elx0
127.0.0.1        =20 127.0.0.1          &nbs= p;=20 UH        0     = 94=20 lo0=20

 Here we see the system's routing table. The first column is=20 Destination, which network does the packet want to go to. The = second=20 column is Gateway, the IP address the packet must go to get to = the=20 destination (the next hop). The third column is Flags, which = denotes=20 interface information, such as U for up, and G for Gateway. The fourth = column is=20 Ref, which denotes how many times that specific MAC address is = referenced=20 in the routing table. The fifth is Use, or how many packets have = gone=20 through the interface. The last column is Interface, it show the = device=20 the packet must go through if the destination is the local network.=20

In the example above we have two routes. The bottom one, 127.0.0.1, = is the=20 standard loopback route. All systems have this route, the kernel uses it = to talk=20 to itself. The second entry is a result of the elx0 interface. This = entry says=20 if you need to get to a node on the 207.229.165.0 network, go to=20 207.229.165.133, which is the system interface. This entry is called the = local=20 network entry and is added by default. The kernel assumed that because = elx0 has=20 an IP address of 207.229.165.133 and a netmask of 255.255.255.0, it must = be=20 connected to the local network 207.229.165.0. Thus, if you want to talk = to any=20 node on the 207.229.165.0 network, the kernel knows exactly where to = send the=20 packet.=20

Any time you add a new interface, the kernel adds a routing entry = similar to=20 the one above. It assumes that the new interface can talk to the local=20 network.  Your system can now talk to the local network, = 207.229.165.0. But=20 what about other networks, such as the Internet? If you were to attempt = to talk=20 to any node on any other network, such as 206.54.252.8, you would get = the=20 following error.=20

 lisa #ping=20 206.54.252.8
   ICMP Net Unreachable from gateway lisa = (207.229.165.133) =
   for icmp from lisa=20 (207.229.165.133)=20

The system has no idea how to reach this node. To fix this, we need = to give=20 the system a default route. When the kernel is given a destination it = does not=20 know, it sends it to the default route. The default route is usually the = IP=20 address of another router. This router takes the packet and does one of = two=20 things with it. If the destination is local to the router, it sends the = packet=20 to the local destination. If not, the router sends the packet upstream = to=20 another router. This process repeats itself until the packet has reached = its=20 destination.=20

By default, Solaris uses a routing protocol to dynamically determine = the=20 default route, RIP or Route Discovery. During the init process, the=20 /etc/rc2.d/S69inet will attempt to find a router running route discovery = (/usr/sbin/in.rdisc). If this fails after three attempts, the script = then=20 launches /usr/bin/in.routed, otherwise known as RIP. However, we will = use=20 neither method. Instead, we are going to manually set the default route. = When=20 the default route is manually set, neither routing protocol is = initiated. The=20 advantages to this are a simpler and more secure system to administer.=20

You manually define the default route with the file = /etc/defaultrouter. This=20 file consists of a single entry, the IP address of the default router. = This file=20 is read during the init process (specifically /etc/rc2.d/S69inet) and = added to=20 the routing table.  For this system, we have identified the default = router=20 as 207.229.165.1. This is the IP address of the router that connects us=20 Internet. If our system does not know a packet's destination, it sends = the=20 packet to the default router. With our default route, the new routing = table=20 would looks as follows=20

Routing = Table:
Destination        &nbs= p;=20 Gateway           =   =20 Flags Ref   Use    Interface =
-------------------- = -------------------- -----=20 ----- ------ ---------
207.229.165.0       =20 207.229.165.133      =20 U        2     20 = elx0
default         &n= bsp;   =20 207.229.165.1        =20 UG       0    =20 20
127.0.0.1         =   =20 127.0.0.1          &nbs= p; =20 UH       0     30=20 lo0=20

Based on this table, the system now has two choices for forwarding a = packet.=20 If the destination is on the 207.229.165.0 network, the packet is sent = to the=20 local network. However, if the destination is any other network, then = the packet=20 is sent to the default router. Notice that the default router, = 207.229.165.1, is=20 on the local network. If the default route is not on the local network, = the=20 system cannot reach the default router.=20

To define the netmasks of your network, you use the file = /etc/netmasks. This=20 file is read during the bootup process, defining the makeup of your = networks.=20 Here is an example of a /etc/netmasks file.

#
# The netmasks file associates Internet Protocol (IP) = address
# masks=20 with IP network numbers.
#
# network-number netmask
#
# The = term=20 network-number refers to a number obtained from the Internet = Network
#=20 Information Center. Currently this number is restricted to being a = class
# A,=20 B, or C network number. In the future we should be able to support
#=20 arbitrary network numbers per the Classless Internet Domain Routing
# = guidelines.
#
# Both the network-number and the netmasks are = specified=20 in
# "decimal dot" notation, e.g:
#
# 128.32.0.0=20 255.255.255.0
#
207.229.165.133 255.255.255.0
172.16.1.0=20      255.255.255.0
192.168.1.0     = 255.255.255.240

This file defines the network 207.229.165.0 as a = standard class=20 C network. However, the file also defines 172.16.1.0 as a class C = network, even=20 though it is normally a class B network. Last, we see the network = 192.168.1.0=20 broken down even smaller as a 16 IP subnet. We discuss subnetting later = in the=20 article.=20


 =20

 IP=20 Forwarding=20

Up to this point we have been discussing singled homed system. Single = homed=20 systems have one of two choices, talk to the local network, or to the = default=20 router. Things get more complicated when you add a second interface. = Your system=20 now becomes multi-homed, and potentially a gateway. A multi-homed host = is any=20 system with two or more interfaces, usually on different networks. A = gateway is=20 any multi-homed system that routes packets between different networks.=20

Lets take a look at what happens when we add a second interface. We = add the=20 interface elx1 to our system, with an IP address of 10.1.6.1, netmask=20 255.255.255.0.=20

Routing = Table:
Destination        &nbs= p;=20 Gateway           =   =20 Flags Ref   Use    Interface =
-------------------- = -------------------- -----=20 ----- ------ ---------
207.229.165.0       =20 207.229.165.133     =20 U         = 2     20=20 elx0
10.1.6.0         &= nbsp;  =20 10.1.6.1           = ; =20 U         1    = 123=20 elx1
default         &n= bsp;   =20 207.229.165.1       =20 UG        0    =20 20
127.0.0.1         =   =20 127.0.0.1          &nbs= p;=20 UH        0     = 30=20 lo0=20

Looking at the routing table, you notice only one change, the = addition of=20 interface elx1. If a packet is destined for any node on the 10.1.6.0 = network,=20 the packet is forward out the elx1 interface.=20

However, there is another, and far more important change not seen = here, IP=20 forwarding has just been enabled on this machine. Basically, IP = forwarding means=20 the system will route packets between networks. Based on the table = above, the=20 gateway will forward a packet one of two ways. If it does not know the=20 destination, it will forward the packet to the default router. If the=20 destination is on one of the two local networks, then the packet will be = forwarded to its destination.=20

IP forwarding is enabled during the init process, in = /etc/rc2.d/S69inet. If=20 the system detects more then 2 interfaces (including the loopback) ip = forwarding=20 will be enabled by default. Your system is now a gateway.=20

You can have a system with 2 or more interfaces and not forward = packets if=20 you want. This is done one of two ways. First, by touching the file=20 /etc/notrouter. During the init process, /etc/rc2.d/S69inet will look = for this=20 file. If it finds it, it turns off ip forwarding by executing the = following=20 command.=20

ndd -set /dev/ip = ip_forwarding=20 0=20

 You can manually turn off ip forwarding any time by executing = the same=20 command.
 =20

Route = Command=20

The route command allows you to manually change the route table. You = can add,=20 delete or change routes in real time. For example, lets say the IP = address of=20 the default router has changed, but you cannot afford to reboot the = system. You=20 have to change the IP address of the default route without rebooting. = You do=20 this with the route command. The syntax is simple,=20

lisa #route change = default=20 207.229.165.5 1=20

This command changes the default router from 207.229.165.1 to a .5. = The=20 syntax is simple, type the network information as you want it to appear = in the=20 routing table. The last number at the end of the command is the metric, = or how=20 many hops to the next gateway. Any node, including a router, on the = local=20 network is a hop of 1. The route add command allows you to add = additional routes=20 to the routing table, just as route delete removes them. If you want to = make a=20 route command permanent, add the command to the bottom of = /etc/rc.2/S69inet. The=20 init script will execute the route command and update the routing table. =
 =20

VLSM=20

Starting with 2.6, Solaris supports VLSM (Variable Length Subnet = Mask). VLSM=20 means a network can be variably subnetted into smaller networks, each = smaller=20 network having a different subnet mask. What that means to you is that = life just=20 got a lot easier.=20

Under Solaris 2.5.1 or earlier, you could only define a single subnet = for a=20 network. For example, if you defined the network 10.1.6.0 with a = 255.255.255.0=20 subnet mask as we have done, older versions of Solaris would assume that = any=20 network starting with 10 was a 255.255.255.0 subnet mask. You have now = locked=20 yourself in. You had to manually add an individual route for any = 10.0.0.0=20 network that did not have this subnet. This could easily reach into the=20 hundreds!=20

VLSM does not make this assumption, it gives you flexibility in = setting up=20 your routing tables. You can have as many different subnets as you want = for a=20 network. Lets take a look at an example. Our current routing table (see = example=20 from above) is configured for two local networks and a single default = route for=20 everything else (the Internet). However, this system is to be the = gateway for a=20 large corporation, the company's firewall. This means all inbound and = outbound=20 traffic must go through it.=20

The corporation is made up of an internal 10.0.0.0 network, which is=20 subnetted into over 100 smaller networks. Each smaller, subnetted = network has a=20 different subnetmask. For example=20

      =20 10.15.146.0       =20 255.255.254.0      (510 hosts)
      =20 10.128.112.0     =20 255.255.248.0      (2046 hosts) =
      =20 10.220.160.0     =20 255.255.240.0      (4094 hosts)=20

Here you see the company's various, different networks. We have to = create a=20 routing table that routes all default traffic to the Internet, but at = the same=20 time routes anything on the 10.0.0.0 internally. Remember, our internal = network=20 is really over a hundred smaller 10.0.0.0 networks, all variably = subnetted.=20

First, we have to identify the internal router. In our case, we will = use=20 10.1.6.5. This is the IP address of the router on the internal network. = Notice=20 how this router is on the local network of interface elx1. Now, since we = are=20 using Solaris 2.6, which support VLSM, we need only 1 command to route = all the=20 variably subnetted 10.0.0.0 networks=20

lisa #route add net = 10.0.0.0 10.1.6.5=20 1=20

With this single command, we have taken care of all routing issues, = something=20 possible only with VLSM. Lets take a look at the routing table and = explain what=20 I mean.=20

Routing = Table:
Destination        &nbs= p;=20 Gateway           =   =20 Flags Ref   Use    Interface =
-------------------- = -------------------- -----=20 ----- ------ ---------
207.229.165.0       =20 207.229.165.133     =20 U         = 2     20=20 elx0
10.1.6.0         &= nbsp;  =20 10.1.6.1           = ; =20 U         2    = 123=20 elx1
10.0.0.0         &= nbsp;  =20 10.1.6.5           = ; =20 U        =20 0      0
default         &n= bsp;   =20 207.229.165.1       =20 UG        0    =20 20
127.0.0.1         =   =20 127.0.0.1          &nbs= p;=20 UH        0     = 30=20 lo0=20

The first line states that if your destination is on the = 207.229.165.0=20 network, the network is local to the interface elx0. If your destination = is on=20 the 10.1.6.0 network, the network is local to the interface elx1. If = your=20 destination is on any 10.0.0.0 network EXCEPT to 10.1.6.0, the packet is = forwarded to the gateway 10.1.6.5. Last, if the destination meets none = of the=20 above criteria (the Internet), the packet is forwarded to the default = router,=20 207.229.165.1.=20

You may be confused as to how does the system know where to forward = anything=20 on 10.1.6.0. By looking at the routing table, you see two entries that = would=20 work, one for 10.1.6.0 and one for 10.0.0.0, both work for 10.1.6.0. The = system=20 always selects the most specific path first.=20

Now, if this was on a system that did not support VLSM, such as = 2.5.1, things=20 would be MUCH uglier. As stated earlier, the 10.0.0.0 is variably = subnetted into=20 smaller networks. Without VLSM, you would have to manually add a static = route=20 for each separate network with the route add command. If you do not, the = kernel=20 will assume that all the 10.0.0.0 networks are subnetted the same, = causing all=20 sorts of interesting routes. As you can see, VLSM is extremely powerful. =
 =20

 CIDR=20

I decided to discuss CIDR, as it is easy to confuse with VLSM and = they are=20 both closely related. Defined in 1993 by rfc 1519, Classless = Inter-Domain=20 Routing is used for routing aggregation, also known as supernetting. = Simple=20 stated, this means lumping several networks into one. The purpose is to = reduce=20 routing tables, which are beginning to overload backbone routers. An = example=20 would be taking 256 class C networks and defining them as a single = network,=20 aggregating them together. You can define the networks 207.229.0.0 = –=20 207.229.255.0 with the single routing entry of 207.229.0.0 subnet mask = of=20 255.255.0.0.=20

CIDR aggregates several networks together for simpler routing, = compared to=20 VLSM which variably subnets a network into smaller networks. Confused? = Don't=20 feel bad, so is half the Internet. To learn more, I highly recommend you = read=20 3Com's Whitepaper on IP addressing, VLSM, and CIDR at http://www.3com.com/nsc/5013= 02.html=20
 
 =20

Conclusion=20

The key to successful routing is your routing tables. By defining a = proper=20 routing table, your packets will get from point A to point B. VLSM is a = standard=20 that allows greater flexibility and in developing a proper routing = table.=20 Remember, a happy gateway is a happy network.
 =20

Downloads=20

Figuring out subnet masks and CIDR aggregation can be quite=20 challenging.  However, for the brain dead like me there exists an = AWESOME=20 little tool called IP Calculator from Net3 Group Inc.  This freely=20 distributed Windows tool is a great way to solve all your subnetting=20 problems.  I HIGHLY recommend it.=20

ip_calculator.= zip  =20 603 KB

For you Unix weenies, there is a Unix version of this tool, located = at http://www.interloper.ne= t/~dan/software


Author's=20 bio
Lance Spitzner enjoys learning by = blowing up=20 his Unix systems at home. Before this, he was an Officer in the = Rapid=20 Deployment Force, where he blew up things of a different nature. You = can=20 reach him at lance@honeynet.org .=20
 
 =20

Whitepapers /=20 = Publications