Solved

Windows 2008+ Server and Multiple IP addresses.  Choosing the source IP based on longest prefix matching algorithm.

Posted on 2013-06-11
Last Modified: 2014-09-08
So I've recently discovered that the TCP/IP stack changes that came with Vista/Server 2008 have changed how servers with multiple IPs operate.

I don't want to waste space articulating the changes, but this article should sum it up:  http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

My question is regarding the selection of a source IP address using the longest prefix match method mentioned in that article from RFC 3484.

For example, consider the following addresses:

Client machine
  IP Address: 192.168.1.14 /24
              192.168.1.68 /24
  Default Gateway: 192.168.1.127

The server will use the 192.168.1.68 address because it has the longest matching prefix.

To see this more clearly, consider the IP addresses in binary:

11000000 10101000 00000001 00001110 = 192.168.1.14 (Bits matching the gateway = 25)
11000000 10101000 00000001 01000100 = 192.168.1.68 (Bits matching the gateway = 26)
11000000 10101000 00000001 01111111 = 192.168.1.127

The 192.168.1.68 address has more matching high order bits with the gateway address 192.168.1.127. Therefore, it is used for off-link communication.

This makes sense to me, because you can clearly see that 192.168.1.68 has more matching high order bits with the gateway.

What happens when the IP addresses are 192.168.1.14 and 192.168.1.15?

11000000 10101000 00000001 00001110 = 192.168.1.14 (Bits matching the gateway = 25)
11000000 10101000 00000001 00001111 = 192.168.1.15 (Bits matching the gateway = 25)
11000000 10101000 00000001 01111111 = 192.168.1.127

Which IP is chosen here?  They both have 25 matching bits.  The article doesn't really touch on this scenario.

TIA,
Matthew
Question by:mcdonamw79
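A small script, added here and not part of the original question or the TechNet article, that counts the matching high-order bits the way the RFC 3484 longest-prefix rule does and flags the tie the question describes. The addresses are the ones used above; nothing else is assumed.

```python
# Added example: count leading bits shared by candidate source addresses and a
# gateway (rule 8a, next hop) or destination (rule 8), and report whether the
# longest-prefix comparison actually produces a winner or ends in a tie.
import ipaddress


def matching_prefix_bits(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    # The first differing bit is the highest set bit of the XOR.
    return 32 - x.bit_length()


def longest_prefix_choice(sources, target):
    """Return (winner_or_None, {source: matching_bits}).

    winner is None when two or more candidates share the best match count,
    i.e. the longest-prefix rule alone cannot decide and a tiebreaker is needed.
    """
    scores = {s: matching_prefix_bits(s, target) for s in sources}
    best = max(scores.values())
    winners = [s for s, n in scores.items() if n == best]
    return (winners[0] if len(winners) == 1 else None), scores


if __name__ == "__main__":
    # Scenarios taken from the question above.
    cases = [
        (["192.168.1.14", "192.168.1.68"], "192.168.1.127", "gateway"),
        (["192.168.1.14", "192.168.1.15"], "192.168.1.127", "gateway"),
        (["192.168.1.14", "192.168.1.15"], "192.168.1.16", "destination"),
    ]
    for sources, target, kind in cases:
        winner, scores = longest_prefix_choice(sources, target)
        for s, n in scores.items():
            bits = format(int(ipaddress.IPv4Address(s)), "032b")
            print(f"{bits} = {s:<14} bits matching {kind} = {n}")
        verdict = f"use {winner}" if winner else "TIE: longest prefix does not decide"
        print("  ->", verdict, "\n")
```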
8 Comments
 
LVL 2

Expert Comment

by:babuse
ID: 39239343
From my understanding of this, it may fall into the final rule which would be...

Rule 8 - Use longest matching Prefix is similar to rule 8a except the match
is with the destination IP address rather than the next hop IP address.
0
 
LVL 2

Expert Comment

by:babuse
ID: 39239354
So, you would see how many bits are matching the destination IP rather than the gateway.

http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx
0
 
LVL 9

Expert Comment

by:DanJ
ID: 39239573
There is an address space overlap in your example. All addresses

192.168.1.14 /24
192.168.1.68 /24
192.168.1.127

are on the same subnet, 192.168.1.0/24.

If the OS allows you to configure overlapping IP addresses, there must be a tiebreaker, like the order of adapters (e.g. Lan0, Lan1).
0
 

Author Comment

by:mcdonamw79
ID: 39239697
Thanks for the replies so far guys.

@babuse:  What if my destination is 192.168.1.16?  In this case, there are still equal numbers of matching bits.

11000000 10101000 00000001 00001110 = 192.168.1.14 (available source)
11000000 10101000 00000001 00001111 = 192.168.1.15 (available source)
11000000 10101000 00000001 00010000 = 192.168.1.16 (destination)

@Danj:  In most cases that I've used multiple IPs on a single adapter, they usually fall on the same network.  Windows does in fact allow this.  With that said, I agree I would assume there has to be a tiebreaker, which is the purpose of my post.  What *is* that tiebreaker, including official documentation for such?
0

 
LVL 9

Assisted Solution

by:DanJ
DanJ earned 500 total points
ID: 39239781
The document states the selection is based on the routing table.
In this case, check the output of the "route print" command and look at the 4th field, "Interface"; that shall point you to the IP to use.
 

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
    192.168.3.0    255.255.255.0         On-link     192.168.3.201    266
    192.168.3.201  255.255.255.255         On-link     192.168.3.201    266
    192.168.3.202  255.255.255.255         On-link     192.168.3.201    266
    192.168.3.255  255.255.255.255         On-link     192.168.3.201    266
 ==========================================================================
0
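As an added illustration (not code from DanJ's answer), the following parses the Active Routes section of a route print listing, picks the most specific matching route for a destination and returns its Interface column. The route table is a constructed sample modelled on the listings in this thread, with a second address (.178) already added to the host.

```python
# Added example: pick the route Windows would use for a destination
# (longest netmask first, lowest metric as tiebreaker) and read the
# "Interface" column, the local address DanJ points at as the source.
import ipaddress

# Constructed sample modelled on the route tables quoted in this thread.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.192.72.1    10.192.72.177    266
      10.192.72.0    255.255.254.0         On-link     10.192.72.177    266
    10.192.72.177  255.255.255.255         On-link     10.192.72.177    266
    10.192.72.178  255.255.255.255         On-link     10.192.72.177    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.192.72.1  Default
===========================================================================
"""


def parse_active_routes(text: str):
    """Return [(network, gateway, interface, metric)] for each Active Routes row."""
    routes, in_active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break  # persistent routes are not part of the active lookup
        parts = line.split()
        if not in_active or len(parts) != 5 or not parts[4].isdigit():
            continue  # title, header, separator and blank lines
        net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes


def select_route(routes, destination: str):
    """Most specific matching route; lower metric breaks ties. None if no match."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def source_interface_for(text: str, destination: str):
    """The Interface column of the chosen route, i.e. the address used as source."""
    route = select_route(parse_active_routes(text), destination)
    return route[2] if route else None
```

Both an off-link destination (via the default route) and an on-link one resolve to 10.192.72.177 even though .178 is configured, which matches the author's sniffing result in the next comment.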
 

Accepted Solution

by:mcdonamw79
mcdonamw79 earned 0 total points
ID: 39242790
@Danj... I think that may be the ticket.  At first I was concerned because with 2008+, the system automatically adds a *persistent* route, which I would assume overrides the network route and that persistent route does not specify the interface to use.

For example, my machine:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.192.72.1    10.192.72.177    266
      10.192.72.0    255.255.254.0         On-link     10.192.72.177    266
       ...
      <snip for brevity>
       ...
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.192.72.1  Default
===========================================================================

In that example, the only IP on my system is 10.192.72.177.  If I add another IP 10.192.72.178, which introduces the same prefix length problem, my routing table remains the same and outbound packet sniffing shows my traffic continuing to come from .177.

I decided to break the prefix length issue by adding 10.192.72.127, which has more matching bits with my gateway.  

When I did this, all of a sudden my traffic started sourcing from the .127 address and my routing table changed to reflect the .127 address as my interface.
0
 

Author Closing Comment

by:mcdonamw79
ID: 39252608
My comment used actual testing to verify what would happen.  I am splitting the answer though, as DanJ's post was helpful and led me to that testing.
0
 

Expert Comment

by:mcdonamwION
ID: 40310054
So I have another situation where the above solution does not seemingly answer and I'm left again with my original question.  Microsoft drives me batty.

I have a server with 2 NICs, but with IPs on the same network.  It was done this way so that the "additional IPs" would not get registered into DNS.  Sure we could have put them all on one NIC and used the NETSH /SKIPASSOURCE command, but that feels very kludgy and can be easily undone by someone inadvertently viewing the IP via the GUI and clicking OK.  

At any rate, both NICs have the same gateway set.  This is necessary to ensure outbound "answer" TCP packets associated with incoming packets from external networks on the "additional IP" NIC can find their way back to the source, vs. the server accepting incoming packets on one NIC (additional IP) and sending outbound back out another (Primary).

In this scenario, I cannot understand why my system is choosing one IP over another.  The "primary" IP is 10.205.1.9 /16 (Adapter #1) and the "additional IP" is 10.205.1.14 /16 (Adapter #2), with the GW on both as 10.205.0.20 (255.255.0.0).  

In this scenario, the two source IPs share the same prefix with the GW and also share the same prefix with my destination IP: 10.205.10.240 /16.

For some reason my system is opting to use the "additional IP" 10.205.1.14 as its source IP vs. 10.205.1.9.  

Clearly there is some other logic here that is not explained in the original document and may perhaps stem solely around the fact that the two NICs both have the same gateway.  

I just want to understand the logic for which IP is chosen and why.
0
