-1

Description

I face a scenario in which longest prefix matching does not occur.

Setup

On my lab machine, I have a virtual nic VMnet11 (VMWare) with the ip address 181.0.0.10/8. I have a physical nic with ip address 192.168.4.110/24 that routes traffic to 192.168.4.84 as the default gateway (can access the internet).

Issue

Although the metrics are the same (291), when I ping 181.0.0.1, the traffic is routed via the default gateway to the internet (0.0.0.0 prefix is matched) instead of the traffic flow being tried via VMnet11. (The 255.0.0.0 prefix is not matched)

Notes When pinging the 181.0.0.10 (the locally assigned IPto VMnet11), the correct behavior is observed. (That is 255.255.255.255 prefix is matched on local interface)

Outputs

Here are relevant parts of the 'route print':

===========================================================================
Interface List
 26...00 e0 4c 62 16 05 ......Realtek RTL8139/810x Family Fast Ethernet NIC
  7...00 50 56 c0 00 0b ......VMware Virtual Ethernet Adapter for VMnet11

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.4.84    192.168.4.110    291
        181.0.0.0        255.0.0.0         On-link        181.0.0.10    291
       181.0.0.10  255.255.255.255         On-link        181.0.0.10    291
  255.255.255.255  255.255.255.255         On-link        181.0.0.10    291

===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.4.84  Default
===========================================================================

Here is the relevant output of the 'ipconfig':

C:\Users\user>ipconfig
Ethernet adapter PCI:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.4.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.4.84

Ethernet adapter VMware Network Adapter VMnet11:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a2e7:a501:ffd5:ccac%7
   IPv4 Address. . . . . . . . . . . : 181.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.0.0.0
   Default Gateway . . . . . . . . . :

Here is the relevant output of the 'traceroute':

C:\Users\user>tracert -d  181.0.0.1

Tracing route to 181.0.0.1 over a maximum of 30 hops

  1    <1 ms     1 ms    <1 ms  192.168.4.84
  2     1 ms     1 ms    <1 ms  <public ip>
  ...

Question

What prevents the longest prefix matching from occurring?

Update

The reddit link was informative (thanks). Also mentioning ARP was useful (thanks).

I now suspect that it is a Microsoft's (by-design) issue (reverting to def gw on ARP miss that is not a router's expected behavior, hence why the reddit guy calls Microsoft's OS the worse router). Below find some more outputs for ping and ARP.

This is something that I expected that happens when I ping 181.0.0.2

C:\Users\user>ping 181.0.0.2

Pinging 181.0.0.2 with 32 bytes of data:
Reply from 181.0.0.10: Destination host unreachable.
Request timed out.
Request timed out.

But this is the unwanted behavior that happens when pining 181.0.0.1:

C:\Users\user>ping 181.0.0.1

Pinging 181.0.0.1 with 32 bytes of data:
Reply from 181.0.0.1: bytes=32 time=478ms TTL=43
Reply from 181.0.0.1: bytes=32 time=454ms TTL=43

There is no arp entry

C:\Users\user>arp -a 181.0.0.1
No ARP Entries Found.

C:\Users\user>arp -a 181.0.0.2
No ARP Entries Found.

(apparently such IP do not exist on my lab network, and I expected else than a echo reply via icmp responses)

Improve this question
10
  • 1
    What was the result of the arp for the address when you run a netmon packet capture?
    – Greg Askew
    Commented Aug 19, 2023 at 6:16
  • 2
    @djdomi Normally metric is not used; it's last resort. Routing decisions is made based on prefix length, where longest prefix wins, so the most specific route is preferred: A /24 over a /22, and a /8 over default (/0). Only if two routes are otherwise equal will metric be used.
    – vidarlo
    Commented Aug 19, 2023 at 9:24
  • 2
    @djdomi No, opposite. Default gateway is last resort, as every other prefix will be longer. Default gateway has /0 as prefix, and longest prefix matching works by selecting the longest prefix, the one with most bits set to 1. /0 has 0 bits set to one. This is by design, and makes perfect sense if you think about it; many networks has 3-4 subnets, and a default route. If default route was the most preferred that would be an impossible setup. A /8 should win over a /0. This question is asking why that doesn't happen in one special case.
    – vidarlo
    Commented Aug 19, 2023 at 10:19
  • 1
    Could be proxy arp somewhere. Not much detail on the VMware networking but it probably isn't a typical configuration.
    – Greg Askew
    Commented Aug 19, 2023 at 12:45
  • 1
    This thread in Reddit is similar. reddit.com/r/sysadmin/comments/11ztn6y/…
    – Greg Askew
    Commented Aug 19, 2023 at 17:32

1 Answer 1

Reset to default
2
+50

Since the IP stack was rewritten in Vista to provide feature-parity between IPv4 and IPv6, Windows uses RFC 3484 for both IPv4 and IPv6.

The problem you're seeing here is probably due to source address selection. As you don't provide a source address yourself, the system needs to choose one. In IPv4 this should always select the address matching the interface belonging to the route determined from the longest-prefix-match. However, in RFC 3484 near the end of section 5 ("Source Address Selection") there is the following paragraph:

Rule 8 may be superseded if the implementation has other means of
choosing among source addresses.  For example, if the implementation
somehow knows which source address will result in the "best"
communications performance.

(Rule 8 is longest prefix match)

As neighbor discovery (or ARP as we say in IPv4) failed for the destination address the router knows that direct contact will fail. Thus the default route is the best match and the address of its associated interface will be used as source address.

In your case, if you provide the source address to ping using -s, that should overrule the source address selection and thus the default route should not be tried.

(I'm sorry that I have almost no references, but as that change happended about 15 years ago it is hard to find articles of reasonable credibility)

Improve this answer
1
  • Thanks, you already provided great clues. I found out that the referenced RFC is being obsoleted by 6724 (which core stack for newer versions of windows might probably use instead). Decision to provide feature-parity was a good clue as well. Following your provided info, I found that NCSI process in Windows also influences the address selection. Please allow me to wait a couple of more days to see other possible answers here as well. Thx
    – F.I.V
    Commented Aug 24, 2023 at 9:41

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .