Routing, RIP, and Windows NT

Gary C. Kessler
Carol Monaghan
March 1999


An edited version of this paper appeared with the title "Routing, NT, & RIP" as the August 23, 1999 Web exclusive of Windows NT Magazine.

While many networks that employ Windows NT Server operate within a single domain running on a single network, many users must run over multiple networks for a variety of reasons. The issues of running in a single domain versus multiple domains are different than those associated with running in a single network or multiple network environment. When the Internet Protocol (IP) is used, interconnection of multiple IP subnetworks require routers. And a Windows NT Server can act as a software-based router. This article will review what a router is, why you might need one, how to set up a Windows NT Server with more than one network interface card (NIC), and how routing protocols work.

Router Defined

Even though the numbers of computers in use today is on the rise and the number of local area networks (LANs) is on the rise, the average number of hosts attached to each LAN is decreasing. Although this seems somewhat counter-intuitive, consider that LAN performance degrades as the number of attached stations and offered traffic grows. If a LAN becomes sluggish over time, there are a variety of ways to improve performance, one of which is to actually divide the LAN and make two networks!

If this approach is taken, the new LANs that have been created can be interconnected using some device, usually a bridge or a router. Although both bridges and routers segment network and filter/forward data, the differences in their operation and capabilities can be explained in terms of the address that they use to do their job.

All host computers that are connected to a LAN and use TCP/IP have two addresses, namely, the LAN media access control (MAC) address and the IP address. In terms of the Open Systems Interconnection (OSI) Reference Model, the MAC is similar to the Data Link Layer (layer 2) and is responsible for error-free communication between devices on the LAN. MAC addresses are flat; that is, they are assigned pretty much at random and no routing or location information can be derived from the address. MAC addresses are associated with the specific LAN network interface card (NIC); Ethernet addresses, for example, are 48-bits in length and written in hexadecimal (for example, 0x00-60-08-83-71-10).

IP, on the other hand, resides at the OSI Network Layer (layer 3) and is responsible for routing packets through a network, or across a series of subnetworks. On the LAN, an IP packet is transported inside of a MAC frame. IP addresses are hierarchical, meaning that some portion of the address identifies a network (called the NET_ID); this part of the address is used for routing. All IP hosts on a given network will have the same NET_ID.

(A human analogy to MAC and IP addresses might be this: your social security number uniquely identifies you but not your location, while your telephone number uniquely identifies you and allows the network to route telephone calls to your location.)

Bridges operate based on the MAC address, and merely allow a number of physically separate LAN segments to operate as a single network by forwarding frames from LAN to LAN. In a transparent bridge environment (usually seen with Ethernet LANs), bridges have to learn the location of all stations on the network and forward frames based on tables in the bridges; if the bridges doesn't recognize the MAC address of the destination station, it broadcasts the frame everywhere. Routers, on the other hand, are more intelligent devices than bridges and route packets based on the Network Layer address (e.g., IP) and allow several logically distinct networks to communicate with each other. A Network Layer protocol such as IP handles its routing function by examining a routing table; some sort of routing protocol is responsible for populating the routing table with information. A complete discussion of the advantages and disadvantages of bridges and routers is beyond the scope of this discussion; suffice it to say that bridges do not scale well to very large networks and cannot ever be used as a customer's interface to the Internet.

So let's assume at this point that you have decided to interconnect two or more IP subnets with a router. You can certainly purchase a piece of hardware built specifically for this purpose, such as routers from Cisco, Nortel (Bay Networks), 3Com, or many others. In some cases, however, it might be feasible to utilize a software-based router using the capabilities of Windows NT Server.

A true router is probably the preferred solution if your network is large or for your high-speed connection to the Internet. Router hardware, software, memory, and bus components are all optimized for moving packets at high-speed, and routers today are rather modestly priced. They will, therefore, typically offer better performance for routing than a computer running a general purpose operating system, such as NT.

On the other hand, there are reasons where a site might want to try a software-based solution using NT:

Subnetting and Addressing

The first step in setting up your NT server to act as a software based router is to physically install two (or more) NICs. Next, you have to configure the cards; go to the Network option in the Control Panel and choose the Protocols page. Select the properties of the TCP/IP protocol from the dialog box. On the IP Address tab (Screen 1), you will see the name of one of your network cards listed; click on the down arrow box to select each of the NICs, in turn, and enter the appropriate information for that card. Only one default gateway must be defined for each server/router, so only one of your network cards will need to have a default gateway address provided; this field can be left blank for the other card(s). (Alternatively, you can define additional default gateways for each NIC by clicking on the Advanced button.) After you have entered all of the addressing information for the NICs, click on the other tabs and enter the appropriate information for the DNS, WINS Address, and DHCP Relay.


Screen 1: Configuring IP address information for multiple NIC adapters.


Screen 2: Routing tab for configuring TCP/IP.


The Routing tab (Screen 2) has an option for IP forwarding. With two NICs installed, a system can be physically attached to two networks, as shown in Figure 1; that system can act as a member on both, and may or may not do any packet forwarding. In a dual-homed environment, such as where a system acts solely as a print or file server, a machine might need to be accessible from two different LANs but will never forward packets from one to the other. Thus, a client on the 192.168.88.0 network will access the server (GOLEM) via the NIC at 192.168.88.1 and a client on the 192.168.99.0 network will access GOLEM via the NIC at 192.168.99.7. Alternatively, the server can act as a router and accept packets from one network and forward them to another. If the Enable IP Forwarding checkbox is selected, then, systems on either physical network can access systems on the other network.



FIGURE 1. Two LANs interconnected by a single router (GOLEM).


If you will be routing between networks, the server must have a routing table with information telling IP how to forward packets. Routing tables can be created and maintained on a static or dynamic basis. Static routing tables are created automatically by the system software at NIC installation. Static routing tables do not change in response to network conditions (such as traffic load or link status) and, therefore, routes stay the same until changed by a system administrator. Dynamic routing tables are created and maintained via some sort of routing protocol; the IP routing protocol used by Windows NT Server is the Routing Information Protocol (RIP).

To install RIP on your NT server, go to the Network option under the Control Panel and select the Services page. Click on the Add button and select RIP for Internet Protocol from the list. You will then be prompted to insert your Windows NT Server 4.0 installation CD-ROM. There are no parameters for you to configure, so your installation is complete after closing out the Network Control Panel and accepting the option to reboot the system.

Routing Tables and Routing Protocols

Figure 1 shows a simple example of two networks and a single server connecting them. With simple IP forwarding, a server only knows about the networks to which it is directly attached.



FIGURE 2. Three LANs interconnected by two NT server-based routers (GOLEM and KERBEROS),
with a router connection to the Internet.


Clearly, more networks and more intermediate systems can be interconnected to form a more complex set of interconnections. As the network topology becomes more involved, however, simple network-to-network packet forwarding will no longer suffice and a routing protocol must be employed so that a server can become aware of networks to which it is not directly attached. Figure 2 shows an example of this more complicated scenario, where a new router, KERBEROS, is added to the 192.168.99.0 network with the address 192.168.99.8. A third network (222.168.111.0) is also introduced here, connected to KERBEROS at the address 222.168.111.6; this third network also has another dedicated router with a connection to the Internet. Note that the new network and router are invisible to GOLEM, just as 192.168.88.0 is invisible to KERBEROS.

As mentioned above, RIP, described in Request for Comments (RFC) 1058 and 2453 (versions 1 and 2, respectively), is NT's routing protocol for IP. Both versions of RIP are current Internet standards; the primary difference between the two is that RIP-2 supports variable-length subnet masks ( la CIDR) while RIP-1 is limited to advertising standard classful network addresses (see sidebar). RIP is one of the older routing protocols still seeing widespread, although diminishing, use on the Internet. RIP is classified as a distance vector routing protocol because of the nature of the information in the routing table and the mechanism used for router-to-router communication. The routing table maintains a list of all networks known to the router, the address of the next hop towards each known destination, and the total "cost" (called the metric) to get to the destination. A distance vector routing protocol does not spell out the entire route from one network to each known destination, but merely gets the packet started in the right direction. And although some distance vector protocols allow a variety of metrics, hop count is the only metric used in RIP.



FIGURE 3. RIP packet from Router 3 to Router 1, and the update
of Router 1's routing table.


Distance vector routing protocols create and maintain their routing tables using a process called table exchange. In RIP, a router will broadcast a portion of its routing table to each of its neighbor routers every 30 seconds. A router receiving a neighbor's table will compare the advertised routes with the routes that it already knows and if it finds what appears to be a better route, it will update its table. Figure 3 shows an example of the routing table update process between two neighbor routers, Router 1 and Router 3. In this example, Router 1 has a table entry for Network A that shows it to be 5 hops away if it routes via router #2 and Router 3 believes that it is 3 hops away from Network A if it routes via router #7 (neither router #2 nor #7 are shown in the figure). At some point, Router 3 will broadcast a RIP packet containing a portion of its routing table. Note that the entry for Network A in the advertisement shows a hop count of 4 because all neighbors of Router 3 are 4 hops from Network A if the neighbor routes via Router 3; note further that it is Router 3's responsibility to increment the table entry before broadcasting its routes. In this case, Router 1 determines that routing to Network A via Router 3 is better than the old route, and it updates its tables.

RIP has fallen out of favor for use within the greater Internet since the explosive growth began in the early- to mid-1990s, because it does not scale well to very large, complex network topologies where it can become unstable and take a long time to propagate changes through the network; RIP is largely being replaced by the Open Shortest Path First (OSPF) protocol. Nevertheless, RIP is a simple protocol to implement and requires very little processing and management, and is therefore well-suited for a small network, such as one that might be built with a few software-based routers.

In Windows NT (and Windows 9x), a system's routing tables can be displayed by using the route print command from the DOS command line. The route command can also be used to manually add, delete, or modify table entries. The route help command provides more information (although there does not appear to be an easy way either to prevent the help information from scrolling off the screen or to redirect the output to a file).

The NT routing table contains five pieces of information. The Network Address and Netmask together specify the address for which a particular row applies. The Gateway Address is the IP address of the router (gateway) to which to forward a packet destined for the specified network address; the gateway will be accessible at the IP address specified by the Interface. Finally, Metric indicates the number of hops to get to the destination network.

TABLE 1. Sample routing table for GOLEM, when connected to two networks (refer to Figure 1).

    Active Routes:

    Network Address          Netmask  Gateway Address        Interface  Metric
 1          0.0.0.0          0.0.0.0     192.168.88.1     192.168.88.1       1
 2          0.0.0.0          0.0.0.0     192.168.99.7     192.168.99.7       1
 3        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
 4     192.168.88.0    255.255.255.0     192.168.88.1     192.168.88.1       1
 5     192.168.88.1  255.255.255.255        127.0.0.1        127.0.0.1       1
 6   192.168.88.255  255.255.255.255     192.168.88.1     192.168.88.1       1
 7     192.168.99.0    255.255.255.0     192.168.99.7     192.168.99.7       1
 8     192.168.99.7  255.255.255.255      127.0.0.1        127.0.0.1         1
 9   192.168.99.255  255.255.255.255     192.168.99.7     192.168.99.7       1
10        224.0.0.0        224.0.0.0     192.168.88.1     192.168.88.1       1
11        224.0.0.0        224.0.0.0     192.168.99.7     192.168.99.7       1
12  255.255.255.255  255.255.255.255     192.168.88.1     192.168.88.1       1
13  255.255.255.255  255.255.255.255     192.168.99.7     192.168.99.7       1

Table 1 shows a sample routing table that corresponds to the scenario in Figure 1 with a system that merely interconnects two LANs:

Table 2 shows an abbreviated route table for the router named GOLEM in Figure 2, and demonstrates what the routing table might look like that contains network addresses that are not local to the server. It also shows that there is a single default gateway configured; any packet addressed to a network other than the three that are defined in the figure are assumed to be aimed at the Internet and will, therefore, be forwarded to the default gateway.

It is important to note that the address of the gateway is never placed into the packet; an IP packet always contains the original source and destination host addresses. In fact, the original packet is placed into a MAC frame and the gateway address is used only to determine the destination address for the MAC's transmission. This is a subtlety of IP routing that is well beyond the scope of this article.

TABLE 2. Abbreviated routing table for GOLEM when routing is employed (refer to Figure 2).

    Network Address          Netmask  Gateway Address        Interface  Metric

 1          0.0.0.0          0.0.0.0    222.168.111.1     192.168.99.7       3
 2     192.168.88.0    255.255.255.0     192.168.88.1     192.168.88.1       1
 3     192.168.88.1  255.255.255.255        127.0.0.1        127.0.0.1       1
 4     192.168.99.0    255.255.255.0     192.168.99.7     192.168.99.7       1
 5     192.168.99.7  255.255.255.255        127.0.0.1        127.0.0.1       1
 6    222.168.111.0    255.255.255.0     192.168.99.8     192.168.99.7       2

This routing table shows the following information:

As this article has indicated, there are several scenarios where it makes sense to configure an NT server to function as a router. Understanding the routing protocol will lead to a better understand of the tables that are generated and how the tables themselves might be manipulated to improve the operation. A complete treatment of routing is obviously well beyond the scope of this article. Much more information about bridging, routing, their associated protocols, and applicability to the Internet can be found in two excellent books, Routing in the Internet by Christian Huitema (Prentice Hall) and Interconnections by Radia Perlman (Addison-Wesley).




SIDEBAR: Addressing in IP

IP version 4 (IPv4) addresses are 32 bits in length (see figure below). They are typically written as a sequence of four numbers, representing the decimal value of each of the address bytes. Since the values are separated by periods, the notation is referred to as dotted decimal.


                                         BIT
                                1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
            0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
           --+-------------+------------------------------------------------
 Class A   |0|     NET_ID  |                         HOST_ID               |
           |-+-+-----------+---------------+-------------------------------| 
 Class B   |1|0|    NET_ID                 |            HOST_ID            |
           |-+-+-+-------------------------+---------------+---------------|
 Class C   |1|1|0|                     NET_ID              |    HOST_ID    |
           |-+-+-+-+---------------------------------------+---------------|
 Class D   |1|1|1|0|                            MULTICAST_ID               |
           |-+-+-+-+-------------------------------------------------------|
 Class E   |1|1|1|1|                      EXPERIMENTAL_ID                  |
           --+-+-+-+--------------------------------------------------------
IP Address Format.

IP addresses are hierarchical for routing purposes (like those of all OSI Network Layer protocols) and are subdivided into two subfields. The Network Identifier (NET_ID) subfield identifies the IP subnetwork and is used for high-level routing between networks, much the same way as the country code, city code, or area code is used in the telephone network. The Host Identifier (HOST_ID) subfield indicates the specific host within a subnetwork.

To accommodate different size networks, IP defines several address classes. Classes A, B, and C are used for host addressing and the only difference between them is the length of the NET_ID subfield:

The remaining two address classes are used for special functions only. Class D addresses, which begin with a value between 224 and 239, are used for IP multicasting (i.e., sending a single datagram to multiple hosts). Class E addresses begin with a value between 240 and 255, and are reserved for experimental use.

Several NET_ID and HOST_ID values are reserved and/or have special meaning. A HOST_ID of 0 (as used above) is a dummy value reserved as a place holder when referring to an entire subnetwork; the address 192.168.99.0, then, refers to the Class C address with a NET_ID of 192.168.99. A HOST_ID of all ones (usually written "255" when referring to an all-ones byte, but also sometimes denoted as "-1") is the broadcast address and refers to all hosts on a network. A NET_ID value of 127 is used for loopback testing and the address 127.0.0.1 refers to the localhost.

Several NET_IDs have been reserved (per RFC 1918) for private network addresses and packets will not be routed over the Internet to these network addresses. Reserved NET_IDs are the Class A address 10.0.0.0 (formerly assigned to ARPANET), the sixteen Class B addresses 172.16.0.0-172.31.0.0, and the 256 Class C addresses 192.168.0.0-192.168.255.0. Private network addresses are frequently used on a network sitting behind a firewall or router that performs Network Address Translation (NAT); with NAT, a host's "private" address is converted to a "public" IP address for use on the Internet. One advantage of NAT is that the organization does not have to change host addresses in case they change Internet service providers and are assigned another "public" IP address.

An additional addressing tool is the subnet mask. Subnet masks are used to indicate the portion of the address that identifies the network (and/or subnetwork) for routing purposes. The subnet mask is written in dotted decimal and the number of 1s indicates the significant NET_ID bits (for fans of Boolean logic, the subnet mask and the entire 32-bit IP address are ANDed together to obtain the relevant NET_ID bits). For "classful" IP addresses described above, the subnet mask and number of significant address bits for the NET_ID are:


                       Number 
Class   Subnet Mask    of Bits           Binary Representation

  A      255.0.0.0        8       11111111 00000000 00000000 00000000
  B     255.255.0.0      16       11111111 11111111 00000000 00000000
  C    255.255.255.0     24       11111111 11111111 11111111 00000000

Depending upon the context and literature, subnet masks may be written in dotted decimal form or just as a number representing the number of significant address bits for the NET_ID. Thus, 192.168.99.17 255.255.255.0 and 192.168.99.17/24 both refer to a Class C NET_ID of 192.168.99.

Subnet masks can also be used to subdivide a large address space or to combine multiple small address spaces. For example, a network may subdivide their address space to define multiple logical networks by segmenting the HOST_ID subfield into a Subnetwork Identifier (SUBNET_ID) and (smaller) HOST_ID. For example, an organization assigned the Class B address space 191.160.0.0, which might then be segmented into a 16-bit NET_ID, 4-bit SUBNET_ID, and 12-bit HOST_ID. In this case, the subnet mask for routing to the NET_ID on the Internet would be 255.255.0.0 (or "/16"), while the mask for routing to individual subnets within the larger Class B address space would be 255.255.240.0 (or "/20").

Alternatively, an organization assigned the four Class C addresses 223.168.128.0, 223.168.129.0, 223.168.130.0, and 223.168.131.0, and use the subnet mask 255.255.252.0 (or "/22") for routing to this domain. This use of subnet masks in routing tables to consolidate addresses using NET_IDs that are not 1, 2, or 3 bytes in length is called Classless Interdomain Routing (CIDR).



ABOUT THE AUTHORS

Gary C. Kessler is a senior network security analyst at SymQuest Group (www.symquest.com), a network integration consulting company with headquarters in South Burlington, VT. His e-mail addresses is kumquat@sover.net. Carol A. Monaghan is the network administrator at Hill Associates (http://www.hill.com), a telecommunications training and education firm in Colchester, VT. You can reach her at c.monaghan@hill.com.